2026 Webinar Program: Rebuilding cyber risk management
Series 1: Cyber risk management, rebuilt: from ISO 27005 to the boardroom
To help you navigate your cyber risk management challenges, C-Risk has developed a three-part webinar series on rebuilding what's broken in cyber risk management. This approach reflects Gartner's guidance on CRQ: start with decisions, express exposure in ranges and set appetite thresholds. The result is a risk program that supports decisions across the business.
This series addresses the shift from compliance-focused to data-driven risk management, builds the foundation for defensible analysis, and connects quantified cyber risk to enterprise governance.

1.1 - Risk management is broken. Let's rebuild it.
Cyber risk programs spend a lot of effort on compliance and controls testing, but these are only components of the risk management process.
The full process of identifying, analyzing, evaluating, and treating risk should deliver defensible recommendations and decision support, with clear answers on where to invest, what to treat, and what to accept. ISO 31000 and 27005 set out the framework for getting there. The gap is between what the frameworks ask for and how programs actually implement them, with too much weight on compliance, controls, and resilience activities and not enough on the analysis and decision support that should sit at the center.
Christophe Foret (C-Risk Co-founder) and Neil MacGowan (Customer Success Director, C-Risk) explore:
- Where ISO 31000 and 27005 place analysis and decision support in the risk management process
- How compliance, controls testing, and resilience fit into the process without taking it over
- What defensible recommendations look like, and what it takes to produce them
- Where to start closing the gap in your own program
Replay is available here.
1.2 - From scenarios to analysis: scoping cyber risk for decision support
On June 2nd, Christophe Foret and Neil MacGowan will host webinar two of the series.
Cyber risk analysis is only as credible as the scenarios it's built on. Many programs analyze whatever the framework or tool prompts for, rather than the scenarios that would actually inform a decision.
Scoping should start with the decisions the business needs to make and the threats most likely to affect them. Cyberthreat intelligence and expert input narrow the field to the top threat-to-business scenarios that matter. A well-scoped scenario shows you what data is needed to reduce uncertainty and support an objective analysis.
What you’ll learn:
- How to move from a generic risk register to scenarios tied to specific business decisions
- How to incorporate cyberthreat intelligence and input from subject matter experts to prioritize scenarios
- What data each scenario requires, and how to perform an analysis
- How to recognize when a scenario is well scoped