Advisory firms push integrated ERM tying cyber to business risk to prod boards
- BDO is using a new April 23 eBook and refreshed enterprise risk pages to press companies toward integrated enterprise risk management that folds cyber, operations, resilience, and strategy into one board-level program.
- The pitch is explicit: move beyond “static heat maps” and fragmented risk work, use cross-functional risk data, and treat business continuity as insufficient without recovery, resilience, and decision-making tied to performance.
- The push tracks updated NIST guidance and board handbooks that frame cyber as an enterprise risk, not an information-technology issue. (nist.gov)
BDO is pressing companies to treat cyber risk as part of enterprise risk management, not as a standalone information-technology problem. (bdo.com) (lexology.com)

On April 23, BDO promoted an eBook called *Enterprise Risk Management: An Engine for Achieving Performance*. The firm said organizations are moving beyond fragmented risk activities toward a dynamic model that aligns risk, resilience, accountability, and decision-making across the enterprise. (lexology.com) (bdo.com) BDO’s public materials say the shift requires “breaking down silos,” using cross-functional teams, and turning risk data into business insight. Its ERM page now markets the approach to chief financial officers, chief risk officers, and chief executives as a way to protect performance and unlock value. (bdo.com 1) (bdo.com 2)

The underlying idea is simple: enterprise risk management is the companywide system for ranking threats to strategy, operations, finance, and compliance in one place. Integrated ERM pulls cyber into that same system so boards can compare a ransomware risk with a supplier failure or regulatory shock using a common lens. (nist.gov) (diligent.com)

That framing has hardened as cyber incidents have become operational events, not just security events. BDO says “business continuity is no longer enough,” and its resilience materials argue that traditional ERM often identifies risks in isolation instead of connecting them to response plans and recovery. (bdo.com) (bdo.co.uk)

The same message now runs through official standards and board guidance. NIST’s December 2025 revision of Interagency Report 8286 says directors and senior leaders need a clear understanding of cyber posture and that cyber risk information should flow into enterprise risk management processes. (nist.gov)

Board groups are translating that into oversight mechanics. The National Association of Corporate Directors’ April 16, 2026 toolkit says cyber reporting should map top enterprise risks to business objectives and track measures such as mean time to detect, mean time to recover, and vendor service-level coverage. (nacdonline.org)

Other advisers are making the same case in board language. PwC’s October 2025 cyber oversight report tells directors to embed cyber in strategy and culture, while Diligent says enterprise security risk management should unify cyber, physical, privacy, and third-party risks under one governance framework. (pwc.com) (diligent.com)

The common target is the siloed risk register: one list for cyber, another for operations, another for compliance, each owned by a different team. Advisory firms are telling boards to ask for one view of the “critical few” risks, tied to strategy, tolerance, and response. (bdo.com) (nacdonline.org)

That does not mean every company needs a new committee or software platform tomorrow. It means boards are being pushed to demand a single risk story that connects cyber controls, operational resilience, and business performance before the next disruption forces the issue. (bdo.com) (nist.gov)