Customer cases

At ACI Risk Measure, we work with organisations that seek a stronger foundation for decision-making in cybersecurity.

Our client cases provide insight into how risk quantification can be translated into concrete action – and how a shared language for cyber and IT risk can strengthen the dialogue between security, business, and leadership.

“Cybersecurity has been a strategic focus area for us for many years. The collaboration with ACI Risk Measure has provided us with a clear picture of our cyber risks in business terms. I am very impressed by the way ACI Risk Measure applies actuarial methods to calculate probabilities and associated costs. It translates risk into a language that is familiar and understandable to the board.”

Nicolai Storm Lund

Vice President – Digital Technology & Information Security, VELUX

QUANTIFYING CYBER RISK STRENGTHENS STRATEGIC DECISION-MAKING

Challenge
VELUX wanted a stronger foundation for discussing and prioritising cyber risks at executive level. The traditional red, yellow, and green heat maps (4×4 matrix) did not provide a true picture of what the risks actually meant for the business. The goal was therefore to establish a better way of communicating risk – one that could enhance understanding of the risks and their business impact, while supporting strategic choices and investment priorities that reduce risk where it creates the most value.

Approach
In collaboration with ACI Risk Measure, VELUX’s cyber risks were analysed and quantified through a series of workshops and data-driven assessments. The process combined the security team’s existing knowledge with business insights from leadership, enabling risks to be translated into concrete financial estimates. This made it possible to illustrate how different types of incidents could affect VELUX – both directly and indirectly – in financial terms, supported by statistical data.

Result
By quantifying the risks, cybersecurity could be communicated in a far clearer and more measurable way. The report summarising the results has been used as both a communication and prioritisation tool for management and the board, making it easier for the security team and leadership to speak from a common point of reference. It provided a clear picture of where efforts create the most value, increased transparency around budget needs, and strengthened the dialogue on priorities.

“The collaboration with ACI Risk Measure has provided us with a risk management approach that genuinely supports management decision-making. The continuous updates deliver a current, data-driven risk picture that can be used directly in day-to-day management and in dialogue with the board.”

Michael Christensen

Head of Development, Lægernes Pension og Bank

CONTINUOUS CYBER RISK MANAGEMENT CREATES DECISION-MAKING CLARITY AND REGULATORY ROBUSTNESS

Challenge

Lægernes Pension and Bank is characterised by being both a pension fund and a bank, which places specific requirements on governance, compliance, and IT risk management. This combination means that the organisation is subject to a broad and complex regulatory landscape, including DORA.

Prior to the collaboration, Lægernes Pension and Bank had a clear objective to raise their compliance and maturity level in relation to DORA while at the same time strengthening management oversight of IT risks. Achieving greater control and transparency was essential – particularly in relation to IT third parties – and ensuring that risk management was operational, data-driven, and decision-relevant. The work was initiated one and a half to two years before DORA entered into force and required a coordinated effort across management, IT, risk management, and compliance.

Approach

In collaboration with ACI Risk Measure, Lægernes Pension and Bank transitioned from an annual risk and security assessment (SARA) to quarterly updates. As a result, the risk picture has become a continuous and dynamic management tool, where new incidents, changes in the threat landscape, and operational experience are quickly reflected in the assessments.

ACI Risk Measure’s Managed Cyber Risk forms a central element of this approach. The quarterly updates are based on actual data points, Lægernes Pension and Bank’s own incident logging, and follow-up on initiated risk-mitigating measures. At the same time, the solution supports clear management processes within IT, a structured handling of IT third-party risks, and a multi-year risk assessment setup that ensures consistency and continuity in the risk picture – in full alignment with Lægernes Pension and Bank’s DORA programme.

Result

During the period, Lægernes Pension and Bank underwent an independent maturity assessment conducted by an audit firm, which evaluated a range of IT processes, including IT risk management. In the audit firm’s reporting, Lægernes Pension and Bank’s IT risk management was assessed as being at a medium-to-high level, providing a solid starting point for Lægernes Pension and Bank to work towards achieving a generally high level of maturity.

The most significant result, however, is that Lægernes Pension and Bank has now established risk management as a genuine management tool. Executive management and the board receive ongoing reporting that can be used directly as decision support and have a clear overview of risks, trends, and the effect of initiated measures. Risk management is now operational, data-driven, and DORA-aligned throughout the year.
