The effects of the pandemic, supply chain issues, gas prices, real-estate industry turbulence, hostile political landscapes, etc. has impacted everyone. The consequences of these are long-lasting and continue to inject stress into populations worldwide. Among those hit hardest are the professionals trying to ensure that organizations using different processes and technology can survive crises. One of the increasing trends across a number of industries is enterprise risk management (ERM).
Define, in order to fulfill – what is ERM?
One of the principles I try to follow in every aspect of life is defining words, concepts, methodology, etc. before doing anything else. Prior to recommending a solution, I try to define and fully understand the challenge or issue; before explaining a method or theory, it’s important to agree on a sound definition. Too often, I’ve noticed individuals using words to label things before comprehensively understanding the meaning or intent of what they’re talking about.
I often refer back to my experience following the attacks of 11 September 2001 – during that time, I was working for the US Government and can recall how we struggled to define counterterrorism. At one point, we found 12 different definitions on US Government organizational websites. The lack of unified classification increased our challenge in then identifying a solution.
With that in mind and for the purpose of this article, at the most basic level, ERM is an organization’s approach to managing risk. It should include policies and practices for the way an organization handles risk. It must take risk tolerance and appetite into account, against vulnerabilities and threats. I have further defined ERM as: the methodology that enables holistic, cross-functional risk-based decision making, which thereby brings awareness to risk exposure to the organization.
Whether you adopt this definition or not, it is critical to outline a firm definition of ERM for your organization. Regardless, ERM requires collaboration, coordination and potentially compromise to ensure risk acceptance is made at an enterprise level when appropriate. This approach may require a business-level unit or corporate function to compromise; however, it provides management assurance of organizational risk minimization. It also ensures cross-functional knowledge and support for mitigation plans of identified risk. Whether identified during an incident, crisis or annual metric reporting, ERM provides insight into vulnerabilities and gaps they can track and manage. This helps to address risk from strategic and operational planning to prevent or minimize losses and potential crises.
Many may ask – how does this differ from risk management? While risk management is still a critical function and element to apply across an organization, ERM differs from typical risk management practices based on ERM’s enterprise-level focus. Most risk management programs or definitions have been at an operational or singular risk. ERM considers each business unit or corporate function as a portion or element of risk. ERM also identifies risk trends across the organization, regardless of business unit or function. Organizations that adopt an ERM will typically have a dedicated function or team to oversee, track and manage all risk exposure.
Some may also wonder if it’s worth the time and investment to establish an ERM program or office. This type of assessment is critical and necessary to ensure resources are not expended if unneeded. Some advantages and disadvantages to a program are provided below to help organizational leaders understand what the benefits may be, balanced against some downsides to having an ERM program.
What is ERM responsible for?
Now that we’ve established what ERM is and is not, we can consider the types of risk normally managed by an ERM program. ERM can include any type of risk faced by the organization, but the organization should decide – at the executive level – what risk threatens its ability to survive. Once broad thresholds are established, further categories can be developed. I have used two categories to define programs – operational and strategic.
Within operational and strategic categories exist elements for an ERM program to manage. The following is not meant to be an exhaustive list, but provides general areas when considering establishing an ERM program. In general, most ERM programs track and manage:
What does ERM look like practically?
ERM practices can vary greatly from organization to organization. There are different aspects to consider based on size of the organization, industry, regulatory requirements, business objectives, etc. There are also several approaches to ERM frameworks and guidance. One of the most cited comes from the Committee of Sponsoring Organizations (COSO). In 1992, COSO initially provided eight components of ERM, but they have since updated their list to include the following nine components:
As an organization considers ERM and whether to establish another program, in the midst of the current environment, leaders must decide if their current structure can absorb major risk, such as ransomware, a pandemic, a major insider threat event, etc. These types of events can and will have long-lasting impact to an organization’s survivability. While ERM may not be a magic formula, risk management is certainly a best practice on minimizing risk exposure.
This article was originally published in the December edition of Security Journal Americas. To read your FREE digital edition, click here.