EXCLUSIVE: Minimizing exposure with enterprise risk management

Organizational leaders find themselves in complex times, writes JT Mendoza, President & CEO, Citadel Risk Group.

The effects of the pandemic, supply chain issues, gas prices, real-estate industry turbulence, hostile political landscapes, etc. have impacted everyone. The consequences are long-lasting and continue to inject stress into populations worldwide. Among those hit hardest are the professionals trying to ensure that organizations, using different processes and technology, can survive crises. One of the increasing trends across a number of industries is enterprise risk management (ERM).

Define, in order to fulfill – what is ERM?

One of the principles I try to follow in every aspect of life is defining words, concepts, methodology, etc. before doing anything else. Prior to recommending a solution, I try to define and fully understand the challenge or issue; before explaining a method or theory, it’s important to agree on a sound definition. Too often, I’ve noticed individuals using words to label things before comprehensively understanding the meaning or intent of what they’re talking about.

I often refer back to my experience following the attacks of 11 September 2001 – during that time, I was working for the US Government and can recall how we struggled to define counterterrorism. At one point, we found 12 different definitions on US Government organizational websites. The lack of unified classification increased our challenge in then identifying a solution.

With that in mind and for the purpose of this article, at the most basic level, ERM is an organization’s approach to managing risk. It should include policies and practices for the way an organization handles risk. It must take risk tolerance and appetite into account, against vulnerabilities and threats. I have further defined ERM as: the methodology that enables holistic, cross-functional risk-based decision making, which thereby brings awareness to risk exposure to the organization.

Whether you adopt this definition or not, it is critical to outline a firm definition of ERM for your organization. Regardless, ERM requires collaboration, coordination and potentially compromise to ensure risk acceptance is made at an enterprise level when appropriate. This approach may require a business-level unit or corporate function to compromise; however, it provides management assurance of organizational risk minimization. It also ensures cross-functional knowledge and support for mitigation plans for identified risk. Whether identified during an incident, crisis or annual metric reporting, ERM provides insight into vulnerabilities and gaps that leaders can track and manage. This helps to address risk from strategic and operational planning to prevent or minimize losses and potential crises.

Many may ask – how does this differ from risk management? While risk management is still a critical function and element to apply across an organization, ERM differs from typical risk management practices in its enterprise-level focus. Most risk management programs or definitions have focused on an operational or individual risk. ERM considers each business unit or corporate function as a portion or element of risk. ERM also identifies risk trends across the organization, regardless of business unit or function. Organizations that adopt ERM will typically have a dedicated function or team to oversee, track and manage all risk exposure.

Some may also wonder if it’s worth the time and investment to establish an ERM program or office. This type of assessment is critical and necessary to ensure resources are not expended if unneeded. Some advantages and disadvantages to a program are provided below to help organizational leaders understand what the benefits may be, balanced against some downsides to having an ERM program.

Advantages

  • May better prepare a company for risks and uncertainties
  • May leave employees more satisfied with the future state of the company
  • May result in improved customer service as companies are prepared for certain situations
  • May result in efficient reporting to upper management that enhances decision-making
  • May lead to more efficient company-wide operations

Disadvantages

  • May not accurately identify the risks a company is likely to experience
  • May not accurately assess the financial impact or likelihood of an outcome
  • Often requires time investment from a company in order to be successful
  • Often requires capital investment from a company in order to be successful

What is ERM responsible for?

Now that we’ve established what ERM is and is not, we can consider the types of risk normally managed by an ERM program. ERM can include any type of risk faced by the organization, but the organization should decide – at the executive level – what risk threatens its ability to survive. Once broad thresholds are established, further categories can be developed. I have used two categories to define programs – operational and strategic.

  • Operational risks include those vulnerabilities and threats that impact day-to-day operations. This can be further defined using other elements like financial impact, business units/functions, etc. An example can be a natural disaster that damages a data center or warehouse
  • Strategic risks are those vulnerabilities and threats that can impact long-term efforts. This can include a competitor with lower-priced technology or product that threatens to replace the organization as a provider of goods or services

Within operational and strategic categories exist elements for an ERM program to manage. The following is not meant to be an exhaustive list, but provides general areas when considering establishing an ERM program. In general, most ERM programs track and manage:

  • Financial risks: risk that threatens the financial standing of an organization. This can include foreign currency holdings, real estate holdings, investments, etc.
  • Security risks: risk that threatens the organization’s assets, people and information. Examples include insufficient controls for detecting or preventing loss of sensitive data
  • Legal risks: risk that threatens the organization’s ability to withstand legal action or penalty for contractual, regulatory or dispute issues. This can include a major customer disputing contractual obligations
  • Compliance risks: risk that threatens an organization based on violation or non-compliance with standards (e.g., International Organization for Standardization (ISO), National Institute of Standards and Technology (NIST), US Securities and Exchange Commission (SEC) or other industry-specific requirements). An example would be an organization failing to report internal audit findings to the SEC

What does ERM look like practically?

ERM practices can vary greatly from organization to organization. There are different aspects to consider based on size of the organization, industry, regulatory requirements, business objectives, etc. There are also several approaches to ERM frameworks and guidance. One of the most cited comes from the Committee of Sponsoring Organizations (COSO). In 1992, COSO initially provided eight components of ERM, but they have since updated their list to include the following nine components:

  1. Internal environment: this includes your organizational culture and risk appetite
  2. Objective setting: this outlines your risk tolerance – what are you not willing to accept vs what you can absorb. Some other frameworks refer to this as defining your risk philosophy
  3. Event identification: sometimes referred to as “risk identification”; identify internal and external events that could affect meeting your objectives – positive and negative
  4. Risk assessment: determine the likelihood, severity and consequence of risk; also includes deciding on a measurement tool/matrix. Once the assessment is done, an organization should create an action plan to determine what must be done to protect its critical assets and the future of the organization
  5. Risk response: outline and identify actions when incidents or events occur that meet your risk tolerance
  6. Control activities: include appropriate internal controls to manage and potentially test business-as-usual (BAU) activities
  7. Communication: build a strategic communications plan to garner support from across the organization by sharing what ERM is and what it is not – communicate, communicate, communicate. Share your objectives, strategy and how others play a role in the effort. Every employee must know what the priorities of the ERM program are and how what they do on a day-to-day basis can impact ERM
  8. Reporting and monitoring: determine what metrics should be collected, how they’ll be gathered and who will report them and be accountable for them. In most large organizations, this function aligns well with the audit function. However, some organizations have decided to create a chief risk officer (CRO) position to prioritize the ERM program. CRO positions can vary from company to company, but they are essentially the corporate executive responsible for managing risk across the organization
  9. Governance: this includes the ongoing effort to implement lessons learned and refining controls and governance processes across the organization

As an organization considers ERM and whether to establish another program in the midst of the current environment, leaders must decide if their current structure can absorb a major risk, such as ransomware, a pandemic, a major insider threat event, etc. These types of events can and will have a long-lasting impact on an organization’s survivability. While ERM may not be a magic formula, risk management is certainly a best practice for minimizing risk exposure.

This article was originally published in the December edition of Security Journal Americas.