If security is often classified as 'reactive', then formal risk management methodologies or processes such as ERM are one of the most critical attempts at breaking out of that mold.
Jeff Spivey is optimistic about the business world's rapid adoption of more and more sophisticated organizational models for enterprise risk management.
Spivey of Security Risk Management, Inc. is former President of the ASIS International security association. He now spearheads ASIS' involvement with the Alliance for Enterprise Security Risk Management (AESRM), a cooperative effort founded by associations historically representing physical security, information security and information systems audit.
CSO: First give us a simple definition of enterprise risk management.
Jeff Spivey: I consider ERM a holistic view of all risk that a business entity or government may be exposed to.
Does that include strictly operational risk, or does it include capital risk as well?
Operational risk, brand risk, financial risk.... All of the risk an organization faces.
Unfortunately what's happening is that, as we look through the security microscope, if you will, we're not backing off and understanding that a company has a lot of other risks outside of security risks or even operational risk. If we say ERM is 'holistic', we need to make sure that it really is all-encompassing. Otherwise we will have gaps.
In the last five years or so we've come a long way in removing risk management stovepipes; where would you say we are in that process? What do you think will happen in the coming year?
CFOs and other corporate leaders now understand that their credit ratings are going to be based on how well they handle risk and how mature their ERM process are. So I think that will be a driver moving ERM forward.
I think there is more of an understanding that enterprise risk is important. Look at the
In 2007, reports show that 12% or so of companies have ERM fully implemented. In 2009, some reports estimate that will rise to 20%. I'm going to suggest, maybe aggressively so, that we'll be at 30% or so hitting some form of ERM adoption and maturity.
What holds back the other 70 percent?
Lack of understanding.
Companies are still confused by the terminology that's being used. They hear 'enterprise risk management' and say, 'Well, we have a risk manager so we're doing that already'. But in fact they're just doing the old traditional approach—transferring of risk by [purchasing] insurance. They may be involved in some risk identification or some claims analysis, but they really don't know the full scope of ERM.
In the coming years they'll move from that into a strategic type of risk management, involving gathering more data regarding risk, aggregating it, analyzing it, managing it. And there will be more silos in the company brought into that whole conversation.
You mention insurance policies. How is the communication between the insurance risk management people and the security risk management people?
AESRM, did a presentation to the board of RIMS, the Risk and Insurance Management Society. Number one, we were inviting them into the alliance, and that's under consideration. But after the discussion, there were a lot of people saying, this is exactly the type of thing that we need—we need more understanding of types of risk and the different ways they would handle risks. They applaud that effort.
There's some progress there. The Alliance for Enterprise Security Risk Management,
So there's headway being made. What has been lacking is a structure for discussion—and we were hoping the alliance may be an avenue if not the avenue for these types of discussions. It's not that the people who understand ERM and security's role in ERM are smarter than anybody else; it's just that they've been talking with more silos about it and understand that [broad perspective] a little better.
You can imagine a critical role in ERM discussions for privacy people represented by IAPP, fraud people represented by ACFE...
I think they could and should be included. At the end of the day, two things will happen. There will be champions within organizations who champion that holistic point of view, but they're still going to need a structure with which to have that conversation. Fortunately we are entering the technological age with social media, wikis, and other technologies that will enable those discussions to start maturing the ideas, either within a particular company or across the entire industries that are involved.
Let's say I'm a CSO and my company isn't far down the ERM road. Is there an effective analogy, a statement, what's the elevator pitch to the CEO to get the support?
Overspending for the risks they are managing. The reason is they are approaching it in the organizational silos that they have. So they're not only overspending for the risks that they are addressing, they're also overexposed to the potential losses that could occur because of the gaps [between silos]. They're inefficient.
In the growing economic challenges we're going to have, that conversation is important. Companies right now, in my opinion, are
The inefficiency can be changed, but it takes a sea change in culture and understanding within a company, within a government, within entire industries, to make that happen.
You could argue that the creation of the Department of Homeland Security (DHS) was an attempt to do this, to break down silos and get the discussion going. Of course there are critics of everything, but DHS seems widely regarded to be not accomplishing that aim, at least not yet.
I'm also a proponent of the idea that the ERM is less about hierarchy and more about process integration. So the command-and-control structure and the possible silos that may exist in a DHS, or any other government entity or even big business, is a lot of times what restricts that process integration.
Whether it's DHS or large companies, any bureaucracy—and I define a bureaucracy as any group larger than five people—creates a lot of silly rules and regulations that keep you from getting your work done.
Back to the elevator pitch. So the pitch is: 'Boss, we're going to lower and risks and spend our money better, and the first thing I need from you is the commission to gather a group to start capturing a list of all our risks'.
The CEO and CFO will innately understand the idea; they just might not yet know what the answer could be. So step one is, identify and then collectively prioritize the risks.
Then you can manage those risks in a number of different ways. There are five ways to treat risk: I remember it with REITA. You can reduce a risk, Ignore it, Eliminate it, Transfer it, or Accept it. Every risk can be treated in one or more of those ways.
The other thing that's happening is, ERM is getting a lot more attention at the Board level. When Sarbanes-Oxley happened here, the Board members started understanding they could be liable for not understanding risk. There is now an impetus from the Board to understand the risks and how the risks are being managed. And then in Europe, I've heard some of the boards they control the risk at that level. Not even at the C-Suite. I don't know if that would really work here [in the US].