Risk's rewards: Organizational models for ERM

Has the security department found a home in enterprise risk management organizations? That's where three companies are looking to accelerate business benefits.

Do you know the butterfly effect? Well, there are billions of butterflies in the world, and you want to keep an eye on the ones that, according to the chaos theory, are about to flap their wings and start a chain of events that will eventually result in a hurricane half a world away. In business, those butterflies go by many names: counter-party risk, supply chain disruption, natural disaster, compliance, regime change, Anonymous, and many, many more. The bigger the organization, the more butterflies there are to worry about.

Businesses have created monitoring groups, such as information security, credit risk, physical security, business continuity, compliance and audit security. At most companies, these groups report to separate people—some to the CSO, some to the CIO and some to the COO.

[More in this CSOonline.com ERM special report: A COO's perspective on ERM | Sample ERM organizational charts]

There are a lot of drawbacks to that arrangement.. Perhaps the biggest is that no one person or department can know all the risks a company faces and how they can affect each other. Many businesses are responding to this uncertainty by instituting enterprise risk management (ERM) processes that consolidate the information and the responsibility in one place.

"We had an ERM function, but it was very limited," says Steven Jones, director of operational risk for Synovus Financial. "The person responsible for ERM was mostly concerned with credit risk.... We didn't have a chief risk officer." That all changed after Mark Holladay, who had been chief credit officer, was named the company's first CRO in 2008.

Learn more about Enterprise Risk Management

Jones says Holladay brought a much more focused approach to risk assessment than had previously been applied. "We realized we had packets of risk management throughout the organization," says Jones. "But we didn't have clear visibility into our risk, whether it's operations or credit or market or strategic. We needed better, more focused [information] on how risk plays into our decision making." Without knowing the risks, decision making becomes a lot more like guessing.

Connecting the Dots

If the first decade of the 21st century has taught us anything, it's that you never know where the next threat will come from: 9/11, the mortgage meltdown, Hurricane Katrina, the Gulf oil spill, the Indonesian and Japanese tsunamis, nuclear power failures, political revolutions. The last 10 years have been a series of lessons in dealing with the unexpected. While no risk-management system can foresee everything, executives at companies that have adopted ERM say it has major advantages over what they were doing before.

"I believe this is the model for the future," says Pete Dowling, SVP of risk management at AXA Equitable. "This isn't just about investigating stolen things in the workplace anymore. All the things we manage on a daily basis have the potential, if they become a crisis, to get the company in trouble."

All companies have expertise in a lot of types of threat monitoring and prevention. For example, IT handles issues like information security and intrusion prevention; finance handles issues such as audit, compliance and credit; and operations may be in charge of physical security. Those business functions developed this expertise because they were most directly affected by the threats.

The problem with this approach is that it leads to gaps, either because something falls though the cracks or, more likely, because no one is looking at the whole picture. No one person or department is trying to systematically understand how one risk can affect and increase so many other risks. A stolen laptop can be a lot more than just an inconvenience to the person it was taken from. It is now a potential leak of critical information about the company and its customers, which in turn harms the brand and possibly the stock price and.... Well, you get the idea. So information and credit security have just as big a stake in physical security as a building manager does.

This is why companies have responded by consolidating all the risk-management functions—information gathering, analysis, prevention—in one place. It makes it possible to see past the obvious risks posed by a single threat to all its potential ramifications. "All of our issues are transversal, all of our issues cut across all business lines here," says Dowling.

For Dowling, the 2004 Republican National Convention in New York City was a perfect example of this. AXA's headquarters is adjacent to two very large, well-known hotels where delegates and VIPs were housed. At first glance, this looked to be nothing more than an inconvenience, as the already congested city streets handled the additional traffic. (Editor's note: Read CSO's in-depth profile of security at the Democratic National Convention that same year.)

But the people attending the convention didn't concern Dowling so much as some of the people opposing it. Specifically, the groups that "terrorized Seattle back in 2000 and then victimized the IMF and World Bank meetings." He knew that it wasn't just the physical plant that was threatened by them.

"I was well aware of the tactics of the protesters and particularly the anarchists that are involved with them," he says, referring to the violent clashes that led to injuries and the destruction of property. "I was afraid it would be disruptive to our workplace."

Dowling recommended to CEO Mark Pearson that the company temporarily move operations to its business recovery site, which it did for 10 days during the convention. Fortunately, what violence did occur during at the convention never reached the levels seen in Seattle and elsewhere, and the move provided significant benefits for the company. Dowling says that in addition to being prudent, the company's relocation also served as a test of existing contingency plans and familiarized employees with the process.

Speaking a Common Language

Being able to assess a company's full risk posture is also more important today because that information is needed by more stakeholders than ever. The board of directors, the C suite, regulators and auditors all need access to consistent, reliable information about emerging risks, trends, compliance controls, security measures and information protection. This information makes compliance easier by quickly letting regulators know that the company is fulfilling its obligations. It also makes it possible for senior executives to determine how much risk the company is willing to take on and then set policy accordingly. It's about "helping people adopt and understand the risk posture of the executive management team, and then making sure we are consistently applying that level of risk management throughout the organization."

Steve Jones, director of operational risk management, Synovus Financial

It's about "helping people adopt and understand the risk posture of the executive management team, and then making sure we are consistently applying that level of risk management throughout the organization," says Synovus' Jones. "Our job is not to eliminate risk but to manage it to the level of appetite that's been accepted by top management."

As threats become more complex in both their cause and their effect, companies struggle to keep pace. ERM initiatives not only integrate all threat information, they can also provide a much more sophisticated analysis. "They create a multi-disciplinary approach to risk," says Eric Cowperthwaite, CISO for Providence Health and Services. "Now the information is not just seen through the security lens. We're beginning to see where we can learn from each other's perspective."

For example, is a denial-of-service incident just an attack on the IT infrastructure or is it also designed to have an impact on some other part of the company? The information security team may be too busy dealing with the immediate crisis to even think about other implications, if they even know what those are.

Bringing all these groups together allows for formal and informal cross-pollination. In addition to allowing people to see how others approach problems, their participation in a casual interchange of ideas may also spur new ideas. Another significant benefit is that it allows companies to do more with resources they already have. They can save money and improve efficiency by leveraging their information systems, using one system where before there may have been many.

Using the same system creates more integration as everyone is forced to use a standardized evaluation criteria, assessment process and taxonomy. One of the most overlooked issues about the use of multiple reporting systems is the difficulty of making sense of all the different descriptions of similar information. The executives who rely on reports from totally separate groups to guide their decisions have to use their own best judgment to determine whether one department's "serious" is the same as another's "imminent" or a third's "yellow alert."

"Each of these particular functions had a way we reported activities and risk plans and we all were using different language," says Cowperthwaite. "This has allowed us all to use the same lexicon of risk indicators."

Getting Buy-In

Implementing ERM to its full extent really means creating a single department or formal, ongoing team responsible for risk. That means there either has to be buy-in from senior management or, as was the case with Synovus, AXA Equitable and Providence, leadership has to be the ones initiating it. Because this usually means bringing together functions now spread out across many business departments, it isn't unreasonable to expect turf battles and other push back.

However, that wasn't the experience for any of these three companies. While a lot of that is undoubtedly because the system was initiated from the C suite, it also reflects an increased awareness of the dangers faced by every organization.

Providence may have had it the easiest when it came to reorganizing because "the CFO grabbed the bull by the horns," says Cowperthwaite. "He said, 'All those folks report to me and they should get together.'"

For both Synovus and AXA, creating an ERM approach meant taking a little from here and a little from there.

AXA's Dowling was originally responsible for business continuity issues but, at the urging of his CEO, he was soon adding privacy, information security and records management to his portfolio. "I know a lot of my peers are pulling on their CEO's coattails" to make this happen, he says. "I can assure you [our CEO] was pulling on my coattails to see what the progress was."

When the consolidation started, most of the risk-assessment capability resided in IT. Dowling says that the CIO was very cooperative in the transfer and now views the risk department as an essential partner in IT's operations.

Steven Jones at Synovus had a similar experience with ERM, even though he started in IT. As at AXA, information security had responsibility for "the typical perimeter things like firewalls, intrusion prevention, info security policy and some vendor due diligence and risk areas," he says. Synovus created the chief risk officer position in the wake of the mortgage crisis. This not only showed the company's commitment to getting a handle on all its risk, it also meant someone was leading the charge at the top of the organization. "The critical piece was having executive buy-in, so having a CRO was paramount for all that to be successful," says Jones.

[See an earlier example of connecting the dots under a CRO in the 2005 case study Security 2.0]

Once that was in place, the ERM team focused on what exactly should be under the direction of risk management. It decided that anything about risk assessment, monitoring or governance should be directly under the team, while day-to-day management of things like firewalls would be left with the proper department—in that case, IT. Jones makes it clear, however, that risk management retains ultimate authority for the policy on things like that.

"A general rule of thumb: We will take things that are operational and split them out so we can take on more of a governance role," says Jones. This is a work in progress, though, and subject to change as experience dictates. For example, physical security is still directly under another department.

"Physical security right now is in a little bit of flux," Jones says. "We're going to watch this and see how it works. You could make a case for it either way."

Strengthening Connections

Everyone interviewed for this article agreed there is one key thing not to do when implementing ERM. Do not just go and impose what you perceive to be the correct measures on other departments. If you want this thing to work, it is essential to know not just how the business works but also what it does with its information.

In order to find out where the control deficiencies are, it is crucial to understand the full business lifecycle: How do people, process and technology all fit together with things like vendor management, business continuity, information risk, product-development risk, or fraud and loss.

In order to find out where the control deficiencies are, it is crucial to understand the full business lifecycle.

"When we met with the business units, we sought to understand what their inform assets were, what systems they relied on," says Jones. "We had them walk us through the business process, and we take an informed risk-assessment perspective on it. We also looked at it from a confidentiality, integrity and availability standpoint."

A governance, risk and compliance software package from Modulo is a part of the ongoing work to discover and manage risk points and assets throughout the company. As the ERM work got underway, Synovus also conducted an employee survey to find out what they thought was important about risk management's role in the organization. What they found out was that people wanted more information about possible risks and what should be done about them.

Doing all this work getting to know the entire enterprise has had many side benefits for the risk-management office. For one thing, it increased the unit's visibility and made it less of an auditor and more of a partner to other departments.

This sense of partnership was spurred by the ERM system making it easier for those departments to work with all the areas of security and risk management. Cowperthwaite at Providence Health says that his company's ERM implementation brought together the information and physical security, audit, compliance, risk and insurance departments under a single person. So instead of having many separate meetings about each of those things, people had one person who could advise them and coordinate all of that. Once that happened, Cowperthwaite says, people started coming to him for help instead of his having to insert his department in what others were doing.

Changing Culture

Becoming a highly visible partner has also made risk management seem like less of an abstract concept and more of a real, important thing that everyone has a stake in. As a result, there is a lot more support from all levels of the organization, which is more important than any system or technology to security work.

"We can have great information security programs, but if employees don't buy in and participate in them, our program isn't going to be successful," says AXA's Dowling.

Consolidating all these functions also helps to drive home the importance of the CRO's mission across the entire organization. At AXA, this is reinforced by an annual three- to five-day, companywide exercise in business continuity and crisis management. Repeating it allows managers to make sure many people are aware of the plans and how to carry them out. This, in turn, provides the redundancy that is so important in a crisis.

They are also fairly popular within the organization, according to Dowling. "People call and ask, 'When is the exercise this year?'"

This type of response is just one result of the centralization that can happen with an ERM system, and it can have a profound and long-lasting effect on an organization, which makes the CRO's life that much easier.

"We've seen a cultural change here," says Dowling. "This isn't business as usual. These people have daily jobs and daily functions within the company, and they've bought in to our procedures."

Insider: How a good CSO confronts inevitable bad news
Join the discussion
Be the first to comment on this article. Our Commenting Policies