Jeff Spivey on Enterprise Risk Management
The former ASIS president explains the accelerating move to more comprehensive risk management models. (Part of the What Happens Next security predictions series.)
By Derek Slater
November 10, 2008
CSO
If security is often classified as 'reactive', then formal risk management methodologies or processes such as ERM are one of the most critical attempts at breaking out of that mold. Jeff Spivey is optimistic about the business world's rapid adoption of more and more sophisticated organizational models for enterprise risk management. Spivey of Security Risk Management, Inc. is former President of the ASIS International security association. He now spearheads ASIS' involvement with the Alliance for Enterprise Security Risk Management (AESRM), a cooperative effort founded by associations historically representing physical security, information security and information systems audit.
CSO: First give us a simple definition of enterprise risk management.
Jeff Spivey: I consider ERM a holistic view of all risk that a business entity or government may be exposed to.
Does that include strictly operational risk, or does it include capital risk as well?
Operational risk, brand risk, financial risk.... All of the risk an organization faces.
Unfortunately what's happening is that, as we look through the security microscope, if you will, we're not backing off and understanding that a company has a lot of other risks outside of security risks or even operational risk. If we say ERM is 'holistic', we need to make sure that it really is all-encompassing. Otherwise we will have gaps.
In the last five years or so we've come a long way in removing risk management stovepipes; where would you say we are in that process? What do you think will happen in the coming year?
I think there is more of an understanding that enterprise risk is important. Look at the adoption [of risk measurement] by Standard & Poor's and Moody's. CFOs and other corporate leaders now understand that their credit ratings are going to be based on how well they handle risk and how mature their ERM processes are. So I think that will be a driver moving ERM forward.
In 2007, reports show that 12% or so of companies have ERM fully implemented. In 2009, some reports estimate that will rise to 20%. I'm going to suggest, maybe aggressively so, that we'll be at 30% or so hitting some form of ERM adoption and maturity.
What holds back the other 70%?
Lack of understanding.
Companies are still confused by the terminology that's being used. They hear 'enterprise risk management' and say, 'Well, we have a risk manager so we're doing that already'. But in fact they're just doing the old traditional approach—transferring of risk by [purchasing] insurance. They may be involved in some risk identification or some claims analysis, but they really don't know the full scope of ERM.