Risk's rewards: Organizational models for ERM
Has the security department found a home in enterprise risk management organizations? That's where three companies are looking to accelerate business benefits.
By Constantine von Hoffman
June 07, 2011 — CSO —
Do you know the butterfly effect? Well, there are billions of butterflies in the world, and you want to keep an eye on the ones that, according to chaos theory, are about to flap their wings and start a chain of events that will eventually result in a hurricane half a world away. In business, those butterflies go by many names: counter-party risk, supply chain disruption, natural disaster, compliance, regime change, Anonymous, and many, many more. The bigger the organization, the more butterflies there are to worry about.
Businesses have created monitoring groups, such as information security, credit risk, physical security, business continuity, compliance and audit security. At most companies, these groups report to separate people—some to the CSO, some to the CIO and some to the COO.
There are a lot of drawbacks to that arrangement. Perhaps the biggest is that no one person or department can know all the risks a company faces and how they can affect each other. Many businesses are responding to this uncertainty by instituting enterprise risk management (ERM) processes that consolidate the information and the responsibility in one place.
"We had an ERM function, but it was very limited," says Steven Jones, director of operational risk for Synovus Financial. "The person responsible for ERM was mostly concerned with credit risk.... We didn't have a chief risk officer." That all changed after Mark Holladay, who had been chief credit officer, was named the company's first CRO in 2008.
Jones says Holladay brought a much more focused approach to risk assessment than had previously been applied. "We realized we had packets of risk management throughout the organization," says Jones. "But we didn't have clear visibility into our risk, whether it's operations or credit or market or strategic. We needed better, more focused [information] on how risk plays into our decision making." Without knowing the risks, decision making becomes a lot more like guessing.
Connecting the Dots
If the first decade of the 21st century has taught us anything, it's that you never know where the next threat will come from: 9/11, the mortgage meltdown, Hurricane Katrina, the Gulf oil spill, the Indonesian and Japanese tsunamis, nuclear power failures, political revolutions. The last 10 years have been a series of lessons in dealing with the unexpected. While no risk-management system can foresee everything, executives at companies that have adopted ERM say it has major advantages over what they were doing before.
"I believe this is the model for the future," says Pete Dowling, SVP of risk management at AXA Equitable. "This isn't just about investigating stolen things in the workplace anymore. All the things we manage on a daily basis have the potential, if they become a crisis, to get the company in trouble."
All companies have expertise in many types of threat monitoring and prevention. For example, IT handles issues like information security and intrusion prevention; finance handles issues such as audit, compliance and credit; and operations may be in charge of physical security. Those business functions developed this expertise because they were the ones most directly affected by the threats.