Organizational models for ERM

Has the security department found a home in enterprise risk management organizations? That's where three companies are looking to accelerate business benefits.

Do you know the butterfly effect? Well, there are billions of butterflies in the world, and you want to keep an eye on the ones that, according to chaos theory, are about to flap their wings and start a chain of events that will eventually result in a hurricane half a world away. In business, those butterflies go by many names: counter-party risk, supply chain disruption, natural disaster, compliance, regime change, Anonymous, and many, many more. The bigger the organization, the more butterflies there are to worry about.

Businesses have created monitoring groups, such as information security, credit risk, physical security, business continuity, compliance and audit security. At most companies, these groups report to separate people—some to the CSO, some to the CIO and some to the COO.

There are a lot of drawbacks to that arrangement. Perhaps the biggest is that no one person or department can know all the risks a company faces and how they can affect each other. Many businesses are responding to this uncertainty by instituting enterprise risk management (ERM) processes that consolidate the information and the responsibility in one place.

"We had an ERM function, but it was very limited," says Steven Jones, director of operational risk for Synovus Financial. "The person responsible for ERM was mostly concerned with credit risk.... We didn't have a chief risk officer." That all changed after Mark Holladay, who had been chief credit officer, was named the company's first CRO in 2008.

Jones says Holladay brought a much more focused approach to risk assessment than had previously been applied. "We realized we had packets of risk management throughout the organization," says Jones. "But we didn't have clear visibility into our risk, whether it's operations or credit or market or strategic. We needed better, more focused [information] on how risk plays into our decision making." Without knowing the risks, decision making becomes a lot more like guessing.
