Organizational models for ERM

Has the security department found a home in enterprise risk management organizations? That's where three companies are looking to accelerate business benefits.

A governance, risk and compliance software package from Modulo is a part of the ongoing work to discover and manage risk points and assets throughout the company. As the ERM work got underway, Synovus also conducted an employee survey to find out what employees thought was important about risk management's role in the organization. The survey found that people wanted more information about possible risks and what should be done about them.

Doing all this work getting to know the entire enterprise has had many side benefits for the risk-management office. For one thing, it increased the unit's visibility and made it less of an auditor and more of a partner to other departments.

This sense of partnership was spurred by the ERM system making it easier for those departments to work with all the areas of security and risk management. Cowperthwaite at Providence Health says that his company's ERM implementation brought together the information and physical security, audit, compliance, risk and insurance departments under a single person. So instead of having many separate meetings about each of those things, people had one person who could advise them and coordinate all of that. Once that happened, Cowperthwaite says, people started coming to him for help instead of his having to insert his department into what others were doing.

Changing Culture

Becoming a highly visible partner has also made risk management seem like less of an abstract concept and more of a real, important thing that everyone has a stake in. As a result, there is a lot more support from all levels of the organization, which is more important than any system or technology to security work.

"We can have great information security programs, but if employees don't buy in and participate in them, our program isn't going to be successful," says AXA's Dowling.

Consolidating all these functions also helps to drive home the importance of the CRO's mission across the entire organization. At AXA, this is reinforced by an annual three- to five-day, companywide exercise in business continuity and crisis management. Repeating it allows managers to make sure many people are aware of the plans and how to carry them out. This, in turn, provides the redundancy that is so important in a crisis.

The exercises are also fairly popular within the organization, according to Dowling. "People call and ask, 'When is the exercise this year?'"

This type of response is just one result of the centralization that can happen with an ERM system, and it can have a profound and long-lasting effect on an organization, which makes the CRO's life that much easier.

"We've seen a cultural change here," says Dowling. "This isn't business as usual. These people have daily jobs and daily functions within the company, and they've bought in to our procedures."

Copyright © 2011 IDG Communications, Inc.
