Ask the boss: A COO's perspective on ERM

What does a coordinated view of risk really offer an organization?

Mike Butler, executive vice president and chief operating officer at Providence Health and Services, explains ERM's benefits from his point of view. [Part of CSOonline's special report on enterprise risk management and organizational models.]

CSO: How would you describe the value of this organizational approach?

Mike Butler: This structure allows us to see all significant or critical risks across the organization from one vantage point.

We can comprehensively see the impact of many different types of risk, instead of dealing with them in silos that isolate the costs and impacts from each other.

CSO: The CFO normally has responsibility for risk management, dealing with such things as insuring the company's operations, facilities and holdings; leveling the financial risks of corporate investments (in such things as 401(k)s); and dealing with reputational risk. Why is it valuable for security-type risks to be added to that risk-management portfolio, particularly under the finance chief?

Butler: Security risk ultimately involves not just financial impact, but the reputational risk of how the community trusts and has confidence in the organization.

Many of the controls to mitigate the risks are technical in nature and dealt with by the CIO, but the risk itself is something that needs to be addressed in the overall enterprise risk-management portfolio. You can, and should, determine the potential financial and reputational impacts of information security threats and mitigate them using the same approach you would use for any other risk once you understand it financially.

CSO: In what's sometimes called holistic risk management, is there any downside to putting so many different types of risk in one package, or under one person? Loss of focus on critical things like insurance, for example?

Butler: The risks themselves are not under one person. Identification, assessment, management plans, and so on are in one functional place, but the operational leaders are still, ultimately, responsible for the risks of the functions they lead. With this model, we can see all of the risks that operational leaders are dealing with, instead of trying to sort through them across the entire organization, one at a time.