ERM: The basics

An introduction to ERM (Enterprise Risk Management) for security, IT and operational risk professionals. ISO and COSO frameworks; risk measurement and prioritization; mini-case studies and real-world ERM examples.

Natural disasters, political instability, data breaches, financial calamity—even asteroids—the sources of risk are on the rise and are increasingly unpredictable.

And in an age of increasing regulatory compliance, not to mention cost sensitivity, it's even more important to get the job of risk management right.

For these reasons, companies are increasingly turning toward enterprise risk management (ERM), where instead of handling risk on a function-by-function basis, they are centralizing the oversight of all risk under a single entity, whether that's a department or a cross-functional team.

The hope is that less will slip through the inevitable gaps between responsible parties and that a more holistic view will shed some light on how to assess and manage the organization's entire risk profile and handle changes as time goes on.

While ERM adoption is on the rise, the shift from traditional ad hoc risk management toward a more holistic approach poses plenty of obstacles. Challenges include potential turf wars, defining all the areas of risk, identifying metrics for measuring risk, finding the right organizational structure and simply communicating what ERM is and how it differs from simply appointing a risk manager.

Here are frequently asked questions about ERM and how it can add value at your organization, compiled from CSOonline.com's in-depth reporting.

Define Enterprise Risk Management for me.

According to the International Standards Organization (ISO), "risk" is the effect of uncertainty on objectives, whether positive or negative.

Risk management, according to the ISO, is not a stand-alone activity, separate from the main activities and processes of the organization, but an integral part of all organizational processes, including strategic planning and all project and change management processes.

On a practical level, ERM is a holistic approach toward managing all risk that a business entity or government may be exposed to. There are five ways to deal with any given risk:

  • Reduce it (with controls, for example)
  • Ignore it
  • Eliminate it
  • Transfer it (with insurance, for example)
  • Accept it (which is not the same as ignoring it)

The big difference between ERM and traditional approaches is that it takes a top-down, enterprise-wide view of all risk exposures vs. managing risk in distinct pockets, or silos.

Companies with ERM programs consolidate all risk information, responsibility and functions in one place. They integrate their formerly separate risk processes across business areas and consolidate all risk-management functions, including information gathering, analysis and prevention. This makes it possible to see past the obvious risks posed by a single threat, to all its potential ramifications.

Another way to think of ERM is in context of "the butterfly effect," a hypothetical example of chaos theory that illustrates how small differences may lead to large unforeseen consequences over time. In business, "butterflies" include counter-party risk, supply chain disruption, natural disaster, compliance, regime change, Anonymous and many, many more. Traditionally, businesses have created monitoring groups for these risks, such as:

  • credit risk
  • physical security
  • loss prevention
  • fraud prevention
  • information security
  • business continuity
  • safety
  • compliance
  • audit

At most companies, these groups report to separate people—the General Counsel, CSO, CIO and COO, as examples. But in this arrangement, no one person or department can know all the risks a company faces, how these risks can affect each other, and which controls might be interrelated, overlapping, or missing altogether.

According to the ERM Initiative at North Carolina State University, it's essential for an ERM program to cover the full inventory of all key risk exposures that could potentially affect an entity's ability to achieve its objectives. This includes security and operational risk, in addition to brand, financial and capital risk.

What's the point? How will my company benefit?

The goal of ERM is to improve how enterprises handle risk by allowing them to see the big picture and the inter-relationships among their various areas of exposure.

With this holistic approach, one person or department works to systematically understand how one risk can affect and increase many other risks. This helps enterprises optimize spending and minimize the chance of untended risks falling through the cracks.

Proponents say ERM can reduce costs, improve efficiency and lower exposure to losses that could occur because of the gaps between silos. According to Jeff Spivey, President of Security Risk Management, companies in certain industries with a demonstrable ERM effort can also receive better credit ratings. (You can read more of Spivey's views on the accelerated move to more comprehensive risk management models in our Q&A.)

ERM initiatives can also enable much more sophisticated risk analysis. For example, a denial-of-service incident can be just an attack on the IT infrastructure, but it could also be designed to impact another part of the company. The information security team may be too busy dealing with the immediate crisis to even think about other implications, if they even know what those are.

Bringing cross-disciplinary groups together, however, allows for formal and informal cross-pollination. In addition to allowing people to see how others approach problems, their participation in a casual interchange of ideas may also spur new ideas.

Another significant benefit is that companies can do more with resources they already have. They can save money and improve efficiency by leveraging their information systems, using one system, where before there may have been many. Using the same system puts everyone on the same page, as everyone uses standardized evaluation criteria, assessment process and taxonomy.

One of the most overlooked issues about the use of multiple risk reporting systems is the difficulty of making sense of all the different descriptions of similar information. The executives who rely on reports from totally separate groups to guide their decisions have to use their own best judgment to determine whether one department's "serious" is the same as another's "imminent" or a third's "yellow alert."

David Kent summed up a practitioner's view of holistic risk management very well: "The primary benefit is identification and assessment of risks across professional disciplines -- so that when you do offer your views of probability and impact, it's done with this very broad perspective. By extension, the solutions that are going to come to the front are going to carry that broad thought with them, and inherently be more efficient," said Kent, VP of security for Sanofi North America.

"For the solution or behavior or decision, you'll have incorporated all those views in a very time-efficient way, and gained the knowledge capital that comes from repeating that across time."

How many organizations are really doing this?

ERM adoption has grown steadily over the past few years, although the percentage of companies engaged in ERM processes or methodologies today is still not astoundingly high. According to CSO's research, ERM got a jumpstart in 2010, when companies with a formal ERM process or methodology in place jumped from 46% to 57%. However, between 2010 and 2011, that percentage showed no increase at all.

Research from The ERM Initiative at North Carolina State University shows a similarly steady increase from 2009 through 2012 in the percentage of organizations that claim to have a "complete formal enterprise-wide risk management process in place." The overall percentage of companies adopting ERM was lower in this study, increasing from 8.8% in 2009 to 23.4% in 2012. The largest organizations are further along, at 46.6%. However, almost 40% of all organizations in the survey have no ERM processes in place, despite two-thirds describing their risk culture as "strongly risk averse" or "risk averse."

Top challenges that restrict progress include the belief that "risks are monitored in other ways besides ERM," "too many pressing needs" and "no requests to change our risk management approach."

Meanwhile, according to a Spring 2012 study by Deloitte and Forbes Insights, 91% of respondents plan to reorganize and re-prioritize risk management over the coming three years.

Planned changes included:

  • Elevating the function within the organization (52 percent)
  • Reorganizing processes (39 percent)
  • Providing additional training for staff (37 percent)
  • Incorporating new technology (31 percent)
  • Integrating ERM into strategic planning (28 percent)

The response base comprised three broad industry groupings: life sciences and healthcare, consumer and industrial products, and telecom.

Why all the interest now?

In today's business world, the risks have evolved, and significant new ones need to be dealt with, according to Richard Steinberg, who led development of the COSO Enterprise Risk Management Integrated Framework (see below). Executives and boards of directors want to take a more disciplined approach to identifying, analyzing and managing risk.

Being able to assess a company's full risk posture is also more important today because that information is needed by more stakeholders than ever. The board of directors, the C suite, regulators and auditors all need access to consistent, reliable information about emerging risks, trends, compliance controls, security measures and information protection. This information makes compliance easier by quickly letting regulators know that the company is fulfilling its obligations. It also makes it possible for senior executives to determine how much risk the company is willing to take and then set policy accordingly.

Respondents to the Deloitte/Forbes Insights study reported less tolerance overall for volatility and surprises in the wake of ongoing global financial challenges. The top sources of risk named by respondents include market volatility, regulatory changes and the rise of social media.

Further interest in ERM will be fueled by recognition of the business benefits, Steinberg said, which include smooth-running supply chain processes that don't interrupt manufacturing; avoidance of the large financial meltdowns seen in recent years; and assurance that marketing programs in foreign locations achieve their stated goals.

You mention the COSO 'framework'. What is it? What other established frameworks are out there, and how could they help us?

Two of the most widely known ERM frameworks are the International Standards Organization's ISO 31000 and COSO's ERM Integrated Framework.

ISO 31000 is an international standard, introduced in 2009, whose foundation is the 1995 Australian standard, AS/NZ 4360. ISO 31000 provides generic guidelines that can be used by any organization to design, implement and maintain risk management processes. It is intended to help organizations establish processes for identifying, analyzing, evaluating, treating, monitoring and communicating risk.

Meanwhile, COSO (the Committee of Sponsoring Organizations of the Treadway Commission) is a joint initiative of five private-sector organizations dedicated to providing thought leadership on ERM, internal control and fraud deterrence. In 2004, the group introduced the Enterprise Risk Management Integrated Framework, which describes the critical principles and components of an effective ERM process. Specifically, it outlines how important risks should be identified, assessed, responded to and controlled. COSO's ERM framework has gained considerable influence in the U.S. because it is linked to requirements of Sarbanes-Oxley.


It's important to understand that the COSO ERM framework is not a primer on risk management, Steinberg said; rather, it's aimed at business people with some background in managing business risk. The executive summary may be helpful to boards of directors who provide oversight to get a sense of what's involved in ERM, he said, but the framework does not attempt to take the place of what's obtained through experience, education and training.

It's also important to understand that the COSO ERM framework is not a how-to on developing ERM, Steinberg said. It describes what an effective ERM process is, what it contains and represents, and how it works. But it does not set forth a specific methodology for implementing an ERM process, he said.

Do we need to apply the entire framework in order to benefit from ERM?

Most companies practice risk management, but it's not very common to have all the elements of what COSO defines as an effective ERM framework, according to Steinberg. For example, some companies might not relate risks to their business objectives, spell out an established risk appetite or develop a portfolio view of risk.

The framework sets forth principles that need to be in place in order to have what is defined as an "effective" ERM process. However, Steinberg believes, many companies can take significant steps to manage their risks without having what the COSO framework defines as ERM.
