ERM: The basics

An introduction to ERM (Enterprise Risk Management) for security, IT and operational risk professionals. ISO and COSO frameworks; risk measurement and prioritization; mini-case studies and real-world ERM examples.

Page 2 of 3

Why all the interest now?

In today's business world, the risks have evolved, and significant new ones need to be dealt with, according to Richard Steinberg, who led development of the COSO Enterprise Risk Management Integrated Framework (see below). Executives and boards of directors want to take a more disciplined approach to identifying, analyzing and managing risk.

Being able to assess a company's full risk posture is also more important today because that information is needed by more stakeholders than ever. The board of directors, the C-suite, regulators and auditors all need access to consistent, reliable information about emerging risks, trends, compliance controls, security measures and information protection. Consistent information makes compliance easier by letting regulators see quickly that the company is fulfilling its obligations. It also makes it possible for senior executives to decide how much risk the company is willing to take and then set policy accordingly.

Respondents to the Deloitte/Forbes Insights study reported less tolerance overall for volatility and surprises in the wake of ongoing global financial challenges. The top sources of risk named by respondents include market volatility, regulatory changes and the rise of social media.

Further interest in ERM will be fueled by recognition of the business benefits, Steinberg said, which include smooth-running supply chain processes that don't interrupt manufacturing; avoidance of the large financial meltdowns seen in recent years; and assurance that marketing programs in foreign locations achieve their stated goals.

You mention the COSO 'framework'. What is it? What other established frameworks are out there, and how could they help us?

Two of the most widely known ERM frameworks are ISO 31000, from the International Organization for Standardization, and COSO's ERM Integrated Framework.

ISO 31000 is an international standard, introduced in 2009, whose foundation is the 1995 Australian and New Zealand standard AS/NZS 4360. ISO 31000 provides generic guidelines that any organization can use to design, implement and maintain risk management processes. It is intended to help organizations establish processes for identifying, analyzing, evaluating, treating, monitoring and communicating risk.

Meanwhile, COSO (the Committee of Sponsoring Organizations of the Treadway Commission) is a joint initiative of five private-sector organizations dedicated to providing thought leadership on ERM, internal control and fraud deterrence. In 2004, the group introduced the Enterprise Risk Management Integrated Framework, which describes the critical principles and components of an effective ERM process. Specifically, it outlines how important risks should be identified, assessed, responded to and controlled. COSO's ERM framework has gained considerable influence in the U.S. because it builds on COSO's internal-control framework, which most U.S. public companies use to meet the requirements of Sarbanes-Oxley.


It's important to understand that the COSO ERM framework is not a primer on risk management, Steinberg said; rather, it's aimed at business people with some background in managing business risk. The executive summary may be helpful to boards of directors who provide oversight to get a sense of what's involved in ERM, he said, but the framework does not attempt to take the place of what's obtained through experience, education and training.

It's also important to understand that the COSO ERM framework is not a how-to on developing ERM, Steinberg said. It describes what an effective ERM process is, what it contains and represents, and how it works. But it does not set forth a specific methodology for implementing an ERM process, he said.

Do we need to apply the entire framework in order to benefit from ERM?

Most companies practice risk management, but it's not very common to have all the elements of what COSO defines as an effective ERM framework, according to Steinberg. For example, some companies might not relate risks to their business objectives, spell out an established risk appetite or develop a portfolio view of risk.

The framework sets forth principles that need to be in place in order to have what is defined as an "effective" ERM process. However, Steinberg believes, many companies can take significant steps to manage their risks without having what the COSO framework defines as ERM.

The cube in the framework brings concepts together in a meaningful way, Steinberg said, but people who don't focus on risk on a regular basis or as a process might need to work a bit to get their arms around it. He suggests that security managers look into the framework's Application Techniques volume for specific ways to apply risk management effectively.

How can we get started with ERM in a practical way?

It can seem daunting to embark on an ERM initiative. However, it doesn't have to be so complex if you "begin with the end in mind" (with credit to Stephen Covey for that idea).

The "end," or goal, of ERM, according to the COSO ERM framework, is "to provide reasonable assurance regarding the achievement of entity objectives." Translation: The goal is to enable the business. That should be your security department's goal, and (critically) your CEO must know that it's your goal.

With that in mind, here is a six-step exercise that can help you devise and refine a process to use in strategy-setting. It's just a beginning, but it can yield an immediate payoff, and that will help gather support for more formal efforts down the road. We'll use internal investigations as the first business activity to which we'll apply these steps. The six steps are based on the eight components of ERM in the COSO framework (internal environment, objective setting, event identification, risk assessment, risk response, control activities, information and communication, and monitoring), modified for this beginner's exercise.

Step 1. Create a working group that includes a representative from every department that plays any role in internal investigations. This might include HR, corporate security, information security, facilities, finance and legal.

Step 2. Brainstorm events and scenarios that could create risk for the company in an internal investigation, such as information leaks in various departments or a potentially violent suspect.

Step 3. Rank the risks by likelihood and impact. Absolute precision is not necessary here, although this step may provide the impetus to gather new metrics, both within your business and from the outside world for benchmarking purposes.

Step 4. Now for controls and solutions: List existing controls. Look for redundancy across departments. Brainstorm new controls to address these risks. Rank the new controls by cost, difficulty and effectiveness, and note especially the controls that reduce likelihood or impact across several types of events. With luck, you may be able to pay for a new control by retiring redundant existing ones.

Step 5. Select the appropriate point person responsible for implementing (or championing) each high-priority control.

Step 6. Establish a way to measure the effect of each new control and communicate that measurement within and outside of your working group. Don't get too hung up on formalities. Keep the end in mind: Enable business objectives. Keep it simple. Show progress. Make internal investigations more effective and less risky.
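The following Python risk register is added here as an illustration; it is not code from the article or from COSO. It carries steps 2 through 4 through as code: each brainstormed event is scored by likelihood times impact (step 3), existing controls whose effect is fully covered by another control are flagged as redundant (the step 4 check), and candidate controls are ranked by marginal risk reduction per unit of cost, re-scoring after each pick so that a control covering several events is credited for all of them. The risk names, the 1-to-5 scales, the costs and the control effects are constructed sample data for an internal-investigations working group, not figures from the article.

```python
"""Risk register for steps 2 to 4 of the exercise (added example).

All risks, scales, costs and control effects below are constructed
for illustration; none of them come from the article.
"""
from dataclasses import dataclass, field


@dataclass
class Risk:
    """One event or scenario from step 2, scored in step 3."""
    name: str
    likelihood: int  # assumed scale: 1 = rare .. 5 = almost certain
    impact: int      # assumed scale: 1 = negligible .. 5 = severe

    def score(self) -> int:
        return self.likelihood * self.impact


@dataclass
class Control:
    """A control from step 4. `effects` maps a risk name to the number of
    likelihood and impact points the control removes from that risk."""
    name: str
    cost: float  # relative cost in any consistent unit
    effects: dict = field(default_factory=dict)  # {risk name: (d_like, d_imp)}


def rank_risks(risks):
    """Step 3: highest likelihood x impact first."""
    return sorted(risks, key=lambda r: r.score(), reverse=True)


def residual(risk, controls):
    """Score of `risk` after applying `controls`; each axis floors at 1."""
    like, imp = risk.likelihood, risk.impact
    for c in controls:
        d_like, d_imp = c.effects.get(risk.name, (0, 0))
        like -= d_like
        imp -= d_imp
    return max(1, like) * max(1, imp)


def total_residual(risks, controls):
    return sum(residual(r, controls) for r in risks)


def dominated(controls):
    """Step 4 redundancy check: names of controls whose every effect is
    matched or exceeded by one other control in the list."""
    out = []
    for c in controls:
        for other in controls:
            if other is c or not c.effects:
                continue
            if all(other.effects.get(r, (0, 0))[0] >= dl
                   and other.effects.get(r, (0, 0))[1] >= di
                   for r, (dl, di) in c.effects.items()):
                out.append(c.name)
                break
    return out


def prioritize(risks, candidates, budget):
    """Step 4 ranking: greedily pick the affordable control with the best
    marginal reduction in total residual risk per unit cost, re-scoring
    after each pick so multi-event controls get credit for every event."""
    chosen, remaining = [], list(candidates)
    while remaining:
        base = total_residual(risks, chosen)
        best, best_ratio = None, 0.0
        for c in remaining:
            if c.cost > budget:
                continue
            gain = base - total_residual(risks, chosen + [c])
            if gain / c.cost > best_ratio:
                best, best_ratio = c, gain / c.cost
        if best is None:
            break
        chosen.append(best)
        remaining.remove(best)
        budget -= best.cost
    return chosen


# Constructed sample data for an internal-investigations working group.
RISKS = [
    Risk("Leak from HR", 4, 4),
    Risk("Leak from IT", 3, 4),
    Risk("Violent suspect", 2, 5),
    Risk("Evidence mishandled", 3, 3),
]
EXISTING = [  # one control each from two departments, overlapping in effect
    Control("Locked HR case cabinet", 0.2, {"Leak from HR": (1, 0)}),
    Control("Finance-only case file share", 0.3, {"Leak from IT": (1, 0)}),
]
CANDIDATES = [
    Control("Need-to-know case distribution list", 1.0,
            {"Leak from HR": (2, 0), "Leak from IT": (2, 0)}),
    Control("Security escort at interviews", 2.0, {"Violent suspect": (1, 2)}),
    Control("Chain-of-custody checklist", 0.5, {"Evidence mishandled": (1, 1)}),
    Control("Encrypted case-file repository", 3.0,
            {"Leak from HR": (1, 1), "Leak from IT": (1, 1),
             "Evidence mishandled": (0, 1)}),
]

if __name__ == "__main__":
    for r in rank_risks(RISKS):
        print(f"{r.score():3d}  {r.name}")
    picks = prioritize(RISKS, CANDIDATES, budget=4.0)
    print("selected:", [c.name for c in picks])
    print("residual risk:", total_residual(RISKS, []), "->",
          total_residual(RISKS, picks))
    print("now redundant:", dominated(EXISTING + picks))
```

With the sample data the distribution list is picked first even though it is not the cheapest control, because it reduces two of the four events at once; once it is in place the two departmental controls it overlaps are flagged as redundant, which is the saving step 4 suggests using to fund new controls. The greedy ratio is a deliberately simple heuristic; it is enough for a first working-group pass and is easy to replace with a better model later.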

Now repeat this six-step process with a new team for each of these additional, clearly cross-functional areas:

Using this six-step process, you will not only create specific business value (the deliverables in steps 5 and 6); you will also lay the foundation for more interdepartmental communication and coordination. Security personnel will have more and better contacts within finance, marketing and other groups. As we've noted before, those connections can form the basis of a competitive advantage for your company. (More about that concept at the end of this article.)
