As I said at the outset, this blog covers enterprise risk management from a security POV. It's by no means our first foray into the topic. Let me point to some prior coverage of risk management on CSO, articles that, together, provide a practical foundation.

1. Jeff Spivey (former President of ASIS, now affiliated with RiskIQ) provides a great, accessible overview of ERM. Quotable:

"Companies are still confused by the terminology that's being used. They hear 'enterprise risk management' and say, 'Well, we have a risk manager so we're doing that already'. But in fact they're just doing the old traditional approach, transferring of risk by [purchasing] insurance. They may be involved in some risk identification or some claims analysis, but they really don't know the full scope of ERM."

(Side point, but I also love Spivey's statement "I define a bureaucracy as any group larger than five people.")

2. Here's a practical approach, a grassroots way to get started with holistic risk management if your organization isn't ready to go whole-hog with a formal framework like COSO. Quotable:

"Beyond the specific business value you create [through this 6-step exercise], you will also lay the foundation for more interdepartmental communication and coordination. Security personnel will have more and better contacts within finance, marketing and other groups."

3. The article Organizing for ERM offers a deeper dive into how several large companies are structuring their risk management efforts. Quotable:

"It's about 'helping people adopt and understand the risk posture of the executive management team, and then making sure we are consistently applying that level of risk management throughout the organization,' says Synovus' Jones. 'Our job is not to eliminate risk but to manage it to the level of appetite that's been accepted by top management.'"

4. Hopefully you know your company's "risk managers", a title long in use in the insurance world. (Spivey refers to this function in the first article I linked to.) Here is a bit more detail: What are your risk managers thinking about? Security is tasked with reducing risks; insurance policies "transfer" risks to another party, for a fee of course. Both tactics are key parts of ERM. [Note: This article requires CSO Insider registration, which is free.]

5. And lastly, here's a look at how a university is translating risk management work into specific projects that increase both security and efficiency.

I could go on, but let's keep this semi-digestible!

The next post will point to some in-depth coverage of risk measurement practicals, particularly in regard to IT. After that, we'll charge forward with new interviews and observations from across the risk management spectrum.