


What has come before

Oct 23, 2012
IT Strategy

As I said at the outset, this blog covers enterprise risk management from a security POV.

It’s by no means our first foray into the topic.

Let me point to some prior coverage of risk management on CSO — articles that, together, provide a practical foundation.

1. Jeff Spivey (former President of ASIS, now affiliated with RiskIQ) provides a great, accessible overview of ERM.


“Companies are still confused by the terminology that’s being used. They hear ‘enterprise risk management’ and say, ‘Well, we have a risk manager so we’re doing that already’. But in fact they’re just doing the old traditional approach—transferring of risk by [purchasing] insurance. They may be involved in some risk identification or some claims analysis, but they really don’t know the full scope of ERM.”

(Side point, but I also love Spivey’s statement “I define a bureaucracy as any group larger than five people.”)


2. Here’s a practical approach, a grassroots way to get started with holistic risk management if your organization isn’t ready to go whole-hog with a formal framework like COSO.


“Beyond the specific business value you create [through this 6-step exercise], you will also lay the foundation for more interdepartmental communication and coordination. Security personnel will have more and better contacts within finance, marketing and other groups.”

3. The article Organizing for ERM offers a deeper dive into how several large companies are structuring their risk management efforts.


“It’s about ‘helping people adopt and understand the risk posture of the executive management team, and then making sure we are consistently applying that level of risk management throughout the organization,’ says Synovus’ Jones. ‘Our job is not to eliminate risk but to manage it to the level of appetite that’s been accepted by top management.’”

4. Hopefully you know your company’s “risk managers” – a title long in use in the insurance world. (Spivey refers to this function in the first article I linked to.) Here is a bit more detail: What are your risk managers thinking about?

Security is tasked with reducing risks; insurance policies “transfer” risks to another party, for a fee of course. Both tactics are key parts of ERM. [Note: This article requires CSO Insider registration, which is free.]

5. And lastly, here’s a look at how a university is translating risk management work into specific projects that increase both security and efficiency.

I could go on, but let’s keep this semi-digestible!

The next post will point to some in-depth coverage of risk measurement practicals, particularly with regard to IT. After that, we’ll charge forward with new interviews and observations from across the risk management spectrum.