Is ERM only about preventing downside? Or is there more to it than that? In a recent digital edition of CSO I noted thatSecurity is occasionally susceptible to two afflictions: 1. Hype. 2. Semantic arguments.No great surprise if the broader discipline of risk management sometimes catches the same cold.In June, Harvard Business Review published an article Managing Risks: A New Framework by Balanced Scorecard co-creator Robert Kaplan and colleague Anette Mikes. The article is (of course) smart and interesting – and begins with this can’t-miss anecdote about BP:When Tony Hayward became CEO of BP, in 2007, he vowed to make safety his top priority. Among the new rules he instituted were the requirements that all employees use lids on coffee cups while walking and refrain from texting while driving. Three years later, on Hayward’s watch, the Deepwater Horizon oil rig exploded in the Gulf of Mexico, causing one of the worst man-made disasters in history.Nice to see the topic being addressed in major business media. But being smart and interesting doesn’t make you right, and some smart risk thinkers are taking for- and against- positions regarding a fundamental concept in Kaplan’s article. The issue will sound familiar to security leaders: Is risk management only about downside?Or is it about managing uncertainty, which can include upside as well? GRC guru Michael Rasmussen praises the HBR article and emphasizes a definition of risk that focuses on the possibility of downside:A more accurate understanding is that risk is an event or condition that creates a state where undesirable effects may be possible.In the other corner, Norman Marks, an outspoken audit and risk expert, disagrees strenuously with Rasmussen and “the lamentably poor example” of Kaplan and Mikes.My own view is that risk management effectiveness is measured by its ability to influence decision-making. Better decisions, made with quality information, enable better performance.So is this merely an argument of semantics? Or does the answer really matter?I think it matters a great deal for security folks, at a very practical level. Decades of experience in the corporate world have shown that if you focus only on preventing the bad, you limit the impact of the security function. Your value is potentially much greater to the organization if you stay on the lookout for opportunities to enable the good.What do you think? Related content opinion Getting the Board on board Sean Lyons argues that the Board of Directors must see themselves as an active part of corporate defense - not the beneficiaries of it By Derek Slater Feb 13, 2013 8 mins Government IT Strategy opinion Recent risk discussions, here and there By Derek Slater Jan 28, 2013 2 mins IT Strategy opinion Information security risk: A conversation with Adam Shostack How has the landscape changed since publication of The New School of Information Security? By Derek Slater Dec 04, 2012 5 mins Data and Information Security IT Strategy opinion Corporate ERM efforts undergoing radical change Enterprise risk management (ERM) is shaking the corporate world -- perhaps because, as a recent study shows, the world is shaking up ERM By Derek Slater Nov 06, 2012 2 mins IT Strategy Podcasts Videos Resources Events SUBSCRIBE TO OUR NEWSLETTER From our editors straight to your inbox Get started by entering your email address below. Please enter a valid email address Subscribe