Update to risk management framework should be taken seriously

Jul 12, 2016 | 5 min read
Compliance, IT Leadership, IT Strategy

By speaking "their language," technology professionals can garner more interest and support from business executives, especially when it comes to gaining funding for security risk management initiatives.


Recently, the Committee of Sponsoring Organizations (COSO) released a long-awaited exposure draft update to its Enterprise Risk Management (ERM) Framework. The original ERM Framework was issued in 2004, and as we are all aware, much has changed since then in how we and our organizations view and manage risk.

That’s right, you read it correctly: this comes from the same people that brought you the internal control framework used for Sarbanes-Oxley (SOX) – COSO.


The ERM Framework is very different from the COSO Internal Control – Integrated Framework (IC 2013), which was last updated in 2013 and which you are probably very familiar with. The latter focuses on designing, implementing and monitoring internal control effectiveness and is used to assess the internal controls over preparing and reporting financial statements (SOX compliance). You know, “that framework” responsible for the pain you experience every fall because some executive decided to declare something you do a critical control, and now you need to make sure you do it right 100 percent of the time – or else you’ll be spending your winter vacation trying to satisfy the auditors.

The ERM Framework is actually a tool you will find helpful

Let’s face it – whether you are a CISO, a technology risk manager or an administrator trying to avoid corporate politics, the proposed ERM Framework will help you. Here are my top reasons why you should care and take this thing seriously:

  • A lot of what you do is risk management. Yet existing risk assessment tools, although they facilitate strong consideration of technical issues, do a poor job of providing a process for communicating the risks to executive management and the board of directors. This proposed framework helps overcome that challenge.
  • The ERM Framework provides a consistent, recognized approach to performing risk assessment. You can be confident in your prioritizations – and, more importantly, so can those “higher-ups.”
  • Because at its core it is an “enterprise” framework rather than a “technology” framework, it will enable you to present your concerns from an enterprise rather than a technology perspective (what you’ve always been wishing for). More importantly, your issues will be presented in the language used by corporate executives, significantly increasing the probability of inclusion in key reports and communications and, hopefully, a more positive response to “security investment” requests.
  • The framework forces a “top-down” approach, ensuring that the needs of key stakeholders are understood and that risk response strategies align with those needs and are prioritized properly.

What is the framework all about?

The framework consists of five components supported by 23 principles. These are not meant to be one-size-fits-all – so a little creativity and thinking outside the box is required to tailor the framework to your unique needs. The five components are risk governance and culture; risk, strategy and objective setting; risk in execution; risk information, communication and reporting; and monitoring enterprise risk management performance. Here is what each of these components means and its impact:

  • Risk Governance and Culture – This deals with overall corporate philosophies, including board of director and executive buy-in to managing risks and supporting programs that mitigate them. It also includes policies, ensuring adequate funding and promoting an appropriate tone at the top.
  • Risk, Strategy and Objective Setting – Helps define risk appetite and what level of risk is or isn’t acceptable. Many information security and technology risk professionals are well aware of the constant need to assess business opportunities by balancing availability with security needs. In this component, these professionals help define the general parameters of risk so that they can be applied to assess individual business opportunities or technology issues.
  • Risk in Execution – This component represents the activities where most risk professionals spend their time, and for assessments that are not enterprise-wide it reflects the total assessment. It addresses the actual process of identifying a risk, assessing its severity, and designing and implementing mitigation strategies and responses. Although not inherently technology focused, it challenges technology professionals to translate their technical risks and solutions into a language that business executives can relate to.
  • Risk Information, Communication and Reporting – Gathering relevant data and converting it into actionable information that can help the organization better achieve its objectives is the purpose of this component. Information security and technology risk professionals “live this challenge” by developing relevant performance metrics that demonstrate the effectiveness of security risk reduction programs. That old cliché that “what gets measured gets done” applies here – so choose the information you assess your work against wisely.
  • Monitoring Enterprise Risk Management Performance – This final component doesn’t always receive the attention it deserves. We designed and implemented risk management strategies – but do they work? In this component the larger picture is taken into account to help ensure that what does get developed is effective and efficient in serving the organization’s objectives.

I realize that what I’ve described above is what you do as a security risk management professional on a daily basis. By using “their language” you’ll have better success in winning executive support (and investments) for your information security program.


Joel Lanz is the founder and principal of Joel Lanz, CPA, P.C., a niche CPA practice focusing on information and technology governance, risk, compliance and auditing. Prior to starting his practice in 2001, Joel was a technology risk consulting partner at Arthur Andersen (1995-2001) and a manager at Price Waterhouse (1986-1991). He currently serves as a reference member of the American Cancer Society's audit committee. His industry experience includes a job as vice president and audit manager at The Chase Manhattan Bank (1991-1995) and senior IT auditor positions at two insurance companies (1981-1986).

Joel currently chairs the AICPA’s Information Management and Technology Assurance Executive Committee and previously chaired the AICPA's CITP credential committee (IT specialist certification for CPAs) and co-chaired the AICPA’s Top Technology Initiatives Task Force. Joel's prior contributions to professional organizations include serving as chairman of the New York State Society of CPAs Technology Assurance and Information Technology Committees.

Joel is a member of the editorial board of The CPA Journal. He frequently speaks at professional society and industry conferences, including the AICPA, NYSSCPA and IIA, and he is an adjunct professor at New York University’s Stern School of Business and at the State University of New York's College at Old Westbury.

Joel holds a BBA in accounting and an MBA with a focus on information systems from Pace University's Lubin School of Business Administration.

The opinions expressed in this blog are those of Joel Lanz and do not necessarily represent those of IDG Communications Inc., or its parent, subsidiary or affiliated companies.