Update to risk management framework should be taken seriously

Recently, the Committee of Sponsoring Organizations (COSO) released a long awaited exposure draft update to its Enterprise Risk Management (ERM) Framework.  The original ERM Framework was issued in 2004.  And as we are all aware, much has changed in how we and our organizations view and manage risk.

That’s right you read it correctly, from the same people that brought you the internal control framework used for Sarbanes Oxley (SOX) – COSO.

[ ALSO ON CSO: 5 ways to create a collaborative risk management program ]

The ERM Framework is very different than the COSO – Internal Control Integrated Framework (IC 2013) that was last updated in 2013 and that you are probably very familiar with. The latter focuses on designing, implementing, monitoring internal control effectiveness and is used to assess the internal controls for preparing and reporting on financial statements (SOX compliance). You know, “that framework” responsible for the pain you experience every fall because some executive decided to declare something you do as a critical control, and now you need to make sure you do it right 100 percent of the time – or else you’ll be spending your winter vacation trying to satisfy the auditors. 

The ERM Framework is actually a tool you will find helpful

Let’s face it – whether you are a CISO, technology risk manager or an administrator trying to avoid corporate politics, the proposed ERM Framework will help you. Here are my top reasons why you should care and take this thing seriously:

• A lot of what you do is risk management. Yet, existing risk assessment tools – although facilitating strong consideration of technical issues, do a poor job of providing a process on how to communicate the risks to Executive Management and the Board of Directors. This proposed framework helps overcome this challenge.
• The ERM Framework provides a consistent process that provides a recognized approach to performing risk assessment. You can be confident in your prioritizations – and more importantly so can those “higher-ups.”
• Because at its core it is an “enterprise” framework rather than a “technology” framework, it will enable you to present you concerns from an enterprise rather than technology perspective (what you’ve always been wishing for). More importantly, your issues will be presented in a language that is used by corporate executives significantly increasing the probability of inclusion in key reports and communications and hopefully more positive response to “security investment” requests.
• The framework forces a “top-down” approach ensuring that the needs of key stakeholders are understood and risk response strategies align with their needs and are prioritized properly.

What is the framework all about?

The framework is comprised of five components supported by 23 principles. These are not meant to be a one size fits all – so a little creativity and thinking outside the box is required to tailor the framework for your unique needs. The five components are risk governance and culture; risk, strategy and objective setting; risk in execution; risk information, communication and reporting; and monitoring enterprise risk management performance. Here is what each of these components mean and their impact:

• Risk Governance and Culture – This deals with overall corporate philosophies including Board of Director and Executive buy-in to managing risks and supporting programs that mitigate the risks. This also includes policies, ensuring adequate funding and promoting an appropriate tone at the top.
• Risk Strategy and Objective Setting – Helps define risk appetite and what level of risk is or isn’t acceptable. Many information security and technology risk professionals are well aware of the constant need to assess business opportunities by balancing availability with security needs. In this component, these professionals help define what the general parameters of risk are so that they may be applied to assess individual business opportunities or technology issues.
• Risk in Execution – This component represents activities where most risk professionals spend their time and for non-enterprise wide assessments it reflects the total assessment. This component addresses the actual process of identifying the risk, assessing its severity, designing and implementing mitigation strategies and responses. Although inherently not technology focused, it challenges technology professionals to translate their technical risks and solutions to a language that business executives can relate to.
• Risk Information, Communication and Reporting – Gathering relevant data and converting it into actionable information that can help the organization better achieve its objectives is the purpose of this component. Information security and technology risk professionals “live this challenge” by developing relevant performance metrics that can be used to demonstrate the effectiveness of security management risk reduction programs. That old cliché of “what gets measured gets done” is relevant here – so choose the information that you are assessing your work against wisely. 
• Monitoring Enterprise Risk Management Performance – This final component doesn’t always receive the attention that it deserves. We designed and implemented risk management strategies – but do they work? In this component the larger picture is taken to help ensure that what does get developed is effective and efficient for the organization’s objectives.

I realize that what I’ve described above is what you do as a security risk management professional on a daily basis. By using “their language” you’ll have better success in winning executive support (and investments) for your information security program.