Standard and Poor's (S&P) announced that it would start incorporating enterprise risk management (ERM) into discussions with the companies it rates and might, as early as the second quarter of 2009, begin to score companies based on ERM. The move sent a strong message to enterprise business and technical leaders: Stop procrastinating, and get your ERM act together -- pronto.
ERM defines a strategy, procedures and an organizational structure for managing risk in a holistic, top-down fashion. A central purpose of ERM is to ensure that various business and IT groups "understand their responsibilities with respect to operational risk (the risk of loss from failed systems, people, inadequate processes or external events)," according to Gartner Inc.'s April report "A Risk Hierarchy for Enterprise and IT Risk Managers."
A related goal is to get various group leaders to start talking to one another on a regular basis in order to assess how threats in operational/IT areas like business continuity, information security, compliance and privacy, might undermine business performance as well as long-term goals and priorities.
Enterprise IT and business leaders have long recognized the value of taking a holistic rather than a distributed approach to risk management. Both 9/11 and Hurricane Katrina dramatically demonstrated how serious damage to a company's IT systems can threaten not only critical business processes but also long-term financial and competitive health. Another wake-up call came when federal regulators and courts began to hit companies with multimillion-dollar penalties for failing to comply with information security and data privacy regulations like the Sarbanes-Oxley Act and the Health Insurance Portability and Accountability Act.
Talking aside, when it comes to actually implementing ERM, many organizations have dragged their feet. In February 2007, risk adviser firm Marsh Inc. and the Risk and Insurance Management Society Inc. co-sponsored a survey of 501 U.S.-based risk managers, C-suite executives and risk-associated corporate positions, in which 12% of respondents said their companies have fully implemented ERM. That's an increase from 4% in 2006.
The finding is hardly surprising. Moving from silo-based processes to ERM requires a fundamental cultural change, not to mention a great deal of initial spadework.
"Business leaders are reluctant to accept accountability for risk and security decisions," said Paul Proctor, a vice president of research at Stamford, Conn.-based Gartner Inc. Furthermore, many IT and business managers are accustomed to focusing on threats within their sectors at the expense of the big picture.
At least business and IT managers are accustomed to dealing with one another once in awhile -- about service levels, for example. On the other hand, subordinates who install and maintain security and backup systems rarely interact with the business managers whose day-to-day jobs depend on the services those systems guard. And CIOs and other IT executives rarely, if ever, have occasion to work with corporate risk managers, who deal with financial and market threats.
The problem is, when it comes to risk management, both sides tend to think inside the box. "Historically, risk managers have been insurance buyers as opposed to strategic thinkers," said Michael Keating, director and leader of the business continuity practice at Navigant Consulting Inc. And on the other side, IT executives generally deal with a perceived threat by throwing technology at the problem and not taking business objectives and priorities into account, he added.
Indeed, even without the threat of having a ratings agency lower their credit scores a notch, enterprises have plenty of competitive and financial reasons to implement ERM.
"I know a number of organizations who are putting a huge focus on technical risk without having the governance that would enable them to focus their investment according to the business risk," said Peter Berlich, president of Swiss firm BirchTree Consulting LLC, and a board member of the International Information Systems Security Certification Consortium Inc., or (ISC)². This can lead to "spending too little on risk mitigation and prevention, so that business processes take too long to recover after a disaster or, conversely, overemphasizing technical risks so that the company loses out on business opportunities."
ERM is all about communication and collaboration among different corporate groups, each of which brings its own priorities, but also specialized experience and knowledge, to the challenge of assessing and dealing with risk in a proactive and company-wide fashion.
A well-founded ERM strategy gives business and IT group leaders the opportunity to work together on broader, proactive solutions that benefit business in the long run. It also puts responsibility for assessing threats and devising viable solutions where it belongs: in the hands of business and IT leaders whose operations have been threatened.
Gartner's Proctor stated the problem as a rhetorical question: "When it comes to tackling risk and security, who do you want to make decisions? The low-level person who manages the firewall?"
The second of this two-article series addresses the challenges and payback of implementing an ERM strategy.
Elisabeth Horwitt is a contributing writer based in Waban, Mass. Write to her at email@example.com.