Manage Learn to apply best practices and optimize your operations.

An ERM strategy that leverages compliance for IT/business alignment

Compliance can be achieved through enterprise risk management, but your ERM strategy may not mean compliance. Here's how to leverage ERM for compliance.

An enterprise risk management (ERM) strategy assumes your organization has conducted risk assessments, analyzed the results and initiated the appropriate responses. You should be relatively safe, correct? While this assumption should include the provision of controls such as network monitoring, antivirus software and disaster recovery, there is another area -- compliance -- that bears further analysis.

More compliance resources
Supreme Court hears 'sexting' case on employee privacy rights

Interest in cyber risk insurance is growing, but is it for you?

 If your organization is in the banking and finance sectors, you are heavily regulated, especially in regards to issues like data protection, security and disaster recovery. Thus, another element -- compliance with standards and regulations -- is becoming another key issue in governance, risk and compliance.

Simply stated, compliance means conforming to stated requirements. At an operational level, you achieve compliance by invoking technical processes, supported by management policies and procedures that are consistent with the stated regulatory activities for good IT management, data protection and security.

At an organizational level, it is achieved again through management processes that identify the applicable requirements (defined in laws, regulations, contracts, strategies and policies), assessing the state of compliance, the risks and the potential costs of noncompliance against the projected expenses to achieve compliance. These steps help prioritize, fund and initiate corrective actions deemed necessary to achieve compliance and IT/business alignment.

Steps from risk management to compliance

Assuming your IT organization has a well-defined ERM strategy, let's examine the steps to take to transition into a compliance-based strategy. Better yet, create a combined approach that leverages risk management with compliance:


  2. Review corporate business objectives and alignment with the IT organization. Ensure the correct IT/business alignment is in place; if not, make adjustments as needed.

  4. Review the ERM strategy and a current risk map of the IT organization (see table).
  5. High
    Password resets
    Low          Low ---------- Impact ----------- High


  6. Conduct a risk assessment to validate existing risks or threats and identify any new ones that need to be addressed (a good idea at least annually).

  8. Identify risks in the categories of internal and external factors, and risk relating to change (e.g., new employees, merger).

  10. Based on the risk assessment, determine how much risk exists, compare it with the quality of risk management in place, and determine the direction the risk is taking (e.g., increasing, decreasing).

  12. Review existing risk controls, such as policies, processes, staffing and control systems for reliability, sufficiency and cost-effectiveness.
  13. li>Determine if there is an absence of suitable controls (need to update controls and overall governance) and/or the lack of adherence to (or poor quality of) existing controls.


  15. Compile a list of applicable laws, regulations and standards that affect your organization; these may be promulgated by government agencies (e.g., with banking), professional associations (e.g., American Water Works Association, Federal Communications Commission), standards organizations (e.g., American National Standards Institute, National Institute of Standards and Technology) or accepted industry good practice.
  16. At an operational level, you achieve compliance by invoking technical processes, supported by management policies and procedures that are consistent with the stated regulatory activities.


  17. Based again on results of the risk assessment, identify what have historically been problems for your organization.

  19. Identify and list the top three sources of compliance risk for your organization (e.g., lack of suitable controls).

  21. Map existing policies, procedures and controls to the top three risks you identified; determine variances of inconsistencies.

  23. If you don't have a compliance program, the results of this analysis will help you get started by identifying the risk-based issues and their correlating regulations, standards or practices.

  25. If your company has a compliance program, examine it to see how you can map the identified risks, standards, regulations and other issues into the program framework.

  27. Consider an integrated solution that can manage compliance controls while managing, monitoring and mapping them against every risk factor.

  29. Regularly test the solutions to ensure that they are factoring in both risk and compliance; review with legal, regulatory compliance and other similar teams.

  31. Ensure that information systems address risk and compliance matters by incorporating governance, risk and compliance management at the system and application design stage, all of which is part of a structured framework.

A risk-centered IT management environment can evolve to acknowledge regulations and standards within a structured compliance program. Governance, risk management and compliance initiatives rank among the top strategic initiatives at most financial institutions and in a growing number of nonfinancial entities. Leading companies and their IT departments have already taken action to anticipate changes in the regulatory landscape that are likely to occur as governments continue their responses to market failures of the past two years.

Paul F. Kirvan, FBCI, CBCP, CISSP, has more than 20 years' experience in business continuity management as a consultant, author and educator. He is secretary of the Business Continuity Institute USA Chapter. Email him at

Dig Deeper on Risk management and compliance

Start the conversation

Send me notifications when other members comment.

Please create a username to comment.