Last May, Standard and Poor's (S&P) announced that it would start incorporating enterprise risk management (ERM) into discussions with the companies it rates and might, as early as the second quarter of 2009, begin to score companies based on ERM. The move sent a strong message to enterprise business and technical leaders: Stop procrastinating, and get your ERM act together -- pronto.
S&P isn't alone. Investor services firm Moody's Investors Service has devised a holistic risk management rating methodology, and A.M. Best Co., an insurance information provider, has declared that ERM will be included as an integral part of its rating process.
ERM defines a strategy, procedures and an organizational structure for managing risk in a holistic, top-down fashion. A central purpose of ERM is to ensure that various business and IT groups "understand their responsibilities with respect to operational risk (the risk of loss from failed systems, people, inadequate processes or external events)," according to Gartner Inc.'s April 2008 report "A Risk Hierarchy for Enterprise and IT Risk Managers."
A related goal is to get various group leaders to start talking to one another on a regular basis in order to assess how threats in operational/IT areas like business continuity, information security, compliance and privacy might undermine business performance as well as long-term goals and priorities.
Enterprise IT and business leaders have long recognized the value of taking a holistic rather than a distributed approach to risk management. Both 9/11 and Hurricane Katrina dramatically demonstrated how serious damage to a company's IT systems can threaten not only critical business processes but also long-term financial and competitive health. Another wake-up call came when federal regulators and courts began to hit companies with multimillion-dollar penalties for failing to comply with information security and data privacy regulations like the Sarbanes-Oxley Act and the Health Insurance Portability and Accountability Act.
Talking aside, when it comes to actually implementing ERM, many organizations have dragged their feet. In February 2007, risk adviser firm Marsh and the Risk and Insurance Management Society (RIMS) co-sponsored a survey of 501 U.S.-based risk managers, C-suite executives and risk-associated corporate positions, in which 12% of respondents said their companies have fully implemented ERM, up from 4% in 2006.
The finding is hardly surprising. Moving from silo-based processes to ERM requires a fundamental cultural change, not to mention a great deal of initial spadework.
"Business leaders are reluctant to accept accountability for risk and security decisions," said Paul Proctor, a vice president of research at Gartner. Furthermore, many IT and business managers are accustomed to focusing on threats within their sectors at the expense of the big picture.
At least business and IT managers are accustomed to dealing with one another once in a while – about service levels, for example. On the other hand, subordinates who install and maintain security and backup systems rarely interact with the business managers whose day-to-day jobs depend on the services those systems guard. And CIOs and other IT executives rarely, if ever, have occasion to work with corporate risk managers, who deal with financial and market threats.
The problem is, when it comes to risk management, both sides tend to think inside the box. "Historically, risk managers have been insurance buyers as opposed to strategic thinkers," said Michael Keating, the director and leader of the business continuity practice at Navigant Consulting. And on the other side, IT executives generally deal with a perceived threat by throwing technology at the problem without taking business objectives and priorities into account, he added.
One of the problems with this silo-based approach is that people in one group can't take advantage of what another group is doing because they don't know about it, Keating said. For example, "IT decides to build a second data center to ensure that key applications don't go down for more than an hour. This can be a very compelling reason to do business with your company. Salespeople could say to a customer, 'We take your business so seriously we've made this investment to make sure we're always there with the answers you need.'"
Indeed, even without the threat of having a ratings agency lower their credit scores a notch, enterprises have plenty of competitive and financial reasons to implement ERM.
"I know a number of organizations who are putting a huge focus on technical risk without having the governance that would enable them to focus their investment according to the business risk," said Peter Berlich, the president of the Swiss firm Birchtree Consulting, and a board member of the International Information Systems Security Certification Consortium, Inc., or ISC2. This can lead to "spending too little on risk mitigation and prevention, so that business processes take too long to recover after a disaster or conversely, overemphasizing technical risks so that the company loses out on business opportunities."
ERM is all about communication and collaboration among different corporate groups, each of which brings its own priorities, but also specialized experience and knowledge, to the challenge of assessing and dealing with risk in a proactive and company-wide fashion.
A well-founded ERM strategy gives business and IT group leaders the opportunity to work together on broader, proactive solutions that benefit business in the long run. It also puts responsibility for assessing threats and devising viable solutions where it belongs: in the hands of business and IT leaders whose operations have been threatened.
Gartner's Proctor states the problem as a rhetorical question: "When it comes to tackling risk and security, who do you want to make decisions? The low-level person who manages the firewall?"