In most corporations, management of corporate risk has traditionally been informal and localized at best. It has been handled in local silos, with each department or business unit attempting to reduce the risk of its own operations, usually without coordination with related groups elsewhere in the company. Worse, it has often been treated as a side issue rather than as a formal discipline that belongs in every operational and decision-making procedure.

 

Recently, the costs of this approach have become painfully obvious, and thinking has shifted toward formal risk management. Several factors have driven that shift, including:

  • The complexity and interdependency of today’s corporate risk,
  • The rise and increasing numbers of legislative mandates,
  • Increased globalization and the complexity of compliance with (sometimes conflicting) international regulations, and
  • Increased visibility of recent corporate breaches and the associated catastrophic losses.

Enterprise risk management (ERM) is the systematic and formal management of risk to not only reduce loss but also to capitalize on opportunities. The goal of ERM is to create a sustainable and effective methodology for handling all forms of risk throughout the company, not to create a central bureaucracy to handle risk. This can only be done if risk management is a process that permeates all corporate decision-making, and is done by everyone, at all levels of the organization.

 

Despite widespread recognition of the value of this type of program, adoption remains somewhat limited. The 2007 Iron Mountain Compliance Benchmark Report revealed that only 35 percent of respondents said they have a formal, enterprise-wide records management policy - despite new e-discovery rules for civil litigation. The potential for increased adoption of this type of methodology is very high.

 

This limited adoption is not surprising, though, due to some inherent challenges in implementing ERM. For example, managing complex and sometimes unknown risks across business units presents severe organizational challenges. Also, the complexity and often conflicting nature of international mandates make managing regulatory risks very difficult. As a result, many companies see the need for a formal ERM program but are unsure how to proceed or which technologies to adopt to help them in this process.

 

Risk Categorization

 

What types of risks are included within ERM? As the name implies, it should include any risk that could impact the corporation in any nontrivial way. The major classifications of risks faced by most corporations include:

  • Hazard risk (fire, flood, theft, etc.);
  • Financial risk (price, credit, inflation, etc.);
  • Strategic risk (competition, technological innovation, regulatory changes, brand image damage, etc.); and
  • Operational risk (IT capability, business operations, security threats, etc.).

All of these types of risks are critical for a company to monitor and manage, and each could, in extreme cases, have catastrophic impacts for the corporation. The type of risk, though, that is often most predictable and most amenable to control is operational risk. Operational risks relate to the regular operations of the company and, therefore, are the easiest to impact with improved and strengthened internal controls.

 

Operational risk can be either internal or external in nature. Examples of operational risks include:

  • People – Inadequate technical or managerial expertise, attrition, etc.
  • Process – Inadequate process controls, corporate mergers, legal, supplier and partner risk, etc.
  • Technology – Inadequate system and physical security, system reliability, obsolescence, offsite data storage, etc.

Any risk that has a potentially significant impact on corporate goals requires a mitigation strategy. This involves creating controls to reduce the risk of loss, as well as monitoring capabilities to ensure that the current level of each risk is always correctly understood. Most risks require continuous, proactive monitoring and analysis; a smaller number of lower-impact risks can be reviewed less frequently.

 

Risk Management Framework

 

The goal of any ERM program ought to be to create an environment and infrastructure that permeates the operations and decision-making policies of the entire corporation. Such a program typically consists of a few basic phases that need to be integrated and communicated widely in order to ensure success. Let’s look at each phase to see how it contributes to the overall ERM program.

 

Figure 1: Risk Management Framework

 

Corporate Risk Strategy

 

This phase is completed by the corporate executive leadership and serves to formalize the accepted corporate risk tolerance into specific policies to be followed by the rest of the company. This typically involves defining categories of risk for the company, determining levels of risk that might exist and creating guidelines for the risk level that the company as a whole is willing to tolerate. Then, the acceptable risk levels for each business unit should be determined and communicated broadly to each such unit. Business units might be directed to have different levels of risk tolerance based on the specifics of their market and financial environment. It is the job, then, of each business unit to “operationalize” those risk tolerance directives into the specific situations that they each face.

 

Risk Planning and Analysis

 

The business units (BUs) then need to develop a detailed analysis of the risks that their business faces, and a categorization of these risks depending on their potential impact on the business. After each risk is analyzed and categorized, a risk response plan should be developed that describes how each such risk will be handled. In some cases, the risk will be just a cost of doing business, and will be accepted without a specific action plan to eliminate it. In most other cases, a mitigation plan should be developed that describes how to create controls and monitoring capabilities to significantly reduce the risk and the impact of each risk.

 

A cost/benefit analysis should be done for each risk that is to be mitigated. In some cases, the cost of the control will exceed the expected loss it prevents. In such a case, other responses might be more appropriate, such as transferring the risk (through insurance or contract) or simply accepting it.
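The cost/benefit comparison just described, as an added example; this is not code from the original article. It uses the widely used annualized loss expectancy (ALE) model, which the article itself does not name: expected annual loss = loss per occurrence x expected occurrences per year. Each response (accept, mitigate with a given control, or transfer) is scored by the residual loss still carried plus what the response costs, and the cheapest response whose residual loss fits the risk tolerance wins. Every risk, control, premium and tolerance figure below is constructed for illustration.

```python
"""Cost/benefit selection of a risk response (accept, mitigate or transfer).

Added example, not from the original article. Uses the annualized loss
expectancy (ALE) model: ALE = loss per occurrence * occurrences per year.
All figures in worked_example() are constructed, not real data."""

from dataclasses import dataclass


@dataclass
class Risk:
    name: str
    impact: float        # loss per occurrence (currency units)
    annual_rate: float   # expected occurrences per year

    @property
    def ale(self) -> float:
        return self.impact * self.annual_rate


@dataclass
class Control:
    name: str
    annual_cost: float
    rate_reduction: float = 0.0    # fraction of occurrences prevented
    impact_reduction: float = 0.0  # fraction of per-occurrence loss avoided

    def residual_ale(self, risk: Risk) -> float:
        return (risk.impact * (1 - self.impact_reduction)
                * risk.annual_rate * (1 - self.rate_reduction))


@dataclass
class Transfer:
    """Insurance or contractual transfer: a fixed premium plus a retained share
    of each loss (deductible, exclusions, uninsured consequences)."""
    name: str
    premium: float
    retained_fraction: float

    def residual_ale(self, risk: Risk) -> float:
        return risk.ale * self.retained_fraction


def response_options(risk, controls=(), transfer=None):
    """Candidate responses as (label, expected_annual_cost, residual_ale).
    Expected annual cost = residual loss still carried + cost of the option."""
    options = [("accept", risk.ale, risk.ale)]
    for c in controls:
        r = c.residual_ale(risk)
        options.append((f"mitigate:{c.name}", r + c.annual_cost, r))
    if transfer is not None:
        r = transfer.residual_ale(risk)
        options.append((f"transfer:{transfer.name}", r + transfer.premium, r))
    return options


def choose_response(risk, tolerance, controls=(), transfer=None):
    """Cheapest option whose residual loss is within tolerance. If no option
    gets there, return the lowest-residual option flagged for escalation,
    since the business unit cannot meet its directive with what it has."""
    options = response_options(risk, controls, transfer)
    feasible = [o for o in options if o[2] <= tolerance]
    if feasible:
        return min(feasible, key=lambda o: o[1])[0]
    return "escalate:" + min(options, key=lambda o: o[2])[0]


def worked_example():
    """Constructed risk register for one business unit with a 25,000/yr
    residual-loss tolerance. Covers the case from the text where the control
    costs more than the loss it prevents (the ERP hardware risk)."""
    tol = 25_000
    return {
        # ALE 100,000: control costs 60,000 but cuts ALE to ~10,000
        "ransomware": choose_response(
            Risk("ransomware", 400_000, 0.25), tol,
            controls=[Control("backups+edr", 60_000, 0.5, 0.8)]),
        # ALE 10,000 is within tolerance, but a 3,000 control is still cheaper
        "laptop theft": choose_response(
            Risk("laptop theft", 5_000, 2.0), tol,
            controls=[Control("disk encryption", 3_000, impact_reduction=0.9)]),
        # ALE 5,000: a 40,000 hot standby costs far more than the loss it avoids
        "erp hardware failure": choose_response(
            Risk("erp hardware failure", 50_000, 0.1), tol,
            controls=[Control("hot standby", 40_000, rate_reduction=0.9)]),
        # ALE 30,000 exceeds tolerance; insurance is cheaper than the upgrade
        "data center fire": choose_response(
            Risk("data center fire", 3_000_000, 0.01), tol,
            controls=[Control("suppression upgrade", 20_000, impact_reduction=0.5)],
            transfer=Transfer("property insurance", 12_000, 0.2)),
        # ALE 100,000 and the only control leaves 70,000: nothing fits tolerance
        "regulatory fine": choose_response(
            Risk("regulatory fine", 1_000_000, 0.1), tol,
            controls=[Control("training", 5_000, rate_reduction=0.3)]),
    }


if __name__ == "__main__":
    for name, decision in worked_example().items():
        print(f"{name:22s} -> {decision}")
```

The "escalate" outcome is the one to watch in practice: it means the unit's risk tolerance directive cannot be met with the responses on the table, which is information the corporate risk function needs rather than something to bury in a local register.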

 

Risk Management and Monitoring

 

The next step is to actually create and deploy controls to reduce risk and to monitor their success and effectiveness. Controls can be anything that can reduce the probability or impact of a risk. They can be technology solutions or procedural improvements or, more likely, both.

 

This is the area of the entire ERM process where technology adoption can have the most profound effect. In the case of IT security, for example, the risk of certain threats or outcomes can be dramatically controlled through the adoption of proven technologies and solutions.

 

An essential element of this phase is continual monitoring of the effectiveness of each control. This involves not only monitoring and reporting on existing controls, but continually re-evaluating risks and their mitigation plans based on changes in the business climate. As new risks appear, and old risks increase and decrease, changes need to be made in the risk management plan and in the set of controls that serve to mitigate them.

 

What does monitoring entail? In the case of IT security, it might involve reporting on security events, automated filtering and correlation of events to identify security problems, validating that all users have only the required level of access privileges, searching for and correcting any segregation of duties violations and the like.
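Two of the monitoring checks named above, validating that users hold only the access their job requires and finding segregation-of-duties violations, as an added example; this is not code from the original article. The entitlement export, job-function baseline and conflict matrix are all constructed and hypothetical, standing in for what an IAM system or provisioning feed would actually produce.

```python
"""Access-review checks: excess privileges and segregation-of-duties (SoD)
violations over a small entitlement export.

Added example, not from the original article. Users, roles, the job
baseline and the SoD conflict pairs below are all constructed."""

from collections import defaultdict

# Constructed entitlement export: (user, role) rows as an IAM system or an
# HR-driven provisioning feed would emit them.
ENTITLEMENTS = [
    ("alice", "ap_clerk"),
    ("alice", "ap_approver"),      # enters and approves invoices: SoD conflict
    ("bob",   "ap_clerk"),
    ("carol", "dba"),
    ("carol", "backup_operator"),
    ("dave",  "helpdesk"),
    ("dave",  "domain_admin"),     # not part of the service-desk baseline
]

# Constructed job-function baseline: the roles each job function is supposed
# to hold (the "required level of access privileges" of the text).
JOB_BASELINE = {
    "accounts_payable": {"ap_clerk"},
    "ap_manager":       {"ap_approver"},
    "database":         {"dba", "backup_operator"},
    "service_desk":     {"helpdesk"},
}
USER_JOB = {"alice": "accounts_payable", "bob": "accounts_payable",
            "carol": "database", "dave": "service_desk"}

# Constructed SoD matrix: role pairs that no single person may hold together.
SOD_CONFLICTS = {
    frozenset({"ap_clerk", "ap_approver"}),
    frozenset({"dba", "domain_admin"}),
}


def roles_by_user(entitlements):
    """Collapse (user, role) rows into {user: set(roles)}."""
    out = defaultdict(set)
    for user, role in entitlements:
        out[user].add(role)
    return dict(out)


def excess_privileges(entitlements, baseline, user_job):
    """Roles each user holds beyond the baseline for their job function.
    A user with no job mapping has an empty baseline, so every role they hold
    is reported: an unmapped account is itself a finding."""
    findings = {}
    for user, roles in roles_by_user(entitlements).items():
        allowed = baseline.get(user_job.get(user), set())
        extra = roles - allowed
        if extra:
            findings[user] = extra
    return findings


def sod_violations(entitlements, conflicts):
    """(user, conflicting_pair) for every user holding both roles of a pair."""
    findings = []
    for user, roles in sorted(roles_by_user(entitlements).items()):
        for pair in conflicts:
            if pair <= roles:
                findings.append((user, tuple(sorted(pair))))
    return findings


if __name__ == "__main__":
    print("excess privileges:", excess_privileges(ENTITLEMENTS, JOB_BASELINE, USER_JOB))
    print("SoD violations:   ", sod_violations(ENTITLEMENTS, SOD_CONFLICTS))
```

Run on a schedule against a fresh export, each finding should be routed to the risk owner for that control, as the section on continuous measurement below requires, rather than only into an audit report.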

 

Optimization of Controls

 

Internal controls and their effectiveness must be analyzed on an ongoing basis. A variety of things might cause a change to the defined risk strategy: the emergence of new risks, changes in priorities of existing risks, the failure of mitigation techniques and the like. In addition, business conditions could easily dictate a change in risk tolerance – when things are going well, more risk might be acceptable. Risk monitoring is a never-ending process because risks are usually somewhat dynamic. You never get it “right;” you just make it “better.”

 

Compliance Reporting

 

The last phase typically involves creating reports and information for any IT audit for regulatory compliance. This involves not only specific reports for regulatory auditors, but also reports for internal use to help determine the level of compliance.

 

Note that although this phase is not strictly a part of ERM, it is a natural outgrowth of the effort and results produced by the overall ERM effort. This is precisely why ERM is so important for effective regulatory compliance. It provides you with a framework for attacking risks of all kinds corporate-wide and enables you to create the internal controls to not only remediate these risks, but also to provide reports and information to prove that you have achieved your compliance goals.

 

Principles of Successful Risk Management

 

Many corporations find that their risk management efforts remain relatively ineffective. The usual reason is that risk management is done independently by each business unit, according to priorities and business needs that are largely determined locally, with no central oversight or visibility of these local efforts. Because there is no common framework that every business unit must conform to, the result is a series of different, siloed approaches to risk management with no consistency across the corporation.

 

What are the attributes of a successful risk management program? The following are only a few of the more important characteristics of such a program:

 

A corporate-wide ERM framework. Risk management should be done consistently across the enterprise, driven by the corporate-level risk management priorities and policies. The most effective way to do this is through a common framework that is adopted in each business unit, so that not only can risk be communicated using a common model, but it can be managed using consistent techniques. The COSO[1] ERM framework is a commonly recognized framework that can be used for this purpose. When each unit has its own risk management model, it becomes very difficult to both measure and control risk across the enterprise in a consistent way.

Continuous management and measurement. The success (or lack thereof) of an ERM program must be constantly monitored, with specific measurements for how well it is working. This information should then be consolidated at the corporate level in order to adjust the “knobs” used to control risk management activity.

For example, IT controls must be measured on a continual basis to ensure their ongoing effectiveness. And, the more automated this monitoring can be (with appropriate levels of manual oversight), the more efficient the whole process will be. As controls testing uncovers problems, it is essential that this information be communicated back to the “risk owner” associated with that control to ensure that the current level of risk is always known.

Finally, risks must be tracked centrally (or at least in one place) to avoid the silos of information that are common in most companies. As soon as risk information is maintained in two separate places without adequate and automatic synchronization, you increase the chance that it will be outdated and therefore unsuitable for effective decision support.

Risk management must be part of everyone’s job. Communication of risk strategies and goals must be ubiquitous within the enterprise. In order to succeed, an ERM program must be everyone’s job, at all levels. This is often easier said than done, because it is sometimes difficult for employees to see the big picture. Still, effective communication programs are necessary to ensure that everyone views risk management as part of their overall job responsibilities.

Central control and visibility of the ongoing ERM program. Business units have the responsibility to manage risk appropriately and according to corporate guidelines. In order to ensure that this occurs, there needs to be a central authority of some kind that is monitoring the operation of the entire corporation’s risk management initiatives. This function may have responsibilities that run the gamut from communication of corporate risk tolerances and principles to ongoing monitoring of specific risk management efforts.

 

Lastly, the most important element of any risk management effort is managing risk to an acceptable level. An entirely risk-free infrastructure is, for all practical purposes, not a possibility. Even reducing the risk to a very, very small level might put undue constraints on the growth of your business. The level of risk that you are willing to accept depends on many factors, including the potential impact of the event, the general corporate level of risk tolerance, impact on the growth of the business, and the competitive playing field, among others.
