Is ERM leaving security behind?

Why are corporate security functions being marginalized in enterprise risk management?

Ideally, enterprise risk management (ERM) is a top-down, formal framework for identifying, prioritizing, analyzing, monitoring and managing all types of risk that an enterprise faces. It provides solid guidance for executive decision-making. It is headed by the strong leadership of a B-level or C-level officer and it enjoys the enthusiasm and involvement of the board and the entire executive team. It is founded on a clear articulation of the company’s risk appetite — aligned with business goals — that is communicated to employees at all levels. It is supported by a cross-functional management and advisory team that shares information about business unit risk.

In a perfect world, ERM would save the company money, prepare it for change, create stakeholder value and facilitate growth through the exploitation of opportunities. All organizations would be interested in and capable of embracing some sort of ERM model to manage risk, and the security function would play a weighty role in the process.

It’s a shame the real world seldom lives up to such ideals. ERM — developed with top-down support and strong leadership — can indeed lead to benefits like those mentioned above. But organizations have been slow to adopt it, and those that have climbed on board do not always invite security to help steer.

Not Yet Widely Accepted

In its April 2009 "Report on the Current State of Enterprise Risk," the ERM Initiative at North Carolina State University stated that 44 percent of 700 survey respondents (most of whom were CFOs) have no enterprise-wide risk management process in place and have no plans to implement one. IBM announced similar findings in its 2008 CFO Study, reporting that only 52 percent of CFOs surveyed have a prescribed risk management program.

What’s more, the NC State report found that nearly half of respondents lack a formal plan for business functions to establish or update assessments of risk exposures, and 75 percent indicate that key risks are communicated “merely on an ad-hoc basis at management meetings.”

These days, it is common knowledge that companies collapse when they make the wrong decisions about risk; we have learned that courtesy of the economic crisis and the behavior responsible for it. If we all know this, why is enterprise risk management still not the norm?

Why So Slow?

One reason is that ERM is a relatively new concern as management theories go, and it tends to take a while to implement a total ERM program like the one outlined in the introduction to this article.

The concept of managing risk holistically isn’t exactly new; the Society of Actuaries pins that idea on Gustav Hamilton of the Swedish state-owned holding group Statsforetag, who coined the phrase "risk management circle" in the 1970s. But the idea of ERM as a formal framework didn’t really take off until scandals began to break at the beginning of this decade — Tyco, Adelphia, WorldCom, Enron — bringing financial accountability and risk mismanagement front-and-center for legislators and the public. This resulted in the passage of the Sarbanes-Oxley Act in 2002, which requires publicly traded companies to assess financial reporting risk on a quarterly basis.

In the scant eight years since, we have seen the release of additional Securities & Exchange Commission guidance on risk assessment, the development of formal ERM frameworks like the COSO Enterprise Risk Management Integrated Framework, the launch of a family of risk management standards (ISO 31000), and the announcement that Standard & Poor’s would begin evaluating ERM as part of their credit rating process for both financial and non-financial corporations. That’s a lot of action in a little time.
