Is ERM leaving security behind?

Why are corporate security functions being marginalized in enterprise risk management?

A quick note: Many of the events and actions that drove the increased visibility of ERM were strictly or predominantly focused on direct financial risk. For instance, SOX requires risk assessments, but it truly concerns itself with risks to accurate financial reporting. ERM in its ideal is bigger than such compliance risk assessments, taking into account not only financial risk but operational risk, strategic risk, reputational risk, hazard risk, etc. I believe the Casualty Actuarial Society puts it best: "Enterprise risk is a 'big idea.'" Despite these facts, some organizations limit their practice of it to direct financial issues. More on that later.

A second reason for the delay in ERM implementation is that companies that see the value in formal, top-down ERM programs often face an uphill battle to accomplish the kinds of cultural shift and structural change necessary to implement them.

This battle is complicated by the fact that, according to Chief Executive Magazine, the typical tenure of a CEO is between four and five years. That means that a CEO may recognize the importance of ERM and work with his or her executive team to realize it, only to be replaced shortly thereafter by another CEO who has less interest in nurturing the program.

Yet another complication: the economy. "Companies are struggling with their costs right now. Many can’t afford to roll out new programs," says Richard Lefler, dean of emeritus faculty for the Security Executive Council and former VP of Worldwide Security for American Express. "Financial services companies began to put ERM in place rapidly, but they really represented a consolidation of the existing organizational function. With the rapid downturn in the economy, ERM was pushed back as desirable, but not necessary, with the exception of financial companies that were under pressure from regulators."

Given all these obstacles, companies can be forgiven for the slow ERM acceptance rate. The hope is that as the economic forecast brightens, more companies will learn the lessons of the downturn and implement ERM programs. But will security play a large role in them?

Security’s Role in ERM

Read any of the numerous white papers, studies and examinations of enterprise risk management, and you may be surprised to find that references to security are rare and fleeting. To the security leader, this may make little sense. Security is all about risk. Why does it seem as though corporate security is hardly involved in ERM? Shouldn’t corporate security be a major source of support for an ERM program, at the least?

Perhaps in some cases it should, but that is not how most corporate executives see things. Various studies have found that, while several financial companies have appointed Chief Risk Officers to lead risk management programs, many other organizations have put the CFO at the head. The CSO does not appear to be in the running. Again, there are a variety of reasons for this.

For one thing, as mentioned above, many companies look at ERM as primarily a device for managing financial risk, so their risk management programs — even those under the ERM moniker — may not exactly be enterprise-wide. NC State’s "Report on the Current State of Enterprise Risk" found that 19 percent of the audit committees that formally monitor risks for the board of executives only monitor financial risks; 63 percent monitor operational and compliance risks in addition to financial risks; and only 18 percent monitor all entity risks.

This is a misstep on their part, since a Corporate Executive Board study found that non-financial risks accounted for 85 percent of the risk types that led to declines of 30 percent or more in companies’ market capitalization. "Security has a critical role in ERM as it manages mitigation programs protecting employees, investments and the brand," Lefler says. "Of equal importance but seldom discussed is the residual risk that security manages — for example, the 24-hour security center which not only manages security exposure but is often the first to be notified of a critical event impacting the company. Proper notification procedures on emerging events (including critical incidents, world crisis events, and potential business continuity issues) reduce the exposure of the company and improve the response of all units." Clearly, ERM is not all about money and should not be treated as though it is.