That said, ERM is all about money, in another sense. The point of managing risk is to avoid failure or damage (which costs money) and to find opportunities (which make money). ERM is about prioritizing risk to match business goals, and the sad fact is that for most companies, security is not managed that way. Security is still about saying no to new ideas without regard to risk appetite, being the corporate cop. And because of that, Lefler says, "business executives don’t necessarily see the importance of security mitigation programs in helping them accomplish their goals. Many of the financial services companies do — especially where it comes to controlling fraud and insider threat. But a lot of other companies really don’t yet visualize the possibilities that ERM with security inclusion can mean to achieving their business goals."
Lynn Mattice, Chairman of the Board of Advisors for the Security Executive Council and former VP and CSO of Boston Scientific, adds, "For a security function to work properly and provide the kind of intelligence that allows the company to effectively leverage its markets and manage its risk portfolio, you’ve got to understand the business environment, the supply chain, the political issues you’ll be facing, all the different risks you’re up against; and to be able to deal with the kinds of problems, disruptions and opportunities that exist across the globe. If you don’t have a handle on that, you’ve got no ability to understand how events and risks will impact the company."
Put on Your Business Hat
The disconnect between security and ERM shows where security has missed its opportunity. "We made a huge mistake years ago in the security arena. We had an opportunity to grab the title 'risk management' — because that’s really what corporate security functions are all about: identifying risk, analyzing risk and providing viable mitigation solutions within the risk tolerance level of the organization," Mattice says. "But instead we chose to hold on to security as an age-old link to law enforcement." Security is missing its chance to be a change agent, to gain executive stature in the organization, and thus to provide better value in organizational security.
ERM will continue to grow in acceptance. NC State’s report noted that almost half (45 percent) of respondents said the board of directors is asking senior executives to increase their involvement in risk oversight.
"Unless the role of the security function can be clearly defined and the value of it effectively articulated, it’s never going to be deeply engaged in ERM," Mattice says. "We need to do two things: 1) get senior executives educated about the value proposition that a well-functioning security/business intelligence organization can provide to the company in helping it understand and manage its global risk portfolio; and 2) get corporate security executives to focus on how they align with the business and be able to understand and respond to the needs of the business."
Mattice believes corporate security functions will continue to be marginalized in ERM unless security leaders begin looking at themselves as business leaders and acting accordingly.
Marleah Blades is senior editor for the Security Executive Council. For more information, visit www.securityexecutivecouncil.com/?sourceCode=std.
Sidebar: Risk management silos vs. ERM
By Richard Lefler
Right now, many organizations manage risk at the silo level. Take IT security, for example. IT security often reports to the CTO or CIO and decisions are made within that silo about protecting the company’s information. Those decisions may not be fully appreciated or understood by business leaders. The risk there could be extraordinary.
A recent major retailer case is a classic example. The CISO at the retailer went to management and said, "We need to go to a second level of encryption in our point-of-sale devices at stores." They said no. When the system was later breached and millions of customers' credit card records were compromised, the impact of the publicity was extraordinary, and the subsequent cost to the company was enormous.
It raises the question of whether the businesspeople would have approved the cost if there had been an ERM team looking at the holistic exposure to the company. The silo decision created exposure to the retailer across all business units and departments; the risk exposure went far beyond a data compromise at a store.
In order for risk management in an organization to be holistic, it has to be led at a high enough level that the people managing it can see it across the enterprise. The function of this C-level executive is to manage the team by pulling together existing silos that manage risk and forcing a holistic look at what the risks are to the company at the highest levels.