In his poem The Hollow Men, T.S. Eliot wrote of the shadow that exists between the idea and the reality of something — which could be describing the current corporate situation regarding enterprise risk management (ERM).
The general concept of ERM is becoming well-understood — the perceived benefits have tremendous appeal in an environment where the risks are all too real. The constituent parties agree, in principle, with both the need and the broad conceptual process. Achieving that understanding is of great significance because it includes a new and expanded view of what constitutes risk. Traditionally, risk management was about protecting a company’s current assets. ERM broadens that definition to include not only existing assets but an organization’s future growth, direction and the strategic means required to achieve it.
Now comes the hard part. Making true enterprise risk management a reality is a daunting task for many reasons. The concept, while both logical and appealing, does not fit into traditional corporate organizational structure. Nor does it fit smoothly into the culture of the practitioners required to participate. Those challenges notwithstanding, it is happening — unevenly, and with fits and starts, missteps and misgivings — but it is happening.
Drivers of ERM Adoption
What is driving ERM’s gradual adoption is what lurks in the shadow between its concept and its reality. Organizations have experienced, or have observed close at hand, the risks created by inaction or by not studying and understanding the opportunity risks. A perusal of news headlines at times seems like a “perfect storm” of risk to businesses and other institutions. Economic imperatives are driving companies to take greater risks. Globalization has become a reality with vast opportunities and deep risks. For every wondrous new capability that technology brings, new risks and dangers come with it.
A recent study by the Alliance for Enterprise Security Risk Management (AESRM), a partnership of ISACA and ASIS Intl., found that corporate boards of directors and corporate management are now focused on the topic of enterprise risk management and have recognized its critical importance in reducing risks. Asked to identify what was driving ERM efforts, 73 percent cited risks from combined information and physical security threats; 58 percent cited the dangers in broader information sharing within and among companies; and 50 percent cited the ongoing need to protect people, intellectual property and corporate assets.
While the need is now well-recognized, the implementation of ERM is another matter. Only 19 percent of executives surveyed felt that their companies had a well-defined process in place to indicate when risk tolerance approached or surpassed defined limits.
Those statistics define the challenge we face — how to assist the majority of companies that recognize the risks and the benefit of ERM, but have not figured out how to effectively implement the processes. AESRM’s recent study, The Convergence of Physical and Information Security in the Context of Enterprise Risk Management, addresses that need and provides several examples of “early adopter” companies that are implementing robust ERM models.
As an essential first step, companies need to make sure they have defined ERM properly. Risk management, in essence, is not a new concept, and most managers will profess to know what it is and how it works. While ERM is based on the essential concept of traditional risk management, there are significant aspects to consider. The most widely accepted definition comes from the Treadway Commission’s Committee of Sponsoring Organizations:
“Enterprise Risk Management is a process effected by an entity’s board of directors, management and other personnel, applied in strategy setting and across the enterprise, designed to identify potential events that may affect the entity. It provides a framework to manage risk according to the organization’s appetite and offers reasonable assurance regarding the achievement of its objectives.”