From Concept to Reality

Oct. 27, 2008
Early enterprise risk management (ERM) adopters are creating models for corporate implementation

In his poem The Hollow Men, T.S. Eliot wrote of the shadow that exists between the idea and the reality of something — which could be describing the current corporate situation regarding enterprise risk management (ERM).

The general concept of ERM is becoming well-understood — the perceived benefits have tremendous appeal in an environment where the risks are all too real. The constituent parties agree, in principle, with both the need and the broad conceptual process. Achieving that understanding is of great significance because it includes a new and expanded view of what constitutes risk. Traditionally, risk management was about protecting a company’s current assets. ERM broadens that definition to include not only existing assets but an organization’s future growth, direction and the strategic means required to achieve it.

Now comes the hard part. Making true enterprise risk management a reality is a daunting task for many reasons. The concept, while both logical and appealing, does not fit into traditional corporate organizational structure. Nor does it fit smoothly into the culture of the practitioners required to participate. Those challenges notwithstanding, it is happening — unevenly, and with fits and starts, missteps and misgivings — but it is happening.

Drivers of ERM Adoption
What is driving ERM’s gradual adoption is what lurks in the Shadow between its concept and its reality. Organizations have experienced, or have observed close-hand, the risks created by inaction or by not studying and understanding the opportunity risks. A perusal of news headlines at times seems like a “perfect storm” of risk to businesses and other institutions. Economic imperatives are driving companies to take greater risks. Globalization has become a reality with vast opportunities and deep risks. For every wondrous new capability that technology brings, new risks and dangers come with it.

A recent study by the Alliance for Enterprise Security Risk Management (AESRM), a partnership of ISACA and ASIS Intl., found that corporate boards of directors and corporate management are now focused on the topic of enterprise risk management and have recognized its critical importance in reducing risks. Asked to identify what was driving ERM efforts, 73 percent cited risks from combined information and physical security threats; 58 percent cited the dangers in broader information sharing within and among companies; and 50 percent cited the ongoing need to protect people, intellectual property and corporate assets.
While the need is now well-recognized, the implementation of ERM is another matter. Only 19 percent of executives surveyed felt that their companies had a well-defined process in place to indicate when risk tolerance approached or surpassed defined limits.

Those statistics define the challenge we face — how to assist the majority of companies that recognize the risks and the benefit of ERM, but have not figured out how to effectively implement the processes. AESRM’s recent study, The Convergence of Physical and Information Security in the Context of Enterprise Risk Management, addresses that need and provides several examples of “early adopter” companies who are implementing robust ERM models.

Defining ERM
As an essential first step, companies need to make sure they have defined ERM properly. Risk management, in essence, is not a new concept, and most managers will profess to know what it is and how it works. While ERM is based on the essential concept of traditional risk management, there are significant aspects to consider. The most widely accepted definition comes from the Treadway Commission’s Committee of Sponsoring Organizations:

“Enterprise Risk Management is a process effected by an entity’s board of directors, management and other personnel, applied in strategy setting and across the enterprise, designed to identify potential events that may affect the entity. It provides a framework to manage risk according to the organization’s appetite and offers reasonable assurance regarding the achievement of its objectives.”

Organization
Determining how the ERM function is organized is the next step. There are three basic approaches available:

1. Merge traditional physical security and IT security into a single department, headed by an expert of one of those disciplines.
2. Maintain the two functions separately but reporting to a common manager.
3. Keep the two separate but elevate security issues to an “enterprise risk council,” which includes security management as well as senior employees from each of the company’s business units, internal audit, C-level executives, finance, legal and public relations.

The companies in the report use variations of the enterprise risk council approach.

At this early stage in ERM’s development, that approach is effective for several reasons. It is the most all-inclusive structure, enabling participation from across the enterprise by all users of security services. Today that group is expanding, due to a number of macro-trends including increased regulations, the growing complexity of business models and the connectedness such models require, and the velocity of market forces in a global, technology-driven economic system.
The five entities — four companies and one municipality — that provided case studies for the report range from the simplest implementation of converged function to the most robust and provide approaches that most companies can consider for personalized use in their own ERM efforts.

ERM Implementations
* Constellation Energy Group, the oldest utility company in the United States with 37 fossil fuel and three nuclear power plants, had two goals for the security aspect of its overall ERM initiative — to “deliver the posture of the organization to executive management whenever needed,” and “to demonstrate true value.” John Petruzzi, director of enterprise security, focused on three critical success factors:

• Communication: ensuring that people know what is happening and why at every stage;
• Collaboration: involving the right people early in the process; and
• Dynamic security professionals, or experts supported by process- or technology-specific staff.

With this simple, straightforward model, Constellation executives get a real-time view of organizational risk, both financially and operationally.

* SAP, one of the world’s largest business software companies, had no centralized security policy or governing body overseeing its security professionals. To address the situation, the company merged its IT and physical security functions and created a corporate security department responsible for the strategic aspects of security and a security steering committee which includes some board members.
SAP also created a separate global risk management group focused solely on risk management in the broadest sense — from operational to financial risk, such as foreign exchange rates, liquidity and cash flow. The company demonstrated that integrating physical and IT security can be successful if the communications and cultural aspects are addressed effectively.

* The third adopter, a diversified manufacturer, implemented an integrated and intelligent ERM framework to standardize a largely dispersed and informal risk management capability. Using established Six Sigma management processes, it identified risk factors across all business units and used management processes already in place to implement ERM processes. As a result, it increased risk awareness within and across business units, established a clear channel of reporting to provide senior management with accurate and timely risk information, updated risk mitigation planning across business units and incorporated ERM into strategic planning.

* “Road to nowhere” was how a global consumer goods company described its ERM initiatives, before it established a methodical approach to building an ERM framework that delivered the desired results. The company integrated ERM practices into the executive management process, careful to secure management buy-in and support. It devised a specific step-by-step roadmap to achieve its goals and embedded the cycle of risk identification, assessment, response and monitoring into its standard strategic planning and budgeting processes.
Getting ERM back on the road to completion required careful listening to senior management, close interaction with executives throughout the process and the aforementioned roadmap to achieve a sustainable program.

* Finally, when the City of Vancouver decided to merge its IT and physical security departments, Dave Tyson, the head of IT security, quickly realized he did not have the bandwidth to manage the two functions separately. He devised a convergence strategy that would provide three essential benefits: reduced costs, improved risk mitigation and a more simplified organization with less duplication.
Tyson created an enterprise security team that plays a governance role, providing security policies and guidelines to the operational teams. His approach took into consideration the different cultures in the converged organization and carefully explained each group’s function to the other. Tyson’s efforts delivered the benefits he promised and more. Perhaps the ultimate proof came when the physical security team devised an innovative solution for expanding the city’s local area network capabilities.

Make the Shift
For anyone involved in ERM, this is an opportune time to shift from the conceptual to the actual phase of implementation. Emerging best practices, like those suggested in the case studies our report highlighted, offer roadmaps that can be adapted to meet the needs of many diverse companies. The strong interest by senior management seems likely to continue, as economic drivers keep underscoring the need for ERM to emerge from shadow into the light of reality.

Ray O’Hara, CPP, is senior vice president of GardaWorld, a leading provider of consulting, investigation and security services. He is the elected secretary of the ASIS Intl. Board of Directors. He has also served as president of the ASIS Professional Certification Board, chair of the International Investigations Council and a member of the Substance Abuse Standing Committee. Mr. O’Hara is board-certified in security management by ASIS Intl.

To obtain a free copy of “The Convergence of Physical and Information Security in the Context of Enterprise Risk Management,” please visit www.aesrm.org.