Enterprise Risk Management
Enterprise risk management is the process of planning, organizing, directing and controlling the activities of an organization to minimize the deleterious effects of risk on its capital and earnings. Enterprise risk management includes financial risks, strategic risks, operational risks and risks associated with accidental losses.
External factors are fueling the heightened interest in ERM. Industry and government regulatory bodies, as well as investors, are more closely scrutinizing enterprises' risk management policies and procedures. In an increasing number of industries, boards of directors are required to review and report on the adequacy of risk management processes in their organizations.
Why is enterprise risk management important?
An ERM program can help increase awareness of business risks across an entire organization, instill confidence in strategic objectives, improve compliance with regulatory and internal compliance mandates and enhance operational efficiency through more consistent applications of processes and controls.
Enterprises can benefit by shifting their corporate culture from a focus on meeting IT compliance obligations to targeting overall risk reduction, which relies heavily on visibility into the overall security of the organization.
Organizations building a strategic ERM program must have some well-established practices already in place, such as the following:
a governance model that includes senior management and organizational elements such as security, risk assessment and management, compliance, IT operations, legal and any other important business stakeholder areas;
a strategy that incorporates internal policies and standards for all security and risk concerns as well as operational focal areas such as system configuration; and
a procedure that includes internal and external risk, threat and vulnerability management to monitor adversaries and risk exposure factors that can potentially influence the risks to the enterprise and its assets.
ERM is a continuous work in progress that needs to grow and evolve, so be willing to regularly revisit, revise and update all elements of the program.
Enterprise risk management frameworks come in many flavors. For some companies, adherence to ERM frameworks might be mandated by compliance and regulatory requirements. For other businesses, these frameworks may be useful in shaping and defining ERM in its early stages of development and implementation. Some of the more common frameworks include ISO 31000 for risk management, the NIST Risk Management Framework and COSO (Committee of Sponsoring Organizations of the Treadway Commission).