What is Enterprise Risk Management?
Enterprise risk management, and the creation of an enterprise risk management framework, is a fundamental governance responsibility. Enterprise risk management is a set of methods and processes used by organisations to manage risk and seize opportunities that are related to their organisational goals.
The corporate board has (depending on jurisdiction) either a fiduciary, or both a fiduciary and a statutory, duty to identify and manage enterprise risk. While enterprise risk management ought to be the responsibility of a corporate risk management team, the IT governance practitioner has three specific contributions to make to the risk management activity and for that reason needs to have a practical, high-level understanding of the key risk management issues and concepts.
"Unmanaged risk is the greatest source of waste in your business and in our economy as a whole. Major projects fail; customer shifts make our offers irrelevant; billion-dollar brands erode, then collapse; entire industries stop making money; technology shifts or... unique competitors kill dozens of companies in one stroke; companies stagnate needlessly. When these risk events happen, thousands of jobs get lost, brilliant organisations are disassembled, expertise gets lost, and assets are destroyed. Yet all of these risks can be understood, identified, anticipated, mitigated, or reversed, thereby averting hundreds of billions of dollars in unnecessary losses."
- from The Upside, Adrian J. Slywotzky.
Operational Risk Management
Operational risk management, particularly in the financial sector, is essential. Operational risk management deals with the cyclical application of a process of risk assessment, decision making, and the implementation of controls to manage and mitigate risk.
Enterprise Risk Assessment and Business Impact Analysis are key operational responsibilities for all practitioners, and the Cabinet Office's guidance Management of Risk (M_o_R®) is particularly useful to any organisation. Information security risk assessment is another key area.
Combined Code and Turnbull Report
The UK’s revised Combined Code, for instance, is now explicit in saying that all directors are required to ‘provide entrepreneurial leadership of the company within a framework of prudent and effective controls which enable risk to be assessed and managed.’
The US Sarbanes-Oxley Act (SOX) mandates the adoption by US-listed companies of an appropriate system of internal control and, in parallel, requires directors to monitor and report operational risk.
COSO ERM Framework
COSO, whose internal control framework has become the de facto standard for companies complying with SOX, started work on developing a separate risk management framework in 2001.
This framework, Enterprise Risk Management: Integrated Framework, was designed to provide a common framework, ‘key principles and concepts, a common language, and clear direction and guidance.’ It expands on the internal control framework, providing a broader and more robust focus on enterprise risk management. Because it incorporates the internal control framework, organisations can (as COSO suggests) move toward implementing an ERM framework to satisfy their internal control needs as well as their broader business risk management needs.
In the financial sector, corporate governance requirements mean that organisations have to comply with the operational risk management guidance of the Basel Committee on Banking Supervision. The 10 principles set out in the Basel Committee's Risk Management Group's paper on the management and supervision of operational risk are best addressed from within an IT governance framework that ensures that the measures taken to assess, control and monitor operational risk are integrated with the firm's overall risk and information management strategy.
Basel II has raised operational risk management right up the agenda of financial institutions around the world. Operational risk (see Sound Practices for the Management and Supervision of Operational Risk) is defined as ‘the risk of loss resulting from inadequate or failed internal processes, people and systems, or from external events.’ Risk categories include systems risks (such as hardware or software failure, issues over the availability and integrity of data, and utility failures) and external events (e.g. malware or hacker attack, terrorist attack, vandalism or supplier failure).
IT Risk Management
IT risk management has become a hot IT topic over the last few years. As organisations become increasingly dependent on information technology and intellectual capital assets, the key areas of IT risk are usually seen as:
- IT infrastructure and network security (arising from concerns about hackers, terrorists, cyber-criminals, insiders, outsiders, viruses, and so on);
- data integrity, confidentiality and privacy (arising from regulatory and market pressure around protecting personal data (e.g. data protection legislation), corporate data (e.g. fair disclosure regulations), and financial and operational data (e.g. Sarbanes-Oxley));
- business continuity (arising from concerns about the capability to continue in business after a natural or man-made disaster);
- IT management (arising from concerns about project failure, poor IT operational performance, inadequate IT infrastructure, etc.).
Information Risk and ISO 27001
ISO/IEC 27001:2005, the information security standard, is specifically risk-based. In effect, it recommends that organisations implement information security controls prioritised by, and in proportion to, the business and information risks they identify. While OCTAVE (Operationally Critical Threat, Asset & Vulnerability Evaluation) is a clear risk assessment methodology, information security risk assessment can also now follow the guidelines contained in ISO/IEC 27005:2011.
Information Security Risk Management for ISO 27001/ISO 27002 provides the most comprehensive guidance on the subject.
Management of Risk (M_o_R)
Management of Risk (M_o_R) is the British Cabinet Office’s best practice methodology for managing risk. It is generic and can be applied in any type or size of organisation.