CyberSecOp.com

View Original

Enterprise Risk Management vs. Traditional RM

Enterprise Risk Management (ERM) introduces effective risk management (RM) by attacking the issues differently to assess and remediate risks that affect the business. It takes a more robust approach than traditional Risk Management.

Traditional Risk: Business unit leaders, directors, and managers were responsible and accountable for risks in their respective departments. An example is the CFO, or Comptroller is responsible for risks relating to business cash flow and finance. This approach is very siloed.  Having some type of Risk management is better than not having it, but this approach does have its shortcomings:

 

  • Unidentified risks that don’t fit nicely within a silo. Risks can be anywhere, and sometimes they do not necessarily align with the organizational chart resulting in unidentified risks.

  •  Some risks may span multiple business units. If one leader identifies the risk the business may not understand its true impact and likelihood if it spans multiple departments.  An example of this would be a privacy law that affects Spain for example. If the compliance officer ranks this as very low risk because there is no business/consumers or data from Spain residents. However, down the hall in another c-suite office, there are ongoing talks about a possible partnership with a platform in that same country.

  •  Silo risk owners may address a risk in their domain but not understand that the mitigations of their risk can affect another department.  A classic example is an IT change that mitigates some technical risks but impacts usability for other departments. This leads to frustration, confusion and ‘shadow IT’

  •  Traditional risk typically focused on internal risks. ERM focuses on external factors as well

  Holistic Top-Down Enterprise Risk Management

Enterprise Risk Management attempts to fill these gaps by incorporating a holistic, all-hands-on-deck approach to risk management. EMR is a top-down approach that starts from a strategic approach that trickles down to the operational level (Beasley, 2016).

 ERM begins with an understanding of what the organization is trying to achieve short and long term. Identifying all assets (people, technology, data, solutions, networks) ranking those assets, identifying risks and then ultimately remediation and monitoring. It is key to understand that top management and key staff are involved in this process, not just a department leader.  

 Identify all risks. Whereas with traditional risk management, risks that fall out of a department can be missed, EMR focuses on strategy, compliance, operations, and tactics to attempt to address all risks (internal and external).  

The output of EMR should be a risk register that clearly identifies the enterprise's top risks that identify:

  • Risk identification number

  • Owner, responsible, and accountable parties

  • Risk description

  • Risk Remediation

  • Risk milestones

  • Key Risk Indicators


EMR takes a more holistic approach to risk management and incorporates all levels of the business (strategy, tactical, operational). EMR focuses on internal and external risks. EMR is a cycle and not a project; the focus is always on understanding the business's top threats, their remediations if they are being implemented, and how effective those mitigations are.  This approach is the next step in the evolutionary process of risk management and provides one of the most impactful and thorough methods for risk management.

 

Written by:

Carlos Neto 1/9/2023

 

References:

Beasley , M. (2016). What is enterprise risk management? - North Carolina State University. NC State . Retrieved January 10, 2023, from https://erm.ncsu.edu/az/erm/i/chan/library/What_is_Enterprise_Risk_Management.pdf