It's also important to understand that the COSO ERM framework is not a how-to on developing ERM. It describes what an effective ERM process is, what it contains and represents, and how it works. But it does not set forth a specific methodology for implementing an ERM process. So to get on the same page, it's useful to start with the framework and the key concepts of risk management and then select a methodology for making it happen in your company.
One approach that I find helpful is to use risk concepts in the strategic development process and related implementation planning. Another approach is to set an ERM program for one business unit, with a leader who is well respected, and see the successes and benefits it brings to that unit and how it can be extended to others in the company.
In a midsize company, you can take what I call a big-bang approach, where an ERM process is developed and rolled out for the entire organization. This can work if you've got the support of top management to develop and design how risk management will be deployed, with an appropriate implementation plan, along with training and all the elements of an effective project and change management.
What advice would you give a security leader in an organization that does not have an effective ERM program?
It might be useful to work together with other corporate leaders such as the CFO and chief compliance officer. In some companies, this group of executives has been able to influence and persuade the CEO to support an initiative that brings ERM to the fore.
It seems that initiatives concerning good corporate governance are often event-driven. How can we convince organizations to adopt effective processes for internal control and ERM without waiting for the next meltdown?
If CFOs, compliance officers and other senior staff managers band together, they can be a major influence in getting senior operations executives to consider that risk management is good management. They can be a positive force in moving an organization to deal effectively with risk in a strategy setting and integrate risk-management principles into business objectives.
With the Dodd-Frank Act, we are seeing the implementation of ERM programs, direct board oversight over ERM, and the appointment of chief risk officers becoming mandated for some larger banks. Do you foresee similar regulations coming in industries other than financial services?
Not in the near term. However, boards of directors across industries are providing much closer oversight into risk-management programs and are suggesting to chief executives that there should be a greater focus on risk management. So the pressure is coming from that direction rather than inside the Beltway.
Sign up for Computerworld eNewsletters.