They also agree with what shows up in multiple frameworks and advice columns on the topic: The overall goal is to manage that risk in a way that provides value to the company. Or, as Cowperthwaite puts it, security professionals should "learn what your business does. Go talk to a business-unit person. He's going to think that's pretty cool because no security guy has ever done that before. Then you can connect what you do to what the business does in meaningful ways."
Within that overall mission are a number of specific goals common to most of the frameworks designed to help enterprises implement ERM.
-Get rid of silos in dealing with risks: Traditionally, businesses have had separate monitoring groups for risks involving credit, physical security, loss prevention, fraud prevention, information security, business continuity, safety, compliance and audit. If all divisions and departments in an enterprise are not connected and communicating, holistic risk-management is impossible.
-Define and balance risk appetite: It is difficult to set business security controls without a clear understanding of how much and what kind of risk the company is willing to accept.
"People have different risk appetites based on role and responsibility," says Jonny Gray, head of global client risk services for the Americas at Control Risks. "Legal has a different appetite than the business developers do."
-Enable the business: This includes the frequent exhortation to risk managers to "create and protect value." Again, this is only possible with an understanding of how a business makes money and what risks would undermine it.
-Help decision-makers make informed choices and risk-response decisions: Most frameworks recommend five options for dealing with risk, which can be remembered with the acronym REITA: Reduce it (with controls, for example); Ignore it; Eliminate it; Transfer it (by buying insurance, for example); or Accept it (which is not the same as ignoring it). The goal here is to make informed choices by looking at risks across the enterprise, rather than by department or function.
-Implement effective controls in response to risk: Obviously these are a natural result of the choices made during the REITA assessment. Achieve objectives at lower cost: One of the most common recommendations here is that consolidating risk management will mean it requires fewer people. ERM proponents also argue that setting priorities can help an enterprise cut its risk-management costs.
-Ensure appropriate and timely involvement of stakeholders: This includes company leadership, staff, customers, stockholders and business partners. Be responsive to internal and external change: Any ERM program, to be effective, must be nimble enough to respond quickly to emerging threats or new vulnerabilities.
Where, then, are CSOs and CISOs succeeding or failing in reaching ERM goals? McClurg says he believes ERM has led to "more thoughtful, deliberative decisions" about handling risk, and that security pros, especially at the larger, Fortune 100-size companies, are moving away from "guns, gates and guards. It's not security as much as business assurance."
Sign up for Computerworld eNewsletters.