In its April 2008 report, "A Risk Hierarchy for Enterprise and IT Risk Managers," Gartner advises enterprise and IT managers to abandon a "narrow, 'siloed' approach to risk assessment and management."
Easier said than done, of course.
As we discussed in the first part of this series (see "Risk management compliance holdouts get wake-up call"), many enterprise business and IT leaders now recognize the importance of taking a holistic, top-down approach to risk management. However, most enterprise risk management (ERM) deployments are still in the vapor -- or paper -- stage. In this article, we'll get practical: delve into the guts of ERM, discuss challenges and potential paybacks, and provide some best practices for making it work.
A good place to start is Southern Company (Southernco), which has been practicing ERM for about five years. As a large, investor-owned electric utility, "maintaining a low risk profile is integral to the company's strategy" both for serving customers and for satisfying regulators and investors, says Todd Perkins, the company's enterprise risk management director.
Upping the ante is the fact that Southernco's four-state region of operations regularly gets hit by major hurricanes – such as Katrina. "Our storm recovery process has been in place for decades and is very well developed," Perkins notes. "Our ERM program has really been an effort to bring that type of discipline to other areas of the company."
Asked to describe what storm-recovery disciplines have been applied to Southernco's ERM strategy, Perkins answered: "It's mainly about having the right structures in place, making sure accountabilities are well defined, and that everyone understands who owns the risk."
While Perkins could not provide ROI numbers, he attests that enterprise risk management has played a key role in identifying and addressing operational risks well before they become critical. During Katrina, for example, Southernco was able to significantly mitigate the impact of downed systems because it "had a clear idea of what systems … needed to be recovered first, and what our business priorities were," he explains.
Furthermore, Perkins notes, "Going through the ERM process allows us to identify broader strategic and financial issues that senior management should focus on."
Indeed, Southernco also uses its ERM strategy as a marketing tool, presenting it to investors, regulators and large customers as evidence "that we are very safe, and have a very low risk profile," he says.
Throughout the year, managers in all of Southernco's subsidiaries and functions identify and, if possible, quantify top risks in their areas. That information is then fed up to the ERM group, which includes senior management from IT, finance and various business areas. The group analyzes and prioritizes the data "at the parent level," Perkins says, ultimately developing "a total company risk profile that is used by business leaders, and the board of directors, for oversight and governance purposes."
Correlation across different groups is crucial to the success of an ERM strategy, according to Michael Keating, a director at Navigant Consulting's business continuance management practice. For example, when assessing the impact of a particular system going down, a financial manager would focus on lost revenues; an auditor, on public exposure; a business manager, on lost productivity. While each risk, individually, is assessed as medium, "take them all together and the risk is much higher," Keating points out.
Enterprise risk management action items
In formulating an ERM strategy, business and IT leaders need to come up with a three- to five-year plan that outlines "where you want to be, and what can interfere with getting there," Keating says. Next, you should group those "points of interference" according to whether they are technological, market-related or financial risks. "In many cases, you can gain collateral benefit" -- and save money, he adds -- by addressing all the items in one category as a group.
Defining accountability isn't enough: You have to enforce it. "I've had clients who laid out data retention and business continuity policies, and people just ignored them," Keating says, because there were no penalties involved.
Don't put too much weight on "quantitative risk assessments," advises Peter Berlich, CEO of Switzerland-based Birchtree Consulting. "Most risk calculations come with very low incidences and high impacts, which makes for enormous statistical uncertainties. It is much more important to derive an order of priority in which to make security investments."
Be sure to pick the right key performance indicators, Berlich continues. For example, "Setting targets on the number of incidents will have the obvious consequence that no incidents get reported, not that none happen."
IT staff should be encouraged to treat risk managers and internal auditors as potential allies, not enemies. Unlike external auditors, "who get paid to say something nasty about you," internal auditors "don't have to report everything that's talked about," Keating says. Furthermore, he notes, they have clout. If they say there's an IT problem that needs solving, and extra funding, the board listens.
Getting that meaningful dialogue can be difficult, of course. "IT executives often don't know [business risk] vernacular or how to talk to risk management people," Keating points out, while many risk managers are intimidated by technology.
But that level of openness and trust is a crucial first step toward a successful ERM strategy that not only deploys, but also leverages, effective risk mitigation. "An IT executive should feel comfortable calling the risk management office and saying, 'We've identified this risk. Is there an insurance product to cover it?' " Keating says. Or conversely: " 'We just made this investment, we're really strong here, we need to promote it to our customers or investors.' "
Elizabeth Horwitt is a contributing writer based in Waban, Mass.