Managing individual business risks is difficult when silos exist. An enterprise risk management (ERM) framework consolidates risk management strategy across an entire organization, enabling better visibility, measurement, and management of business objectives.
With a unified focus on addressing risk, compliance teams can universally improve regulatory compliance, governance, and risk management processes.
This article covers the importance of ERM and how to implement a successful ERM framework in your organization.
What is ERM?
Enterprise risk management (ERM) is a strategy that addresses the entirety of an organization’s risks, breaking down silos across each business unit. This centralized approach enhances enterprise decision-making processes towards risk.
Risks traditionally covered by ERM include:
- Compliance and regulatory risk
- Operational risk
- Financial risk
- Strategic risk
Why is ERM Important?
Organizations often focus on certain risks over others. For example, financial risk has a highly visible impact on business performance. The board of directors can easily interpret budgets, sales performance, and other monetary values. Cybersecurity risk is not often as transparent. CISOs are faced with the difficult task of translating complicated IT jargon into digestible executive reporting. While cyber risk may not be as easily presented, it can have a domino effect on other types of risk if realized.
Below is an example of how cybersecurity risk can increase other types of business risk:
A financial institution is operating its online banking service over an insecure network. A cybercriminal discovers and exploits this vulnerability through a man-in-the-middle attack, gaining unauthorized access to internal systems. The hacker exfiltrates customer data to sell on the dark web, causing the following risk events:
- Operational Risk: The organization is forced to cease operations to prevent further exploitation and patch the vulnerability.
- Compliance Risk: The organization breaches regulatory requirements, such as PCI DSS, for failing to safeguard customer data through adequate security measures.
- Financial Risk: The organization is fined for breaching PCI DSS and suffers significant financial losses during the operational shutdown and the reputational damage that follows.
- Strategic Risk: The organization neglected to increase its IT budget to strengthen its cybersecurity, instead prioritizing other business opportunities.
With an effective ERM framework in place, key stakeholders could have predicted the broader impact cybersecurity risk management has on the entire organization.
How to Choose an ERM Framework
There are several ERM frameworks available, and finding the right one comes down to several factors, including an organization’s size and industry. For example, healthcare and financial services have strict regulatory compliance requirements surrounding data security and should implement ERM frameworks that prioritize mitigating cyber risk.
Other factors which may determine your choice of framework include:
- Level of risk appetite
- Level of risk maturity
- Level of risk exposure
- Industry laws and regulations
- Internal compliance requirements
Types of ERM Frameworks
Below are popular examples of ERM frameworks that provide a robust foundation for IT implementation within a traditional risk management model.
The COBIT ERM Framework
The Control Objectives for Information and Related Technology (COBIT) is an IT Governance Institute and the Information Systems Audit and Control Association (ISACA) publication. COBIT 2019, the most recent version of the framework, helps organizations create, monitor, and maintain IT governance and practices.
COBIT is ideal for IT implementations because it promotes collaboration, agility, and short feedback loops.
The National Institute of Standards and Technology (NIST) Cybersecurity Framework (CSF) is an adaptable set of fundamental guidelines designed to mitigate organizational risks and strengthen overall organizational security. NIST CSF is based on existing standards, guidelines, and practices for private sector organizations in the United States to better manage and reduce cybersecurity risk.
In addition to helping organizations prevent, detect, and respond to cyber threats and cyber attacks, it was designed to improve cybersecurity and risk management communications among internal and external stakeholders.
The Committee of Sponsoring Organizations of the Treadway Commission (COSO) published the Enterprise Risk Management—Integrating with Strategy and Performance. COSO updated the framework in 2017 to reflect ERM’s importance in driving effective objective setting, strategy setting, and performance within modern business models.
The COSO ERM framework is an ideal risk management approach for financial organizations due to its incorporation of the Sarbanes-Oxley Act (SOX).
ISO 31000:2018 provides risk management guidelines that organizations from all industries can customize to their specific contexts. Organizations can implement these guidelines to improve their risk identification, resource allocation for risk treatment, and as an industry benchmark for ERM processes.
ISO/IEC 27001 (also called ISO 27001) is a global security standard for regulating data security through a code of practice for information security management. ISO/IEC 27001 issues a set of standards covering several aspects of information security, including information security management systems (ISMS), information technology, information security techniques, and information security requirements. Organizations can leverage ISO/27001 to implement effective cybersecurity risk controls to mitigate risk.
5-Step Guide: Implementing an ERM Framework
It’s best practice to follow one or more widely-adopted frameworks to follow an industry benchmark and set a strong foundation for ERM in your organization. From here, you can customize your chosen framework to align with business objectives and drive strategic decision-making.
Below are eight steps to developing and implementing an effective ERM framework.
Step 1. Foster Stakeholder Communication
A robust ERM framework follows a top-down approach to risk management practices, starting with buy-in from the senior management team. Your ERM committee should be built upon a cross-functional team, engaging key stakeholders across all business units in the strategic planning process.
ERM committee members are responsible for several outputs in their area of expertise, including:
- Defining strategic objectives
- Developing a risk profile
- Developing a risk appetite statement (RAS)
- Developing a risk strategy
- Driving risk culture throughout the organization
During Step 1, the ERM committee should achieve the following outcomes:
- Determine which stakeholders will be responsible for developing the risk governance structure;
- Clearly define the roles and responsibilities of each committee member;
- Ensure the ERM framework applies to each specific business unit;
- Identify any parts of the framework aimed at managing risk in specific units.
Step 2: Identify Risks
The ERM team needs to pinpoint all internal and external risks which could negatively impact your organization. Your risk profile and RAS will help identify risks specific to your business strategy.
During Step 2, the ERM committee should achieve the following outcomes:
- Develop a clear risk identification methodology that can be applied across all business units;
- Ensure the scope of risk identification covers both current and future risks (such as regulatory risk);
- Determine risk calculation factors, such as probability, operational impact, and financial impact;
- Record risk reporting in a centralized risk register.
Step 3. Assess Risks
Performing a risk assessment allows your organization to calculate risk probability and manage risk more effectively. The ERM team will need to select a risk assessment methodology guided by the use of a risk assessment tool or template.
Two popular examples of risk assessment tools include a risk control self-assessment (RSCA) and a risk assessment matrix.
Risk Control Self-Assessment (RCSA)
A risk control self-assessment (RCSA) process involves assessing and examining the effectiveness of current risk controls. RSCAs are commonly performed in a workshop setting, allowing stakeholders to identify and assess risks and controls in their area of expertise. An RCSA should increase awareness of organizational objectives and outline the role internal controls play in achieving them.
The main purpose of an RSCA is to demonstrate that business objectives will be met through the following assurances:
- Asset safeguarding
- Resource efficiency
- Regulatory compliance
- Established organizational goals and objectives
Risk Assessment Matrix
Risk assessment matrixes visualize the probability of risk occurrence against the severity of its potential impact. By allocating potential risks into a matrix quadrant, you can determine which risks you should prioritize.
During Step 3, the ERM committee should achieve the following outcomes:
- Determine the probability and business impact of all risks identified;
- Identify capability gaps in existing ERM capabilities and outline next steps;
- Determine if risk identification (Step 2) changed how different types of risks were prioritized in the risk assessment (Step 3).
Step 4. Risk Treatment
The risk treatment step puts the previous 3 steps into effect. The ERM team must devise an incident response plan to define the risk control environment and provide mitigating strategies in the event an identified risk takes occurs.
The risk control environment will include areas of overlap between separate business units, as well as unique risk controls. Risk owners should be allocated to their respective risk controls and assigned clear roles and responsibilities for risk response.
The risk treatment should align internal and external controls with compliance requirements, laws and regulations, governance strategy, and business processes and objectives.
An ERM framework typically covers the following four stages of risk response:
1. Accept: Accept the risk if its probability and severity are acceptable and the potential consequences are outweighed by the financial costs required for risk mitigation. Continue to monitor the risk.
2. Avoid: Avoid the risk if it has a high business impact, i.e., high likelihood and high severity.
3. Reduce: Reduce the probability and severity of a risk event if the opportunity of the risk outweighs the financial loss and other consequences.
4. Share: Share the risk by transferring (outsourcing) it to a third-party or purchasing insurance for the risk. Keep in mind that outsourcing presents another type of risk – third-party risk.
During Step 4, the ERM committee should achieve the following outcomes:
- Ensure all elements of the incident response plan have an allocated risk owner;
- Create policies and procedures for reviewing risk controls and risk owners;
- Establish how often risk control and risk owner processes should be reviewed;
- Ensure the response strategy covers the appropriate risk tolerance for each risk, including residual risk;
- Ensure third-party partnerships are included in the control environment.
Step 5. Risk Optimization
The final step involves monitoring and reviewing your ERM program through data analytics to create an ongoing feedback cycle. Aggregating and filtering data manually is a time-consuming and complicated process, with room for human error. Risk optimization tools can help provide meaningful, accurate insights for faster, better-informed decision-making.
When choosing risk optimization tool/s, there are several factors for consideration, including:
- Your resource allocation, e.g., What is your budget?
- Your risk management program's objectives, e.g., What are your high-priority risks?
- Your data analytics and reporting requirements, e.g., What level of detail is required?
For example, reducing cybersecurity risk requires continuous security monitoring to identify cyber threats and vulnerabilities as they emerge. This task is near impossible without the use of an attack surface monitoring solution. Organizations would likely gain a return on investment shortly after purchase with the use of such software. Faster risk identification enables faster remediation, reducing cybercriminals’ chances of exploiting detected security issues.
By following a similar approach to other areas of risk, the ERM committee should be able to identify the most cost-effective and necessary tools to gain a greater understanding of risk across all business units. Specialized ERM software offers a centralized cloud-based dashboard to input all key risk metrics and track KPIs.
During Step 5, the ERM committee should achieve the following outcomes:
- Implement dynamic risk monitoring reporting that adapts to the real-time risk environment;
- Ensure IT and cybersecurity governance and compliance strategies are enacted in the framework, in accordance with contemporary security requirements, e.g., cloud computing;
- Leverage automation, where possible, to enable continuous risk identification, monitoring, and reporting;
- Determine an appropriate schedule for undertaking an internal audit of the ERM framework;
- Assess the effectiveness of the framework in terms of improving risk awareness and removing silos from ERM.