Faculty Advisor: Where is Security’s best Opportunity in Enterprise Risk Management?

Q. Our organization has identified risks using Enterprise Risk Management, but as far as execution across the enterprise goes, we are floundering. Also, Security is not as involved as I think we should be. Any thoughts on better managing risks across the company’s businesses? How can we strive for operational excellence in this area?

A.
The answer involves many elements. Let’s start with the challenges of Enterprise Risk Management (ERM). Our review of the literature reveals that enterprise risk management has shortfalls in the following five areas:

  • Organizations adopt frameworks or processes that are siloed, regulatory-focused and overly prescriptive; they are often self-focused, with insufficient attention to emerging hazards.
  • Risk inventories are often ‘personal-opinion’ management polls that are seldom supported by research, weighted subject matter expert opinion or proven practices.
  • Plans speak to, but seldom assure, integrated cross-functional prevention, protection, mitigation planning, funding, testing or performance inside and outside the organization.
  • Compliance requirements are often less rigorous than intended and do not sufficiently educate, incent or protect anomaly reporters and whistleblowers.
  • Leadership governance is largely in name only: part-time and seldom involved in cross-functional resilience, operational dependency planning, testing and performance oversight.

Some or all of the challenges listed may be what your company is experiencing. It is extremely difficult for an organization to function optimally when risk mitigation units (e.g., Audit, Safety and Security, Business Continuity, Compliance, Risk Management) operate as siloed, stand-alone entities, because such frameworks or processes are often self-focused and pay insufficient attention to emerging hazards. A Unified Risk Oversight™ (URO) approach provides a more collaborative and cost-effective risk mitigation strategy. (See a quick definition and infographic on URO here.)

We find the ERM programs that do work are multi-dimensional, operationally integrated and relevantly informed by cross-functional subject matter expertise. They include:

  • 24x7x365 situational risk awareness communications.
  • Continuous risk/threat/vulnerability assessments.
  • Mitigation design, performance testing, and innovation driven pilots.
  • Persistent all-hazards risk monitoring, anomaly detection and response assurance.
  • Critical event management, including near-miss after-action queries with objective, targeted performance improvement.
  • Engaged leadership governance.
  • Ongoing prevention/mitigation systems.
  • Understood roles and responsibilities, including compliance and brand reputation duty-of-care dependencies.

As part of your URO approach, consider forming an Operational Risk Leadership Advisory Committee or Council (ORLAC). An ORLAC is a chartered, cross-functional, executive-appointed, all-hazards risk leadership governance team that prioritizes the organization’s operational risk management strategy. At the operational level, emerging risks can often be identified earlier than by compiling lists of risks at the enterprise management level. This body of informed leaders bolsters the higher-level enterprise risk initiative and removes unneeded redundancies based on risk exposures and threat priorities. The role of the ORLAC is to serve as an oversight council. It is not meant to handle all risks or to serve as the primary driver for organizational restructuring. Its purpose is to ensure that all existing risk mitigation activities are mapped to the accepted risk registry.

There are some definite benefits to an ORLAC. Persistent URO governance is achieved because subject matter expert business leaders and section chiefs can evaluate, prioritize and resource mitigation options for both emerging and residual threats. It can also correct course where ERM efforts failed to connect with emerging and fast-onset risks, especially at the operational level.

Answer provided by Francis D’Addario, Faculty, Security Executive Council and Kathleen Kotwica, EVP and Chief Knowledge Strategist, Security Executive Council.
