What are the Key Drivers of Enterprise Risk Management (ERM)?
Cybersecurity and Enterprise Risk Management (ERM) are two disciplines you’d think would be fully integrated into most organizations. After all, ERM is the process of managing risks and identifying threats to an organization as a whole — two tasks key to cybersecurity in general.
And breaches are obviously a big risk to organizations; not only does the average data breach cost $2.8 million, but its effects are likely to be felt for years. Ponemon’s Cost of a Data Breach Report found that one-third of data breach-related costs occur more than a year after the original breach.
Unfortunately, cybersecurity and ERM aren’t always in sync at most companies. A study conducted at RSA 2019 found that half the respondents hadn’t fully integrated cybersecurity into the ERM function in their organizations. Why haven’t business leaders recognized cybersecurity as a potential risk that could damage the health of their enterprise? And why haven’t security leaders been able to communicate that risk more effectively to the business side of the organization?
To answer those questions more effectively, this post will look at what ERM is, what its key drivers are, and why business leaders and security leaders might not be communicating well when it comes to risk and threats.
What is Enterprise Risk Management?
Briefly, ERM includes the process and methods of assessing risks to a business’s financial well-being. An ERM program seeks to understand and quantify an organization’s tolerance for risk.
This is done by using a formula to estimate how likely a specific incident is and how much of an impact that incident would have on the organization as a whole — a shipment being lost, for example, or a market crash. To do this, business leaders multiply the potential impact of an incident by the probability that it will happen.
Every ERM program is driven by several factors. While the drivers vary by organization, below is a list of the key drivers that typically shape an ERM program:
1. Strategy: Before anything else, an organization must first decide what its priorities are. What are its goals, and what will its approach and governance structure be?
2. Ownership: Who is the risk owner? The risk owner is the person who ensures that risk is managed appropriately and adjusted based on the risk appetite of the organization. (The risk owner only manages risk — they don’t respond to risks or manage the effectiveness of risk response. This ensures that everyone stays focused on their jobs. More on that next.)
3. Risk management competencies: It’s important that everyone in an ERM program knows their role. There are four competencies: risk governance, risk management, risk responses, and monitoring the effectiveness of risk responses. Everyone in each competency should be an expert, should communicate, and should stay in their lane.
4. Decision-making: It’s important to involve experts from all competencies in proactive decision-making so that no risk is misunderstood before a decision.
5. Operations: Risk management is integrated into the day-to-day operations of a company through policies, training, and controls.
6. Continuous monitoring: Often ERM programs use ongoing monitoring of performance against metrics to provide a picture of how an ERM program is performing in real-time so that adjustments can be made.
7. Leadership: Good risk management starts at the top. Your board and leadership need to take the reins when it comes to risk management, create policies and guidelines that build a strong security environment within your organization, and place emphasis on effective management of risks.
Cybersecurity and ERM seem like a natural fit
After reading the list of drivers above, you may be wondering why cybersecurity and ERM aren’t integrated at more companies. After all, many of the key drivers — continuous monitoring, or setting daily controls based on policy — are familiar to CISOs. The reason may be that ERM has been around for a long time, and cybersecurity is still relatively new and is still moving from the language of incidents and threats to the more business-focused language of risk.
According to an article in CSO, the CISO may have a hard time communicating with their colleagues on the business side.
“…Many cybersecurity experts throw up their hands in frustration when asked about how they quantify the risk reduction associated with particular mitigation strategies,” said the article, written by Maria Korolov. Instead, CISOs point to scary stats from media reports about breaches, talk about frameworks like NIST or bring up operational metrics. None of that language quite works for their business colleagues because it doesn’t quantify risk.
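To make the ERM formula from earlier in the post (impact multiplied by probability) concrete, and to show the kind of risk-reduction figure the CSO article says CISOs struggle to produce, here is a small worked example. It is added here and is not code from the post or from SecurityScorecard; every scenario figure and the mitigation it evaluates are constructed for illustration (the $2.8 million breach impact is the post’s average cost figure, the probabilities and control cost are hypothetical).

```python
"""Expected-loss risk register: the ERM formula (impact x probability) applied to
several scenarios, plus the risk reduction a control buys per dollar spent.

Added example, not SecurityScorecard's code. All figures are constructed.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Scenario:
    name: str
    probability: float  # chance the incident occurs in the planning period (0..1)
    impact: float       # loss if it occurs, in dollars

    def expected_loss(self) -> float:
        # The ERM formula from the post: potential impact multiplied by probability.
        return self.impact * self.probability


@dataclass(frozen=True)
class Mitigation:
    name: str
    cost: float         # cost of running the control over the same period
    before: Scenario
    after: Scenario     # the same scenario re-estimated with the control in place

    def risk_reduction(self) -> float:
        # Reduction in expected loss, in dollars: the number the business side asks for.
        return self.before.expected_loss() - self.after.expected_loss()

    def return_on_control(self) -> float:
        # Expected loss avoided per dollar spent; above 1.0 the control pays for itself.
        if self.cost <= 0:
            raise ValueError("control cost must be positive")
        return self.risk_reduction() / self.cost


def rank_by_expected_loss(scenarios):
    """Order scenarios so leadership sees the largest expected loss first."""
    return sorted(scenarios, key=lambda s: s.expected_loss(), reverse=True)


# Constructed sample register (hypothetical probabilities and impacts).
LOST_SHIPMENT = Scenario("lost shipment", probability=0.30, impact=50_000)
MARKET_CRASH = Scenario("market crash", probability=0.05, impact=2_000_000)
DATA_BREACH = Scenario("data breach", probability=0.10, impact=2_800_000)

# Hypothetical control: a patching and monitoring program that halves breach
# probability and trims the impact through faster detection.
BREACH_CONTROL = Mitigation(
    name="patching and monitoring program",
    cost=60_000,
    before=DATA_BREACH,
    after=Scenario("data breach", probability=0.05, impact=2_000_000),
)

if __name__ == "__main__":
    for s in rank_by_expected_loss([LOST_SHIPMENT, MARKET_CRASH, DATA_BREACH]):
        print(f"{s.name:14} expected loss ${s.expected_loss():>12,.0f}")
    print(
        f"{BREACH_CONTROL.name}: avoids ${BREACH_CONTROL.risk_reduction():,.0f} "
        f"of expected loss for ${BREACH_CONTROL.cost:,.0f} "
        f"({BREACH_CONTROL.return_on_control():.1f}x)"
    )
```

With these constructed figures the breach scenario ranks first at $280,000 of expected loss, and the hypothetical control reduces that by $180,000 for a $60,000 spend, a 3.0x return. The point is the shape of the statement rather than the numbers: a control expressed as dollars of expected loss avoided is in the same language the rest of the ERM program already speaks.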
How SecurityScorecard can help
SecurityScorecard Ratings allow you and your organization’s business leaders to continuously monitor the most important cybersecurity KPIs for your extended enterprise. Our security ratings use an A-F scale across ten factors and automatically generate a recommended action plan when any issues are discovered.
The easy-to-understand ratings scale enables you to provide your board of directors with the necessary documentation to prove governance over your risk management program to meet increasingly stringent cybersecurity compliance requirements.
By monitoring the cyberhealth of your extended enterprise, you’ll be able to collect data on your cybersecurity efforts and make informed decisions about risk in the future.