What is Enterprise Risk Management?
Enterprise risk management, and the creation of an enterprise risk management framework, is a fundamental governance responsibility. Enterprise risk management is a set of methods and processes used by organizations to manage risk and seize opportunities that are related to their organizational goals.
The corporate board has (depending on jurisdiction) either a fiduciary, or both a fiduciary and a statutory, duty to identify and manage enterprise risk. While enterprise risk management ought to be the responsibility of a corporate risk management team, the IT governance practitioner has three specific contributions to make to the risk management activity and for that reason needs to have a practical, high-level understanding of the key risk management issues and concepts.
'Unmanaged risk is the greatest source of waste in your business and in our economy as a whole. Major projects fail; customer shifts make our offers irrelevant; billion-dollar brands erode, then collapse; entire industries stop making money; technology shifts or... unique competitors kill dozens of companies in one stroke; companies stagnate needlessly. When these risk events happen, thousands of jobs get lost, brilliant organisations are disassembled, expertise gets lost, and assets are destroyed. Yet all of these risks can be understood, identified, anticipated, mitigated, or reversed, thereby averting hundreds of billions of dollars in unnecessary losses.'
- from The Upside, Adrian J. Slywotzky.
Operational Risk Management
Operational risk management, particularly in the financial sector, is essential. Operational risk management deals with the cyclical application of a process of risk assessment, decision making, and the implementation of controls to manage and mitigate risk.
The Sarbanes–Oxley Act (SOX) mandates the adoption by US-listed companies of an appropriate system of internal controls and requires directors to monitor and report operational risk.
Under SOX, management is required to certify the company’s financial reports, and both management and an independent accountant are required to certify the organization’s internal controls. In almost every organization, financial reporting depends on the IT infrastructure, whether for the rendering of an invoice, the effective operation of an ERP system, or an integrated, organization-wide management information and control system.
Learn more about Sarbanes–Oxley >>
Financial sector corporate governance means that organisations have to comply with the operational risk management guidance of the Basel Committee on Banking Supervision. The 10 principles set out in the Basel Committee's Risk Management Group's paper on the management and supervision of operational risk are best addressed from within an IT governance framework that ensures that measures taken to assess, control and monitor operational risk are integrated with the firm's overall risk and information management strategy.
Basel II has raised operational risk management right up the agenda of financial institutions around the world. Operational risk is defined as ‘the risk of loss resulting from inadequate or failed internal processes, people and systems, or from external events.’ Risk categories include systems risks, such as hardware or software failure, issues over availability and integrity of data, and utility failures, and external events (e.g. malware or hacker attack, terrorist attack, vandalism or supplier failure.)
Learn more about Basel II and the Basel Accords >>
IT Risk Management
IT risk management has become a hot IT topic over the last few years. As organizations become increasingly dependent on information technology and intellectual capital assets, the key areas of IT risk are usually seen as:
- IT infrastructure and network security (arising from concerns about hackers, terrorists, cyber-criminals, insiders, outsiders, viruses, and so on);
- Data integrity, confidentiality and privacy (arising from regulatory and market pressure around protecting personal (e.g. data protection legislation), and corporate data (e.g. fair disclosure regulations), as well as financial and operational data (e.g. Sarbanes Oxley));
- Business continuity (arising from concerns about the capability to continue in business after a natural or man-made disaster);
- IT management (arising from concerns about project failure, poor IT operational performance, inadequate IT infrastructure, etc.)
Information Risk and ISO 27001
ISO/IEC 27001:2005, the information security standard, is specifically risk-based. In effect, it recommends that organisations implement information security controls prioritised by, and in proportion to, the business and information risks they identify. While OCTAVE (Operationally Critical Threat, Asset & Vulnerability Evaluation) is a clear risk assessment methodology, information security risk assessment can also now follow the guidelines contained in ISO/IEC 27005:2011.