5 Enterprise Risk Management (ERM) StepsPublished March 27, 2018 by Karen Walsh • 4 min read
The enterprise risk management process is critical for business success.
Your ERM program — one that encompasses all aspects of risk management and risk response in all business processes including cybersecurity, finance, human resources, audit, privacy, compliance, and natural disasters– should involve strategic, high-level risk management decision-making.
Two ERM Must-Haves
Two essential components of an effective enterprise risk management program are a dedicated team to develop and implement it, and an ERM framework to guide that team through the process.
A proper enterprise risk management program will include people from a variety of enterprise functions and involve executives, senior management, and board members to avoid decision-making in silos, unaware of what other areas are doing.
This team will work together, often using an ERM framework such as:
- The COSO CSF (Committee of Sponsoring Organizations of the Treadway Commission Cybersecurity Framework), which helps establish industry-respected controls and suggests data to support decisions
- OCTAVE (Operationally Critical Threat, Asset, and Vulnerability Evaluation) developed by the CERT Coordination Center at Carnegie Mellon University, which provides a self-directed methodology customizable to your organization’s size
- FAIR (Factor Analysis of Information Risk), which helps you to address security practice weaknesses and provides a common risk mitigation vocabulary
- The NIST RMF (National Institute of Standards and Technology’s Risk Management Framework), which provides strategies for selecting initial controls and risk-assessment methods
- The International Organization for Standardization (ISO) 31000: Risk Management, with principles, a framework and a process for managing risk. It can be used by any organization regardless of its size, activity or sector.
Using an established framework can help to streamline the complex ERM process, avoid unnecessary risk exposures, and heighten your enterprise’s competitive advantage in the marketplace.
A good governance, risk management, and compliance software can lead you step-by-step through your framework of choice.
ERM‘s Ultimate Objective
Among the organization’s objectives when establishing an ERM program, risk mitigation is at the top of the list. Risk mitigation requires assessing all aspects of your organization’s risk–the strategic, compliance, operational, reputational, and financial risks–and putting controls into place aimed to prevent these identified risks from harming your business.
If you approach ERM as a business strategy with specific strategic goals, you’ll find your chances of success much improved. Here’s how to set up and run an ERM program in five steps:
Step 1: Establish Organizational Objectives
Before beginning the risk assessment process, your organization needs to determine its business goals. These business objectives should govern not just your own department, but all functions, so risk reviews take into account corporate goals.
Risk mitigation strategies can strengthen your profitability by improving your business performance.
Unexpected events, especially cyber-attacks, reduce operational efficiency. As a result, you might lose customers and face higher employee remediation costs.
If you think only about profits, though, you’ll overlook the number-one hidden benefit of risk management: client and customer confidence. Security-savvy people and organizations will stick with you if they know you’re working hard to protect their data and security.
When you set your organizational objectives, review not only the risks you have now but also any threats that might come from new revenue streams.
For example, a company that focuses on payment systems may be PCI DSS-compliant. However, if that same organization decides to increase profitability by shifting to the healthcare industry, it must also review its HIPAA compliance.
As your organizations scales, its risks will change. Understanding organizational objectives before assessing risks increases the risk mitigation process’s value, just as knowing the different paths to winning a game allows players to make better choices.
Step 2: Assess the Risks
A key step in any ERM program is assessing your enterprise’s vulnerabilities.
Risk assessment starts with reviewing assets. In corporate risk analysis, your financial, customer, physical, employee/supplier, and organizational assets determine what you need to protect and how to protect it.
After reviewing your assets, you need to examine how opponents can exploit them. Your assets come with weaknesses that might cause damage to your revenue or reputation. To strengthen your compliance, you must recognize ways that opponents (or malicious attackers) can use even your best defenses to their advantage.
Step 3: Determine Risk Acceptance or Risk Avoidance
Risk tolerance assessments involve accepting or avoiding risk.
Reviewing your IT landscape, you look at the controls in place and accept avoid risks based on your risk assessment and assets.
For example, many consider Amazon Web Services (AWS) one of the safer Cloud Service Providers (CSP). However, malicious attackers increasingly target AWS, leading to DDoS attacks that cause data breaches. Even after recognizing the vulnerabilities associated with AWS, an enterprise might still determine that AWS’s protections outweigh its weaknesses and accept the risks.
Step 4: Map Internal and External Risks
After determining risk tolerance, you’ll need risk mitigation strategies.
When mapping internal and external risks, organizations engage in the same thought process. Internally, a business unit may have training issues or access-control-management weaknesses. For example, when human resources doesn’t report in a timely manner when employees leave the company, the IT department can’t quickly remove the worker’s access to company systems, placing information at risk.
Business partners’ lack of security could pose an external risk to your enterprise data via the partners’ access points, letting malicious attackers into your system.
Mapping internal and external risks throughout your enterprise can give you valuable insights ito where and how those risks intersect.
Step 5: Set Controls and KPIs
To remain continually compliant with regulations and frameworks, you’ll need to monitor your systems and networks and get notified when something changes, and review and reinforce your project management strategies.
Project managers recognize the value of agility when creating products. Risk managers and the c-suite can use agile principles, as well, to meet risk mitigation goals.
Agile product management requires lots of cross-departmental communication. Risk mitigation, too, requires ongoing conversations between departments.
Moreover, agile development requires product testing in small increments to keep the project moving forward. Continuous control monitoring and testing perform the same function in risk and compliance.
How Automation Benefits Risk Mitigation
Our risk heat maps provide user-friendly, color-coded dashboards showing high, low, and medium risk areas within your organization–shareable with your C-suite and board of directors.
ZenGRC also helps your organization to start organizing its risk mitigation strategies right away.
Our powerful software aligns with more than a dozen compliance frameworks and standards to help you map your risks and controls, highlighting any gaps and telling you how to fill them–for ERM that’s worry-free. Why not schedule a demo today?