Enterprise Risk Management: Old concept, new ideas

Enterprise risk management may be old hat, but some CSOs are using it in innovative ways. Here's how it can bring your security program into the future


Enterprise risk management (ERM) is hardly new. Eric Cowperthwaite, CISO at the nonprofit healthcare organisation Providence Health and Services, recalls hearing the term for the first time in the late 1990s, "and it existed before then, even if we didn't call it that," he said.

Indeed, the term goes back several decades, according to Jeff Spivey, who is vice president at RiskIQ, president at Security Risk Management, and international vice president of ISACA.

"My father was involved in risk management beginning in 1968," he said. "What was then called 'risk management' is now called 'enterprise risk management.'"

John Shortreed, a member of the International Organisation for Standards, which developed ISO 31000, one of the most prominent frameworks for ERM, says the framework has been "evolving and maturing over the last decade, in response to the increasing risks [in] our world" brought on by such varied factors as interconnectivity, climate change and economic upheaval.

But after all that evolution, it is still not close to being standard operating procedure in most enterprises. According to a 2012 customer survey by the Corporate Executive Board, 70 percent of respondents did not have a formal risk-appetite approach in place. Risk appetite is one of the fundamentals of ERM. Cowperthwaite is not surprised at those results.

"My perspective is that most security practices are foundationally compliance driven, even if they have a risk component," he said.

"The thinking of most CSOs is, 'There is some number of things I'm required to do. When I do them, I have a security program.'"

That doesn't mean nobody is doing ERM, he added.

"I could name a dozen CSOs who are really involved in their businesses and doing great ERM," he said. "But I could also name more than a dozen who are basically just keeping in compliance, keeping the firewalls in place. I think if we were to survey the industry as a whole, we'd find the 20-80 paradigm, where only about 20 percent really understand what their business is about so they can make the case for managing risk."

Not everybody thinks the divide is that great between those practicing ERM and those focused on compliance - often derisively called "checking-the-box security." Chris Wysopal, co-founder, CTO and CISO of Veracode, says he is seeing more of his security peers "performing threat modeling based on the way their business works and what is going on in the threat space."

In at least one sector of the economy - finance - there is strong evidence of risk management taking hold. The Wall Street Journal reported in October 2010 on a Deloitte survey of 111 financial institutions that found 75 percent of them had a chief risk officer or an equivalent position, which is one of the core components of most ERM frameworks.

John McClurg, vice president and CSO of Dell, says in recent years he has seen a lot of evidence of ERM in Fortune 100-level companies, "but not so much in smaller companies, and that is the majority of businesses in the country."

William Mabon, director of the cybersecurity product portfolio for BAE Systems, is among those who are not involved in ERM. He says that while he and his firm's clients, which are mostly in government, are very focused on protecting data, "as opposed to going through exercises that are designed to pass through audits," he does not hear much talk about ERM with those clients.

"It is not a buzzword that we're living and breathing every day," he said.

Cowperthwaite believes the stumbling block is not a lack of understanding, but rather an all-too-clear understanding of how hard ERM is to do.

"If you do qualitative risk management, it leaves an amazing amount of room for people to argue," he said. "When I say something is high risk, the CEO might look at me and say, '[An impending merger] is high risk - what you're talking about is moderate.'"

But then, some experts say ERM is not the way to go anyway. Douglas Hubbard, CEO of Hubbard Decision Research, even wrote a book about it - The Failure of Risk Management - in which he poses three questions: Do these risk-management methods work? Would any organisation that uses these techniques know if they didn't work? What would happen if they didn't work?

Hubbard argues that the answer to the first two questions is "no," and that the answer to the third is that there could be catastrophic consequences for a company or its customers.

Richard Stiennon, chief research analyst at IT-Harvest, contends that ERM simply doesn't work. In a recent Facebook post, he proposed the following title for a course on ERM that he was about to teach at the National Defense University: "No one ever got fired for implementing a risk-management program - but they should be."

Stiennon says that "as an industry analyst and adviser to some of the largest organisations in the world, I have seen them start to move away from risk management to threat management."

Francis Cianfrocca, CEO of Bayshore Networks, agrees.

"With risk-management best practices, you're not really protecting yourself. Enterprises need protection rather than risk management."

Of course, advocates of ERM contend that it is all about protection - evaluating what kind of protection is needed based on the kind of risk and the amount of damage it could do to an organisation.

So maybe before we can discuss the progress and even worthiness of ERM, we need to refresh everyone on what the definition of ERM is and what some of its core goals are. Most CSOs would agree with Spivey that it starts with a holistic view of all risk that an organisation may be exposed to, including operational, brand, financial, physical and, of course, information security.

They also agree with what shows up in multiple frameworks and advice columns on the topic: The overall goal is to manage that risk in a way that provides value to the company. Or, as Cowperthwaite puts it, security professionals should "learn what your business does. Go talk to a business-unit person. He's going to think that's pretty cool because no security guy has ever done that before. Then you can connect what you do to what the business does in meaningful ways."
