Is ERM leaving security behind?

Ideally, enterprise risk management (ERM) is a top-down, formal framework for identifying, prioritizing, analyzing, monitoring and managing all types of risk that an enterprise faces. It provides solid guidance for executive decision-making. It is headed by the strong leadership of a B-level or C-level officer and it enjoys the enthusiasm and involvement of the board and the entire executive team. It is founded on a clear articulation of the company’s risk appetite — aligned with business goals — that is communicated to employees at all levels. It is supported by a cross-functional management and advisory team that shares information about business unit risk.

In a perfect world, ERM would save the company money, prepare it for change, create stakeholder value and facilitate growth through the exploitation of opportunities. All organizations would be interested in and capable of embracing some sort of ERM model to manage risk, and the security function would play a weighty role in the process.

It’s a shame the real world seldom lives up to such ideals. ERM — developed with top-down support and strong leadership — can indeed lead to benefits like those mentioned above. But organizations have been slow to adopt it, and those that have climbed on board do not always invite security to help steer.

Not Yet Widely Accepted

In its April 2009 "Report on the Current State of Enterprise Risk," the ERM Initiative at North Carolina State University stated that 44 percent of 700 survey respondents (most of whom were CFOs) have no enterprise-wide risk management process in place and have no plans to implement one. IBM announced similar findings in its 2008 CFO Study, reporting that only 52 percent of CFOs surveyed have a prescribed risk management program.

What’s more, the NC State report found that nearly half of respondents lack a formal plan for business functions to establish or update assessments of risk exposures, and 75 percent indicate that key risks are communicated “merely on an ad-hoc basis at management meetings.”

These days, it is common knowledge that companies collapse when they make the wrong decisions about risk; we have learned that courtesy of the economic crisis and the behavior responsible for it. If we all know this, why is enterprise risk management still not the norm?

Why So Slow?

One reason is that ERM is a relatively new concern as management theories go, and it tends to take a while to implement a total ERM program like the one outlined in the introduction to this article.
