As CISOs, we face a multitude of physical and cyber vulnerabilities related to applications, endpoints, data centers, cloud infrastructures, and more. This is where Enterprise Risk Management (“ERM”) comes into play. An ERM strategy should identify and prepare for hazards within an organization’s operations that may interfere with its objectives. It moves away from the traditional silo approach, in which each department handles its own risk, toward a top-down, enterprise-wide view, and that shift requires strategic leadership and decision making by CISOs.
Enterprise risk is composed of all the possible threats, vulnerabilities, and hazards that an organization may face while conducting or operating its business. ERM uses systematic processes, frameworks, and controls designed to mitigate those risks. It also makes explicit the likelihood that each risk will materialize and its potential outcomes. The first step is to accurately evaluate your organization’s risk profile.
5 Things to Consider When Evaluating Risk
As a CISO, you are likely partnering with other internal resources (e.g. Risk, Audit, Privacy, etc.) to manage the overall enterprise risk program. Before the CISO role was what it is today, many IT departments responsible for security took a “compliance-only” approach: a “check the box” list of requirements tied to PCI, HIPAA, or whatever the applicable compliance regime was. As information security and cybersecurity have evolved from IT issues into business problems, so has the approach to understanding risk. How do we take the first steps to evaluate risk?
- Take a risk-based approach, with a strategy that balances business needs against risk.
- Conduct a Security Risk Assessment of the organization to identify your risks, the likelihood of events, maturity rating, and remediation items to reduce overall risk. This can also be part of a larger enterprise initiative for conducting an ERM assessment.
- Incorporate your Compliance and Regulatory requirements into the assessment for added value and visibility.
- Think proactively about how your company will address risks when they arise, especially through disasters, business continuity, and Incident Response.
- Talk with your internal stakeholders and business leaders to understand their parts of the business and their requirements. Conduct Business Impact Analyses (BIA) and Privacy Impact Assessments (PIA) as needed.
Key Ingredients to a Successful ERM Program
You might ask, “What goes into an ERM program?” An Enterprise Risk Management program is far from easy, and most companies face inherent challenges with it from time to time, especially as a public company. Like anything else, it needs a structure, a strategy, and a team of people to implement, assess, monitor, learn from mistakes, and improve. Here are some examples of what makes an ERM program successful:
- The Chief Risk Officer should be assigned to manage enterprise risk. A risk committee should also be identified.
- Identify the risk framework that your company will utilize. The top frameworks are ISO 31000, RIMS, and COSO.
- Determine whether to implement an ERM system.
- Identify, analyze and quantify your risks.
- Assess and prioritize risks. This can be part of a process of assessment, identifying remediation items, and tracking all risks in a Risk Register.
- Understand compliance, regulatory, public-company requirements, and legal concerns.
- Build risk treatment plans.
- Continuously monitor and reassess.
GRC or ERM?
In a consulting capacity, I was often asked by clients: do I need an ERM system, or can I just implement an enterprise GRC program? GRC (“Governance, Risk, and Compliance”) is often used as the compliance-focused alternative, especially for SMBs (small and medium-sized businesses) or where the resources for a full ERM program aren’t there. In simpler terms, Governance is the “theory” behind the company’s risk management program, whereas ERM is the mechanism for applying that theory. Implementing an ERM application or risk tool can provide the following benefits:
- Data Management: Data is often the key to most processes, analysis, program management, etc., and having control over your data in one location can streamline automation and operational effectiveness.
- Greater visibility across the company and business.
- Improve employee productivity through mandated compliance activities throughout the year, all performed via the tool’s platform.
- Integrate technology and data within your company with the ERM tool for greater control, analysis, and identification of risks.
- Better risk reporting, integrated into one platform.
Unintentional or accidental behaviors cause the majority of cyber security incidents and can be difficult to identify through traditional ERM controls. Elevate Security identifies the risky users and behaviors that typically cause your next incident, whether data loss, account compromise, or ransomware. We can enhance your enterprise risk management system through an integration with our platform.