Whether making a personal or professional decision, we all face risks on an ongoing basis.
Managing risk has always been part of doing business, but modern companies face threats that are more frequent and more complex than ever before. Avoiding them takes a combination of skilled people and supporting tools, for large corporations and small businesses alike.
For example, consider how many headlines you have seen recently along the lines of "[Insert big brand here] confirms data breach." The 2019 IBM/Ponemon Cost of a Data Breach Report put the likelihood of an organization experiencing a data breach within two years at 29.6%, up from 22.6% five years earlier. Headlines about data breaches, financial losses, and reputation damage are commonplace in today's business landscape, and they have hit established companies such as Marriott, Capital One, and DoorDash.
The right technology needs to be in place before it’s too late, especially for companies that handle sensitive information. Too much is at stake for risk-mitigation technology not to be a key component of any enterprise IT system.
Findings from IBM and the Ponemon Institute, published in their joint 2019 Cost of a Data Breach Report, offer some clarity about what is at stake. The report found that lost business after a breach, including customer turnover, cost organizations $1.42 million on average, the single largest component of total breach cost. Average total cost also scaled with organization size: $5.1 million for companies with more than 25,000 employees, compared with $2.65 million for companies with 500–1,000 employees.
As data breaches continue and new risks emerge, companies are turning to enterprise risk management (ERM) to manage risk systematically and to establish a single source of truth for all stakeholders.
Enterprise risk management programs
In today’s business world, the collection of efforts to manage risks is its own function. The function is called enterprise risk management (ERM), and it plays a vital role in protecting companies against internal and external threats.
According to G2, an enterprise risk management program is "a business strategy designed to identify, assess, and prepare for any dangers, hazards, and other potentials for disaster that may affect an organization's operations and objectives."
Simply put, ERM involves preventative measures against anything that may disrupt an organization's objectives. In practice it is not that simple: many components and aspects of a company go into an effective ERM process.
That is why the Committee of Sponsoring Organizations of the Treadway Commission (COSO) takes the definition further. COSO describes ERM as a process applied in strategy setting and across the entire enterprise, effected by the board, management, and other personnel at every level of the organization.
There are three identifiable elements of an effective ERM strategy: discipline, culture, and control. A company must have a structure in place that incorporates all three in order to continuously monitor and mitigate risk at an enterprise level.
Why is ERM important?
It's not a matter of if your company will face risk, but when. Through ERM, companies can stay one step ahead of the risks that threaten them now and in the future. It is not enough to implement just any process, however: to protect all facets of your business, an ERM program needs to be executed in an intelligent, strategic manner. Its goal is to limit exposure and damage as much as possible, benefiting both the business and its employees while cultivating a culture of risk awareness.
Implementing an ERM program provides many benefits, saving companies money and time through more efficient operations and staff. This is especially true where current processes rely on manual tracking and coordination: automated solutions let companies close gaps in their risk, security, and compliance coverage.
Transparency with employees keeps risk mitigation at the forefront of business operations, which is particularly necessary in industries such as healthcare, financial services, technology, and energy, where third-party and IT security risks go to the core of company performance.
Three questions to ask before starting an ERM program
Before establishing an ERM program, it’s important to ask the right questions. Identifying the core objectives of the program will help solidify expectations for all stakeholders.
What is the current state?
A company's governance, risk management, and compliance processes should be evaluated on an ongoing basis. You will need to know the current state of your existing systems and inventory, both the formal tools and technologies and the ad-hoc approaches, which is why involving multiple people at this stage is critical.
Interviewing everyone involved with these processes and understanding their perspectives, objectives, and pain points lets you make a more informed and, ultimately, better judgment call when establishing an ERM program. Honestly analyzing your own practices can be difficult, especially where risk mitigation is concerned.
Asking some of these questions may help:
What kind of personally identifiable information (PII) or sensitive data do we handle?
Have we accounted for the regulatory landscape of our industry when collecting risks?
How complex are our risks?
How complex is our organizational structure?
What are the likelihood and impact scores of the risks, both individually and in aggregate?
Where does the company want to go?
Asking this question lets you shape your ideal future ERM scenario. The answer will vary greatly by company and industry, but it is still extremely important to be realistic and specific. Consider modeling your goals on the "SMART" methodology: Specific, Measurable, Achievable, Relevant, and Time-bound. Remember, though, that outside influences such as regulations, laws, and contracts may constrain your decisions as well.
How do we get from here to there?
This step is the road map for the whole program. Getting from the current state to the target state requires analyzing where your business is today and where it could be, and devising a plan for moving forward. It depends on identifying the gaps in your existing approach and finding an ERM solution that fills them.
Don't be afraid to ask the right questions
Developing an enterprise risk management program can be a daunting task. While many companies still rely on manual input and spreadsheets to maintain their program, others are digitally transforming the process, relying on cloud-based solutions to create a single source of truth across the organization.
Educating yourself on what ERM is, why it matters, and which questions to ask before starting a program gives you a sound foundation to build on. Rather than fearing risk, companies with an ERM program can identify opportunities to take on greater risk deliberately, without the constant worry that comes from not knowing where they stand.
Matt is the Co-Founder and CEO of LogicGate. Prior to LogicGate, he spent over a decade in the management consulting space building technology solutions to operationalize regulatory, risk, and compliance programs for Fortune 100 companies. Given his extensive background in the GRC space, Matt regularly speaks and consults on risk and compliance topics.