A successful enterprise risk management team has the support of senior management and the board. It’s also woven into the strategic plan. That’s one of the takeaways from a recent NeuGroup Corporate ERM peer group meeting.
The meeting featured a company that set out to build a comprehensive ERM program. This Fortune 500 tech company saw it as a strategic priority and pushed the program to be world class in stature. While many companies’ ERM programs are characterized by an assessment calendar with a 12-month cycle, this company’s program has risk discussions all year long, with calendared steps along the way.
One result of these ongoing discussions was the idea of operationalizing ERM, which embeds ERM thinking in the company’s day-to-day work. This means it is not a separate activity but a natural component of operational strategies and activities. As an illustration of the importance of ERM at the company, it has developed a proprietary in-house tool for gathering risk data from business leaders company-wide.
The tool makes no assessment or judgments but organizes the data in such a way as to inform all relevant parties and ensure they’re talking about it and taking steps to mitigate the issues if needed.
You’ve been hacked
One of those issues that companies are talking about more and more is cyber security. An unfortunate truism these days is that when it comes to cyber security there are two types of companies: those who’ve been hacked and those who have been hacked and don’t know it.
At the ERM meeting, one company discussed some of the more potent threats in cyberspace and how companies are inherently vulnerable. One of the troubling takeaways was the observation that most IT security people “don’t get the enterprise element of this risk,” that is, the chain of events that could be triggered if a breach occurred at, say, a national payroll processing company. Not only could a lot of personal and very sensitive information be compromised, but there would also be major economic consequences if payroll processing for millions of employees was hijacked.
ERM is growing and maturing, but it is probably more important that it keep evolving to meet the ever-changing challenges that cyber threats create. That’s why, if an ERM program is more widely dispersed and ingrained in the company’s daily operational thinking, it’s more likely the threats will be identified sooner. This is important to the company’s customers, and it’s also important because it can cost one’s job, as the fate of Target’s CEO shows.