The Ponemon Institute defines enterprise risk management (ERM) as the application of rigorous and systematic analysis techniques to the evaluation of risks that may affect the entire organization, including information assets and IT infrastructure. Enterprise risk intelligence is defined as the insight necessary to drive actionable business decisions related to governance, risk, and compliance. Currently organizations have a tough time incorporating ERM, because they lack resources and believe that the technologies are too complex. These facts make it hard to even begin practicing ERM. However, there are numerous benefits to enterprise intelligence: the evaluation and potential impact of risks to the entire organization, IT business and security goals are better aligned, and minimization of risks.
Increasing Enterprise Intelligence
Break down silos and join forces: To reach a clearly defined risk management goal, all components of an organization must work together and collaborate.
Accomplishments should be meaningful: Business continuity response, incident risk response, operational risk and compliance, and threat and vulnerability mitigation are all features that are seldom accomplished even though they are crucial to risk intelligence.
Develop a budget: Organizations must have a budget to designate appropriate resources to a successful ERM program.
Management and the Board of Directors must be involved: Leadership must be in the know and involved to create a culture that supports the importance of the ERM program.
IT assets and infrastructure clarity: Good risk measures can only be in place if there is a clear, concise outline of infrastructure and categorization of assets.
Assign accountability for the achievement of specific risk management objectives: It is important to identify responsible individuals who can be held accountable.
Risk Intelligence should be measured: Establish metrics to observe and measure important objectives like time to contain threats and attacks, time to identify and pinpoint high-risk areas, and time to remediate after containment of the attack.
Consolidate risk reporting: Develop a risk dashboard that can serve as a “one-stop” source of risk information for senior leadership.
Do not make complexity an issue: Technology can be a barrier to successful risk management that can be easily avoided if the central goals of the ERM program are clearly stated and understood.
Examples of Ineffective ERM programs
A majority of respondents (61%) to the survey stated that enterprise risk intelligence will become mandatory soon. However, these respondents have differing perceptions of why existing programs are still immature. Over half (60%) agree that an ERM program can help to align business objectives across functional areas; yet, less than half of the respondents agree that their current ERM program integrates well with the way business leaders make decisions and that senior executives and members of the board are involved in their organizations’ enterprise risk intelligence.
Respondent’s identified their top worries as reputation damage, cybersecurity breaches and business disruption resulting from a poorly designed or ineffective risk management program. Organizations are slowly improving the maturity level of their risk management program. Almost half (44%) reported that today, compared to 18 months ago, their organizations are defining risk appetites, manual business unit assessments, and have initiated limited business unit risk processes and reporting.
About half reported that their organizations use top down, assessment driven, reactive, manual processes, spreadsheets, siloed information for risk automation compared to the same time period 18 months ago. The greatest benefits from this system, the respondents say, are a reduction of costs and a generation of actionable risk intelligence. The survey revealed that these organizations risk management programs identify the controls needed (66%) but not the key information that should be protected (44%).
Barriers to an Effective Enterprise Risk Intelligence Program
Only 8% of respondents said that their organizations’ functional areas are fully integrated with respects to communication about risk management. Thus, collaboration is a large issue in enterprise intelligence. Almost half (44%) say that a lack of budget is their primary barrier to not achieving risk management objectives. Many respondents report that their company has no formal budget for ERM. An additional barrier is a clear outline of infrastructure and categorization of assets. Only 17% of respondents can manage risk well through a clear view of their infrastructure and assets, and only 24% say that their companies distinguish assets based on how critical to their business they are. No one leader is responsible for overall risk management according to 30% of respondent’s reports. A proper ERM program cannot be effectively executed if there is no leader in charge of oversight.
A final barrier is that there are no clear measures to determine if enterprise risk intelligence is being utilized. Centralized or consolidated risk reporting (one set of metrics) is critical to the success of security efforts within the organization; yet, only 31% of respondents say their organizations have specific metrics to monitor how well risks are being managed. Common metrics used are time to contain threats and attacks, reduction in unplanned system downtime, time to identify and pinpoint high-risk areas, and reduction in the number of policy violations.
Enterprise Risk Intelligence SolutionsInstalled
Many companies are implementing purpose-built risk management software for automation. More than half of respondents agree that automated risk management is critical to the success of the company. The risk management tasks most often supported by purpose-built risk management software are: risk analytics (70 percent of respondents), incident response (67 percent of respondents), policy management (59 percent of respondents) and employee monitoring and surveillance (51 percent of respondents).
To help implement risk management automation, 56% of respondents say that they are purchasing a risk management solution. The most important features of the software is ease of use, deep ecosystem integration, easily scalable, offers a suite of enterprise risk applications, and cloud delivery. Many organizations deploy a risk intelligence platform or GRC application/tool. Fifty-seven percent of respondents say their organizations deploy a risk intelligence platform or GRC application/tool and 50 percent of respondents say such a platform or tool is very effective.
The study also revealed the risk intelligence features that are most important: business continuity response, incident risk response, operational risk and compliance, threat and vulnerability mitigation.