We are now into the third week of US Cybersecurity Awareness Month, and the theme is ‘Explore. Experience. Share’, a rather general direction we’re interpreting as a call to spread knowledge and awareness of cybersecurity and its manifold challenges. Thus, we’ve been looking back at the topics we’ve addressed so far, which led us to make useful connections with the area of Enterprise Risk Management (ERM) frameworks.
While exploring possible solutions to trending types of cyberattacks such as ransomware and phishing, we found that one common issue stands out: the need for a risk management approach that is appropriate, or ‘proportionate’, to the complexity of an organization.
“Risk management involves understanding, analyzing and addressing risk to make sure organizations achieve their objectives. So, it must be proportionate to the complexity and type of organization involved”, The Institute of Risk Management states.
“Enterprise Risk Management (ERM) is an integrated and joined up approach to managing risk across an organization and its extended networks”.
The quantity and range of risks an organization is exposed to are undeniably expanding, especially as businesses themselves grow and become interconnected, and properly managing these risks requires more and more complex processes and procedures. With this increase in complexity, the accurate, always-on and holistic view of risk required to stay protected becomes blurry.
This is where an ERM program comes in – if executed well, it makes sure that you are aware of and handling risks appropriately according to the complexity of your organization, whether internally or across your extended enterprise of partners, vendors and other third parties.
The key challenges of ERM – consistency and centralization
While helping such complex organizations wrap their arms around risk and implement a strong ERM strategy, our experts have found that consistency in the way risk is being managed across the organization is a big concern.
A lack of consistency in the risk management approach within an organization creates issues with board reporting, which in turn breeds inaccuracies and prevents suitable prioritization of security resources and budgets. Furthermore, an inability to correlate risks with strategic business objectives means that opportunities for growth or investment, for instance, may be missed, preventing the business from thriving.
An inconsistent risk management approach also poses resilience and crisis management concerns. For instance, in 2020, “public companies with mature enterprise risk management programs found that their ERM framework paid off during the pandemic”, providing a “firmer grasp on a slippery and fast-moving crisis”.
However, this issue of consistency doesn’t have an easy fix. In our experience, even in cases where the principles behind ERM are understood and the organization is technically ready to embrace an ERM program, the Enterprise Risk Matrix is decided ‘at the top’, but its application and propagation aren’t usually monitored with the attention and thoroughness they require. This means that the matrix, or ERM framework, spreads to different parts of the organization and gets interpreted and applied inconsistently.
This causes a decentralized risk management approach with a distinct lack of consistency. As a result, you will most likely struggle with addressing the security, resilience and crisis management concerns mentioned above, or with staying protected against cyberattacks, which ultimately means that you do not have a strong ERM program.
How to make the best of ERM
As this blog has shown, for your organization to meet its objectives you need clear visibility and understanding of all the risks that may disrupt achievement of these objectives. You must be agile to seize opportunities while remaining resilient to new inter-related risks, from pandemic and supply chain disruption to cyber and privacy breaches. At the same time, you want to report on your risks easily and accurately, and to be able to show stakeholders evidence of environmental, social and governance (ESG) awareness and behaviors.
This herculean job clearly requires a centralized and consistent approach to ERM, and we dare say it cannot be easily accomplished without the help of technology and automation.
STREAM, our Integrated Risk Management platform, centralizes, automates, quantifies and reports governance, risk and compliance across the enterprise on a single platform. With a good ERM tool such as STREAM, you can see consistency across different use cases – from third parties to internal departments. Key benefits include: risk mitigation through controls and action tracking, a consistent management approach, tracking of business opportunities and objectives, and dashboard reporting.
An ERM success story
We’re proud to have deployed STREAM to help organizations of all types implement a strong ERM program, and to boast success stories such as that of our US-based client Midland States Bank (MSB). In MSB’s case study, Chief Risk Officer James Stewart mentions a few highlights of his experience with Acuity’s STREAM: “The system is extremely configurable, and reporting tools very flexible. In some instances, we are able to pull together data across all products and generate reports in minutes, when it previously required days of effort”.
“Secondly, the system provides the ability to quickly build ‘virtual views’ of the company’s ERM framework. Hence, I have the capability to put forward a top-level view that masks various features that would otherwise confuse users. Thirdly, system response time is impressive – there is no latency, which has impressed our users who have experience with other GRC platforms. Finally, having the lion’s share of our ERM framework on my desktop garners a lot of favorable comments from external stakeholders”.