What is ERM (Enterprise Risk Management)?

In my previous blog post, I noted a few trends that I expect to be prominent in 2022. Any one of those would be a good reason to focus on Enterprise Risk Management (#ERM) in the coming year. ERM is a process put in place by leadership and management to identify potential events that might affect the entity and allow managers to manage the risk within the entity’s risk envelope. In these instances, not all events are necessarily negative in themselves, e.g., a #SuperBowl versus a #climatesecurity event (deep freeze in Texas). However, conditions around those events and external factors could create activities that must be managed, such as potential protests, supply chain disruptions, or facility shutdowns.Your ERM strategy should help you identify upcoming events so you can get ahead of the game, including key issues as executive protection and #protectiveintelligence, facility resilience, and life safety issues. For those entities with the foresight to deploy a good ERM system, positive outcomes include safer and higher quality workplaces; higher likelihood of achieving strategic objectives; improved compliance and enhanced governance; reduced risk and insurance expenditures; enhanced operational efficiencies and alignment with culture; and fewer instances of unwanted events (e.g., business disruption, workplace violence, fraud, etc.).The best risk management approach is to consider physical and cyber threats as one rather than two separate issues—to which enterprises, including corporations and complex family offices, should pay especially close attention. While we have long monitored physical and cyber risks as a combined threat, many security shops typically do so in a siloed fashion, only dealing with overlapping concerns after the fact. Some of the more forward-leaning companies whose assets exist in both the physical and digital domains have already implemented ERM (think tech giants), but the rest of the pack still has a long way to go. When physical and digital threats simultaneously succeed at causing havoc, they often have an exponential impact requiring a more sophisticated response and additional resources. When organizations are not ready for a converged unwanted event, like a ransomware attack on a control system for manufacturing technology (e.g., Colonial Pipeline), they find themselves behind the 8-ball, playing an expensive and time-consuming game of catch-up. #Familyoffices might find themselves dealing with a data breach of their financial systems or personal information that negatively affects trust, the family brand, or their legacy.Insider threats require a sophisticated enterprise risk management approach due to the myriad aspects a company must monitor. Employee recruiting, on-boarding, wellness, and off-boarding are core to this challenge. This process involves HR professionals and human resource information systems (HRIS), in which an interactive physical presence is assisted by technology to assess, identify, monitor, and process information about employees and their wellness.All of these HR items need to be integrated with the organization’s larger identity management, access control, and information technology (IT) systems. For instance, it’s important for corporations to assign security credentials to a particular employee and be assured that their physical access is restricted to certain buildings. It is even more crucial for an organization’s access control systems to be able to determine if an employee has used their credentials to access different buildings at the same time—a strong indication that the employee’s access card has either been stolen or cloned. As a parallel concern, the IT team needs to know that an employee using an access point/machine in a particular office is who they say they are and not someone trying to gain access with that employee’s access card. In this case, multi-factor authentication is a key preventative strategy to combat the threat of stolen credentials.When these converged issues are not managed by an ERM system, insider risks could manifest as the theft of assets, funds, intellectual property, etc. Companies that do not employ ERM run the risk of magnified threats, whether they do so out of naivete or negligence. In either case, corporations and family offices need to have a professional review of their existing risk profile to make informed decisions about what threats are probable, what vulnerabilities exist, and what mitigations are needed.2020 was the year of the pandemic, and 2021 the year of the vaccine. Several people – including myself – have said that 2022 needs to be the year in which resilience becomes a major priority. For corporations, an ERM strategy helps ensure resilience. Does your resilience plan for 2022 include ERM? Is your company able to deal with these ERM issues today? Are you operating in the blind with regard to insider threats and potentially convergent risks? Are you able to monitor your business operations for events that present risks so you can respond to them in a timely fashion before they snowball into catastrophic consequences?It’s time for your organization to take a holistic look across your entire enterprise and employ an ERM plan to proactively manage all possible risks.