Of course, no enterprise can operate without some risk. “If there was no risk, there would be no revenue,” says Tim Weir, director of global asset protection at Accenture, the management consulting and technical services company.
“The whole idea of doing business is based on the idea of taking risk,” agrees Petri Lillqvist, director of risk management for Digita Oy, a radio and television distributor headquartered in Helsinki, Finland.
When developing an enterprise risk management process for Digita, Lillqvist started with basic questions, such as what “manage” actually means.
“Managing risks does not mean eliminating them,” he says. Rather, risks must be brought down to a level that will not be fatal to the enterprise.
The goal, explains Weir, is to “make calculated decisions daily to help manage risk to people, reputation, information, and property—in that order.”
Before an enterprise can manage its risk, it must identify potential risks and assess how risk will affect the company. A variety of formal and informal methods can be used to accomplish these tasks.
A key factor is to be selective. “If you just start thinking of all the possible risks that might harm your company, you’ll end up with a very long list that includes everything from petty thefts to an asteroid hitting your company headquarters,” Lillqvist says. “It’s about risk management, not list management,” he quips.
The company’s business objectives must serve as a starting point, Lillqvist says.
Seeking out the owner of the identified risk is another helpful tactic. At Digita, the risk owner can be a vice president or other staff member, depending on the risk. That person is responsible for assessing the need for controls, planning the actions, then implementing, reassessing, and reporting on the actions in concert with the company’s risk management process and policy.
Hulshouser and his team use brainstorming to determine probabilities, “the ‘what ifs’ that keep you up at night,” he says. The economic situation and the potential for thefts are top priorities. He scans information from government and professional organizations to stay on top of communitywide crime as well as terrorism trends and natural disaster indicators.
Weir uses visuals to help clarify the risk picture. “We use a wheel that expresses the circle of the risk life cycle,” he says. The circle starts with the identification of a specific risk, then moves through the ways to eliminate, transfer, mitigate, insure, and evaluate that risk over time.
Dick Parry, CPP, executive director of global security at Novartis Institutes of Biomedical Research, has adopted a different type of visual at the pharmaceutical research organization. He uses heat maps, a graphical representation of data that measures gaps and shows through color variations where risks are controlled.
To collect the data, says Parry, various disciplines within Novartis identify their risks, which are consolidated into a larger risk portfolio and then addressed at each business unit.
The process also includes what Parry calls a “loosely modeled risk council.” Meetings to discuss enterprise risk management are scheduled regularly, but the group also works on an ad hoc basis to address risks as they appear.
Sometimes it’s clear what the major concerns are. At Palm, for example, it is the “huge band of bloggers and fans who want to be the first in the market to give consumers the most updated information on potential purchases,” explains Acton. That puts proprietary information at extreme risk.
To address that risk, Acton and his team began shoring up internal processes. “We share less information with fewer people and share it later in the product life cycle,” he says.
The plan passed its first big test during a recent new product release. For the first time, no leaks or disclosures occurred.
Any enterprise risk management plan must recognize that risks evolve, and companies must be prepared to adjust. While the enterprise security council at transportation leader Schneider National tries to anticipate risks three years ahead, “the reality is that we are working in the one-year realm,” says Walt Fountain, CPP, director of enterprise security. “Things are changing faster than we ever expected.”
The scarcity of money and time is a perennial impediment to a more effective risk management process. Difficult economic times exacerbate the problem, because cost cutting often results in less than optimum combinations of internal controls, which increases risk. Moreover, security itself is asked to do more with less. But ESRM managers cannot let these barriers stymie their efforts.
“It’s still security’s responsibility to do the best to manage global risk regardless of what resources are available at a given time,” says Boni.
To achieve those objectives, he adds, security leaders must deliver the right information to the appropriate level of management so that executives can prioritize and make appropriate choices.
Angelo at Diebold agrees, noting that in the coming year, the “biggest value the GRCOB will provide is the appropriate prioritization of resources to address risk.”
Fountain has a similar viewpoint. “It’s not that people are saying ‘Let’s not do any security because we cannot afford it,’” he says. Rather, his council has been required to do more upfront planning, gather more data, and justify return on investment (ROI) before moving forward. In anticipation of those questions, he and his team come well prepared to planning sessions.
But money isn’t the only issue. Another barrier to implementing ESRM can be perceptions about what it means to disclose risk on the part of front-line personnel and middle managers. “People have to get past the point where disclosing risks makes them feel that they are not doing their jobs,” says Parry. He advocates establishing a “no-fault scenario” so that employees won’t hide details the company needs to know.
Culture can also be a roadblock. Enterprise risk management is “an evolving concept” at Caterpillar, says Tim Williams, CPP, director of global security at the global manufacturer of construction equipment and engines.
Since Williams joined the company two years ago, the security program has expanded into the global arena with regional directors in Asia, Latin America, Europe, and the Middle East. Williams also began developing risk-based programs for the company’s global manufacturing and distribution centers.
While the company does not have a formal risk management department, Williams serves on a compliance committee and is in the process of forming an enterprise security council.