By Albert Katoen
Organizations face a myriad of privacy and cyber security risks that can have far-reaching consequences. These risks differ per department and function. To prevent multiple risk management approaches, the adoption of Enterprise Risk Management (ERM) is strongly advocated. Despite the longstanding existence of this concept, it might be surprising to learn that many (governmental) organizations have not made significant strides in implementing ERM.
Having ERM in place is beneficial for many reasons, such as:
- Standardized framework: One of the primary advantages is the avoidance of fragmented, department-specific risk management practices. When departments independently design their risk management approaches, it can lead to inconsistencies, varying risk tolerances, and a lack of a holistic view of the organization’s risk landscape. In contrast, ERM establishes a standardized framework that aligns with the organization’s objectives.
- Protecting the organization’s reputation: ERM helps protect the organization’s good image and brand. This is essential because the image of an organization has a direct relationship to sales and marketing. For instance, when a privacy authority publishes a fine for privacy issues, it can (severely) hurt the organization’s reputation.
- Resource allocation: It’s obviously important to make sure that you spend your time and money where it really counts and allocate people where they are most suited. Having ERM helps to optimize resource allocation, because the departments are more aware of the type of work that is needed to implement risk management in their departments.
- Compliance with regulations and laws: In the business world, it’s crucial to play by the rules. Not following the rules can have serious consequences. For example, if an organization doesn’t follow industry rules, it could be told it can’t launch a new product.
- Cost Reduction: When an organization puts in place ERM, it can lead to significant cost savings. These savings extend to all departments and functions. Instead of each department having its own way of dealing with risks, which can be costly, there’s a single, efficient approach that everyone follows.
- Enhanced stakeholder confidence: When an organization shows that it’s really good at managing risks, it makes people who care about the products of the organization or who do business with the organization trust it more.
- Long-term sustainability: ERM is like having a plan to ensure the organization’s success for a long time. It’s not just about dealing with problems today, but also preparing for what might happen in the future. Additionally, ERM enables innovation and growth, because the avoidance of risk can lead to creative solutions and new ways of doing business.
Implementing ERM starts with the tone at the top, because risk management flows from the top down. Top management needs to put in place proper risk governance. This includes formalizing a strategy, deciding which functions and roles are needed and what their responsibilities are, making resources available and communicating its value. A control structure is necessary to ensure the effectiveness of the ERM function, but this can be built on a tactical and operational level.
One of the first pillars in implementing ERM is establishing a risk methodology. A risk methodology refers to a structured approach or set of procedures used to identify, assess, and manage potential threats to an organization’s information systems and data. The methodology describes the risk components (threats, vulnerabilities, assets), offers a way to calculate risks, provides guidelines for conducting risk assessments, and zooms in on risk evaluation and treatment.
Another important pillar of risk management is a direct reporting line to the board of directors. Normally, a risk manager or chief risk officer provides the board with an overview of the organization’s risk landscape. Risk management should also be a regular item on the agenda of the board. The highest prioritized (privacy and cyber security) risks can be submitted to the board for decision-making.
Downsides of ERM
A downside of ERM is that it may struggle to capture and address risks. In a more decentralized approach, individuals at various levels of the organization have a more intimate understanding of specific risks within their respective areas. ERM could overlook important insights and perspectives from the people directly dealing with these risks every day. Finding the right balance between the big picture and the details is important for a complete and well-rounded approach to managing risks in an organization.
For smaller organizations, implementing ERM can often be excessive. These organizations may find that the processes and formalities of ERM outweigh the benefits, becoming burdensome in terms of time and resources. A more bottom-up risk management approach might align better with their scale and operational simplicity.
Finally, it is noteworthy that just having ERM in place is not a foolproof solution for effectively mitigating all risks. Even an ERM function by itself was most likely not sufficient to prevent the large-scale cyber security attacks witnessed in recent years. The success of ERM relies on the skills, dedication, and active involvement of the individuals overseeing, supporting, and participating in the process.
This article touches on some of the key aspects of implementing ERM. Looking ahead, the journey towards comprehensive risk management (in the realm of cybersecurity and privacy) is an ongoing evolution. As technology advances and threats evolve, the adaptability of ERM will be key to staying ahead of (emerging) risks.
ISO 31000 is about the framework, principles and processes of risk management and goes into detail on the why and how of implementing risk management: https://www.iso.org/iso-31000-risk-management.html.
 For more information see (page 4 in) ‘Reporting Cyber Risk to Boards’: https://www.eurocontrol.int/sites/default/files/2022-03/reporting-cyber-risk-to-boards-ce-20220322.pdf.