Jason Brown, Information Technology Security Manager, The Shyft Group
There seems to be a renewed interest in the need for Enterprise Risk Management (ERM). With the release of the NIST Cybersecurity Framework version 2.0, ERM has taken center stage. Govern, the new function within the framework's core, integrates with several other parts of the overall framework. A big part of governing is the need for an ERM program to be developed for the organization.
ERM is not a new concept. We need to identify IT and cyber risks within our environment and understand how to deal with them. The implementation of an enterprise risk register, which highlights all IT and cyber risks, should be brought up in conversation if it has not already. ERM is much more than just a risk register, though. We also need to have difficult conversations about how we handle risk mitigation and avoidance. This, however, would not be successful without the assistance of everyone within the organization.
Risk registry
Once a risk has been identified, it must be placed into some type of registry. This will help track what the risk is and, more importantly, how you want to deal with the risk. We should also capture the level of risk that has been identified. The level of risk is typically expressed using a naming convention such as low, moderate, and high. In a decentralized, or even a centralized, IT program, you can have individual registries which all roll up to an enterprise dashboard showcasing the most important risks to the enterprise. For example, you could have several low to moderate IT-related risks for a server team to track in their registry, whereas the cybersecurity team may have a registry for IDS alerts or vulnerabilities. These can all flow to the top of an enterprise dashboard to keep track of the organization's overall risk.
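The roll-up described above, as an added illustration that is not the author's or The Shyft Group's own tooling: each team keeps its own registry, every entry records its level on the low/moderate/high scale and the intended treatment, and the enterprise dashboard is the filtered, severity-ordered union of those registries. The field names, treatment options, and sample risks are assumptions made for the example.

```python
"""Per-team risk registries rolling up to an enterprise dashboard (added example)."""
from collections import Counter
from dataclasses import dataclass, field

# Ordinal ranking for the low / moderate / high scale used in the article.
LEVEL_RANK = {"low": 0, "moderate": 1, "high": 2}
# Treatment options are an assumption; the article names mitigation and avoidance.
TREATMENTS = {"mitigate", "avoid", "accept", "transfer"}


@dataclass
class Risk:
    title: str
    level: str       # one of LEVEL_RANK
    treatment: str   # one of TREATMENTS: how the organization intends to deal with it
    owner: str = ""  # filled in by the registry that holds the risk

    def __post_init__(self) -> None:
        # Reject entries outside the agreed vocabulary so the dashboard stays comparable.
        if self.level not in LEVEL_RANK:
            raise ValueError(f"unknown risk level: {self.level!r}")
        if self.treatment not in TREATMENTS:
            raise ValueError(f"unknown treatment: {self.treatment!r}")


@dataclass
class Registry:
    """One team's registry (server team, cybersecurity team, ...)."""
    name: str
    risks: list = field(default_factory=list)

    def add(self, risk: Risk) -> Risk:
        risk.owner = self.name
        self.risks.append(risk)
        return risk

    def counts(self) -> Counter:
        """How many low / moderate / high entries this team is tracking."""
        return Counter(r.level for r in self.risks)


def enterprise_dashboard(registries, min_level="moderate"):
    """Union of all registries, highest level first, dropping anything below min_level
    so leadership sees the most important risks at the top."""
    threshold = LEVEL_RANK[min_level]
    rolled_up = [r for reg in registries for r in reg.risks
                 if LEVEL_RANK[r.level] >= threshold]
    # sorted() is stable, so risks of equal level keep their registry order.
    return sorted(rolled_up, key=lambda r: LEVEL_RANK[r.level], reverse=True)


def accepted_high_risks(registries):
    """High risks whose recorded decision is simply to accept them: the entries that
    should go back up to leadership in the feedback loop."""
    return [r for reg in registries for r in reg.risks
            if r.level == "high" and r.treatment == "accept"]


def build_sample_registries():
    """Constructed sample data mirroring the article's server-team / cyber-team example."""
    servers = Registry("server team")
    servers.add(Risk("Legacy OS on file server pending upgrade", "moderate", "mitigate"))
    servers.add(Risk("Backup job overruns maintenance window", "low", "accept"))
    cyber = Registry("cybersecurity team")
    cyber.add(Risk("Unpatched internet-facing web application", "high", "mitigate"))
    cyber.add(Risk("Recurring IDS alerts from a lab subnet", "low", "accept"))
    cyber.add(Risk("Vendor remote access with shared credentials", "high", "accept"))
    return [servers, cyber]


if __name__ == "__main__":
    regs = build_sample_registries()
    for r in enterprise_dashboard(regs):
        print(f"{r.level:<9} {r.owner:<20} {r.title} -> {r.treatment}")
    print({reg.name: dict(reg.counts()) for reg in regs})
```

Lowering `min_level` to `"low"` gives the full picture for a team-level review, while the default keeps the enterprise view short; `accepted_high_risks` is the list that prompts the "push it back up" conversation the next section describes.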
Dealing with risk
How we deal with these risks, however, needs to be discussed throughout the enterprise. Without the assistance of executive leadership, we may not be able to mitigate the risks appropriately.
In many cases risks are already being discussed; it is, however, our responsibility to educate our executive leadership about what the risk means. Can they understand the specifics of a vulnerability? With enough training, sure, but that is not their responsibility. We must learn to translate this lingo into meaningful conversations to come to a common understanding of what risk means to the business.
This cannot be a one-way conversation, however. If it turns out that the intended way of handling risk is not going to work, this information needs to be pushed back up to the top. A continuous feedback loop for discussing risk should also be made available to better understand the options of what can and cannot be accomplished. It is at this point that a risk-based decision can be made.
The establishment of an ERM program should be discussed from the top down. To better prepare the organization, there should be conversations around building a risk registry dashboard and how to handle risk once it is presented. Continue to have these discussions at regular intervals to stay up to date on the latest IT and cyber risks that impact your organization.