There's a Framework That Can Help Your Business Hoist Its Sails

By Jane Couchman, Chief Risk Officer, Aware Super

Enterprise risk management (ERM) has the potential to be a complex, feared document that is only consulted in theory and in some instances can send your peers and colleagues jumping for cover.

That certainly was the story of the past. But now thanks to emerging technology and more sophisticated organisational thinking, ERM is increasingly being viewed as a critical element to support and transform an organisation, provide an essential early warning beacon, and be a critical enabler for success.

A framework is not a document

ERM is a key support for organisations when establishing a consistent way of doing things. Some businesses still believe that a framework is just a document, but it’s not: it’s the people, processes and systems, including technology, that are put in place to manage both compliance and risk. It’s the entire package.

Understanding your appetite for risk

Compliance is about the laws that regulate your industry. Risk, though, is not prescribed by law and includes regulatory, operational, executional, and strategic considerations. When building a framework, understanding your business’ appetite for risk, identifying past trends and anticipating opportunities is the key.

In the case of superannuation, we consider things like our tolerance for operational errors and losses to ensure we have appropriate controls and protections in place to safeguard our members’ funds for retirement. On the other hand, how much strategic risk are we willing to take on to try to achieve strong investment returns for members? It’s about identifying and documenting the many risks we have or could have in our organisation and setting tolerance thresholds for each.

This risk capability needs to be embedded into an organisation’s DNA. An effective risk culture is one that is operating in accordance with its tolerance for risk, but compliantly; it’s maximising opportunities for growth while avoiding any negative impact on members or clients as well as regulatory fines or sanctions.

You want your business to make bold decisions, but to know the boundaries in which they are making these decisions.

Data is driving development

Many of the rapid changes in ERM are coming from technology and its capacity to help accurately collect data, match and analyse it to identify current risks, blind spots and trends, as well as opportunities.

How can you get the best data possible and link it across departments to help set up early warnings about emerging exposures? How can you find out about an opportunity or positive trend early enough to make a difference?

The first step is to create well-thought-out business procedures that lead to insightful information. Giving the business a whole raft of confusing obligations is a common mistake.

You need to translate the sophisticated but often complex legislation, language and thinking that underpins ERM into simple tools that the business can use in the everyday. Putting them into a digestible format that can be operationalized is critical.

Examples of this are providing appropriate guidance or, in the case of technology, creating easy-to-use dashboards that help a team collect the accurate and useful information they need to support their planning and strategic execution.

When it comes to technology, you need to make sure you’re automating as much of the process as you can, so you can then leave your teams to understand the links between the data and make good judgements.

Artificial intelligence (AI) is increasingly being adopted to help pick up patterns and emerging issues, allowing teams to proactively identify and respond to a risk before it becomes an issue. This is in some ways the secret sauce for ERM’s emerging role in an organisation.

Rather than being seen as a handbrake to growth and development, by leveraging the incredible data insights and technological advancements, ERM becomes a critical enabler for business success.

While technology will continue to play a critical role in these advancements, people will always be needed in ERM because there will always be a need for judgement and perspective.

Advise, Challenge, Assure

With your business making bold decisions in line with set parameters that are underpinned by strong evidence and analysis, the second step in the ERM process is to offer a second opinion. ‘Have you thought about this? Is that enough?’

The pattern is: advise, challenge and assure. When done well, ERM is integrated into all facets of the business, acting as an enabler, a support, a sense check and a buoy. It can help steer your organisation to calmer waters and then help hoist its sails.
