Fri, Aug 22, 2008 9:43 EDT
Posted by: Gordon Burnes in Best Practices Topic: Applications
David Letterman is not likely any time soon to titillate broadcast viewers with a top 10 list detailing the most common misunderstandings about enterprise risk management (ERM). But that doesn’t mean there’s no audience for a rundown on the Top 10 Myths about ERM.
Few companies can grow without taking risks. But poor risk management leads to surprises in business operations that can erode shareholder confidence, invite regulatory scrutiny and hurt the bottom line. An unprecedented wave of regulation in recent years has shown many organizations just how inadequate their risk management policies and procedures really are.
Many of the world’s largest companies have responded to external and internal pressures by embarking on a journey to unify governance, risk and compliance (GRC) management across the enterprise. Yet many organizations that lack a historical foundation in risk management are still struggling to come to grips with this new discipline and with how to embed risk management in the business. So with that in mind, let’s take a Letterman-like look at the top 10 myths about ERM and how they can affect your business.
Myth Number 10: IT Risk Management = Information Security
Most information security programs place far too much emphasis on the how and the what, and far too little on the why. Information risk management, by contrast, is inherently focused on the why.
Unfortunately, there is always far more for IT staff to do than time to do it. There are too many vulnerabilities to remediate and too many controls to implement, so some critical deficiencies will inevitably go unmanaged. True risk management brings a business perspective to these deficiencies so that the issues that actually threaten the organization are the ones prioritized: a moderate flaw on the system that processes customer payments can matter more than a severe one on an isolated test box. A checklist approach to information security ignores business impact and criticality.
Myth Number Nine: CIOs Embraced Enterprise GRC
To address Sarbanes-Oxley (SOX) compliance, many companies put in place technology platforms that now support a variety of risk and compliance initiatives. SOX solutions were generally purchased with the tacit approval of IT, but few IT organizations standardized on a strategy for managing risk and compliance data; as a result, different parts of the problem are addressed by a wide and disparate range of solutions, including spreadsheets and custom and commercial applications.
In numerous buying decisions, IT is too often at the table in a support role rather than as a strategic thinker focused on the long-term benefits of a common GRC platform. Scattered risk and compliance data marts will cause an immense amount of pain for risk managers trying to get a clear picture of risk throughout the business.
Myth Number Eight: A Rigid, Standardized Approach is Best
ERM, like most business processes, is not a one-size-fits-all solution. It has to be customized and tailored for each firm. As Mark Olson of the Federal Reserve notes, “An effective enterprise-wide compliance-risk management program is flexible to respond to change and it is tailored to an organization's corporate strategies, business activities and external environment.” (April 10, 2006)
Companies that try to implement an out-of-the-box methodology will likely fail. ERM methodologies and taxonomies must be adapted to a company’s legal, regulatory, economic and competitive environment, all of which can vary dramatically by industry. Further, the risk framework must be able to adapt to change over time, or the company will lose competitive advantage.
Myth Number Seven: You Can Only Manage Risk from the Center
No one is likely to argue that strong, central risk management is a bad thing. Unfortunately, many organizations make the mistake of investing only in a centralized function because it’s too difficult to federate, and they don’t know how to push risk management to
I agree that you can't manage risks with spreadsheets, but I don't agree that you can manage them better with even more expensive and complicated software. The risk management process's main challenge is:
- you have to dare to be honest
- you have to do it regularly
- your culture must allow for failure and uncertainty
If you have all of the above, a spreadsheet is actually a powerful tool and all you need, unless you need to write reports for the sake of writing. Which is not the best reason, but often a valid one.
I have seen so many self-imposed rules and reports at companies under the label SOX which have nothing in common with the SOX principles: don't buy software to produce dead trees.