Enterprise Risk Management as a Mitigation for Cyber-Aggression

In a connected world, multiple tools and tactics can be deployed to lower the risk of cyber-aggression disrupting business. There remains a residual risk that an attack, infiltration or unintended process failure can lead to loss of systems or data, privacy breaches and theft of IP, resulting in damage or even business failure.

Implementation of an Enterprise Risk and Assurance Management (ERAM) framework is recommended for all organisations. If used it is a wide and deep capability to reduce the likelihood and impact of cyber-aggression or process failure. In many cases the framework identifies an appetite for risk taking, in contrast to traditional risk avoidance. If utilised well a structured, phased approach can help to manage risk and protect value:

• Consistent and transparent use of risk and assurance tools streamlines enterprise risk and opportunity response i.e. moving from a ‘just do it’ and superficial risk assessment to knowledge sharing and acceptance of structured risk taking;
• Moving from a compliance model to better utilisation of cash and capital through consideration of both risk and opportunity spend i.e. using a risk appetite model to determine risk management value and spend.
  

---

Implementation of a comprehensive ERAM framework presents several challenges:

• Often Enterprise Risk and Assurance objectives are not aligned with corporate objectives. This challenge is deflected through the explicit linking of the Framework to strategy and policies.
• Senior management may not whole-heartedly support the implementation of Enterprise Risk and Assurance. This is addressed through an approval process by the executive and governance bodies and education steps in a structured implementation plan.
• The ERAM model itself may be inadequate. The use of peer review, senior and executive review and governance level approval puts the Resolution8 model to the test at each client site. The model is reviewed after the pilot phase of the implementation plan has concluded to ensure it remains fit for purpose.
• Inadequate tools for quantitative analysis and decision support can derail implementation. Risk assessment is a blend of qualitative and quantitative analysis. When supported by standardised business processes and performance measures there is a sound basis for risk and opportunity measurement. Resolution8 offers a skilled group of data and business analysts who can assist in this phase.
• A cultural mismatch, much like the challenges faced in a change management programme, can retain a silo type approach to ERAM implementation. Technology implementation and reliance means that the core competencies of Business Continuity Planning/Preparation (BCP) and technology Disaster Recovery (DR) solutions link directly to Enterprise Risk Management. Resoution8 has the expertise to introduce and implement both BCP and DR at appropriate scale for your organisation.

---

Why Enterprise – why not just Risk Management?
 
Enterprise risk and assurance management comprises:

• Aligning risk appetite and strategy through project, programme and BAU activity
• Enhancing risk response decisions – risk avoidance, reduction, sharing and acceptance
• Reducing operational surprises and losses
• Identifying and managing multiple concurrent risks
• Seizing opportunities
• Measuring and monitoring risk and assurance achievement
• Improving deployment of capital through appropriate technology decisions and protection through BCP and DR.

 
How does it work?
Implementing Enterprise Risk and Assurance Management is a five step programme and, unlike other enterprise-wide initiatives, business units can be at differing stages of achievement of the plan. The Resolution8 model distinguishes phases which are flexible enough to take into account the varying stages of evolution of ERAM across the business.
 
The five standard steps of a continuously improving Enterprise Risk and Assurance Management programme are:

• An ‘as is’ analysis
• Establish the value proposition
• Develop the ERAM model or framework
• Pilot the framework
• Review/revise/roadmap

 
If you would like to know more, or even have a current concern which needs support, get in touch: [email protected]

---