What is Enterprise Risk Management and how does it impact IT?
Enterprise Risk Management (ERM) is an ongoing process that seeks to identify the potential risks that can affect a business, in order to prevent them or reduce their impact. It may sound similar to traditional risk management, but it goes further: it brings the whole of the enterprise together during its assessment processes. Because it is meant to be an integral part of all decision-making, it can also influence business strategy and future behavior.
Traditional risk management methods address each risk separately, which is adequate for coping with them in a limited way. ERM, however, views each risk in conjunction with all the other risks that could affect the organization as a whole, which allows connections between them to appear and trends to be spotted. When this view is combined with the processes that ERM creates to prevent or reduce the overall effect of risks, a company is better protected and can take advantage of the improved business strategies that come out of the assessment.
A common misconception is that ERM is focused only on the strategic risks affecting a company. In fact, it monitors and assesses any sort of risk, including reporting, compliance and operational risks. It views them from an enterprise-wide perspective, which has the benefit of integrating them all so that they can inform business and strategic decisions.
The Ideal Outcome of ERM
The ultimate purpose of ERM is to identify, and assess the response required to prevent, as many of the critical risks that could hamper the success of a company as possible. Aligning risk with the business strategies the organization is aiming for allows for speed both when reacting to problems and when creating solutions. Combining risk management across departments improves communication, which allows better planning for coping with those risks. As a result, organizations can manage their financial and human resources more efficiently and effectively.
ERM benefits different industries in different ways.
How ERM Benefits Healthcare
Traditional risk management would treat patient safety and the reduction of medical errors as important aspects of day-to-day planning. Because these are specific and limited scenarios, it is possible to prepare for the risks associated with them, and even for healthcare providers to insure themselves against loss in the event of issues with either. A well-run ERM process would go further than this and help the healthcare provider predict its next steps, particularly with regard to remaining competitive while also maintaining financial viability.
HIPAA has come a long way in protecting healthcare providers who conform to its standards, but compliance is an aspect of ERM that is often overlooked from an enterprise-wide perspective. Simply complying with the requirements within each part of a company may not be enough. A comprehensive view, however, can take a specific risk out of the hands of separate departments and create a plan of action that goes beyond individual compliance requirements.
To make the enterprise-wide view easier to handle for healthcare institutions, HITRUST (the Health Information Trust Alliance) has created the Common Security Framework (CSF). This covers a number of common standards such as HIPAA, but also incorporates ISO, PCI and NIST requirements, in order to make compliance easier and allow businesses to be better protected as a whole.
How ERM Affects IT
IT companies will also benefit from an ERM view rather than a restricted traditional one. Cybercrime is increasingly a routine fact of life for large companies, and IT businesses in particular need to be aware of their vulnerabilities and of how their data and systems can be protected.
Most large organizations employ a security operations center (SOC), which needs to be proactive in order to protect the systems it manages. Taking an ERM view of the problems it faces means the SOC can actively prepare for the effect any perceived risk will have, be aware of any vulnerabilities, and know the threat such a risk poses to the organization. Once these are established, it becomes easier to prevent such a problem or, if that is impossible, at least to build a thorough disaster recovery plan to restore systems and data as quickly as possible.
For ERM to be successful, it needs to be an ongoing process that involves everyone in a company, from its executives and directors downwards. Every part of the organization matters, because risks can occur anywhere. It is therefore imperative that all departments and activities within the company are included in the assessment.
From the first steps of identifying potential problems to the final monitoring and the constant adjustments needed to refine the risk management process, a successful implementation of ERM will allow organizations to satisfy their objectives, achieve their goals and add value to the business.