Are you on board with enterprise risk management? You had better be. It's the future of how businesses will be run.
What would you do if, two months after your company went public, one of the two major markets you sell products to simply vanished? If, in the span of seven days, $500 million in sales just disappeared?
Would you throw your hands up and say, No one could have foreseen the events of 9/11, and then just stand by as the company tore off a half-dozen bad quarters? Would you just absorb the discomfiting cuts to your budget and your staff, and eschew any strategic plans you had set up to help the business grow, because, well, no one could have been prepared for such a catastrophe?
ERM is hard work. Not to sound too much like the last GOP campaign who had a similar sound bite, "We are workin hard", but Enterprise Risk Management is a culture shift and also one found in an old project managers tool kit called "Change Management".
So Why Now?
Just why ERM is important now is complex, but the reasons include IT as a primary risk to operations.
First, several macro-trends have accrued to expose operational risks to the business from IT that in the past were blissfully ignored. Start with Y2K - the realization that IT systems we depended on were vulnerable. Then came 9/11 and the (literally) thousands of risks to businesses that it exposed. Computer viruses have continually interrupted work, illuminating the risks of using bad software. More recently, the risks to a corporation's reputation have announced themselves in the form of massive thefts of personal data. There is, of course, terrorism, political unrest, war and weather, among other global risks to consider.
The reason these risks are suddenly being accounted for is because the systems are becoming ever more critical. Today, one bad IT decision can severely hamper - or even take down - a company.
The second factor driving ERM now is the regulatory environment, along with efforts within some industries to protect companies from the volatile global business environment.
For example, the Basel II Accord, an effort spearheaded by the Group of 10 countries' leading financial services stakeholders, dictates that by year-end 2006, a financial services company must carry a predetermined amount of capital to offset the level of risk found in the company, as determined by guidelines in the Accord. Unlike the first version of this regulation from 1988, Basel II addresses not just capital risk, but also operational risk, including the risks IT systems create for the company. In other words, it mandates some form of enterprise risk management.
Likewise, the Treadway Commission's Committee on Sponsoring Organizations (COSO), a voluntary private-sector organization formed in 1985 to combat fraudulent financial reporting, produced an enterprise risk management framework. The Information Systems Audit and Control Association (Isaca) developed Cobit (the Control Objective for Information and related Technology), a document that also lays out how to set up an enterprise risk management framework. Both are efforts designed to jump-start the use of ERM in corporations.
Of course, there's Sarbanes-Oxley too. While not the engine driving ERM, Sarbox might be the spark plug. CEOs, after all, don't want to go to gaol. Says David Weymouth, CIO of Barclays, the UK-based financial services company: "We've spent something like £136 million on a regulatory program. Non-compliance is a huge risk we need to manage."
The bottom line is this. Operational Risk is old and it is new. It is not something to be ignored and underfunded. It's constantly changing and requires exceptional people, processes, systems and technology to make it work.