Companies today are confronted by multiple threats. Risk threatens entire enterprises, not just individual business units, programs or processes, and the variety of challenges is far more complicated than what companies previously faced. To respond effectively, organizations need an integrated view of how to identify and manage their significant risks. By implementing Enterprise Risk Management (ERM), organizations can achieve this and improve value creation.
With the wave of corporate scandals that rocked the business world at the turn of the century, the concept of enterprise risk management has gained immense importance.
Organizations are structuring Enterprise Risk Management (ERM) to identify and manage risks to the organization. The goal is to understand and manage threats alongside risks associated with new business opportunities. Corporate disasters, market and economic pressures, and increased regulatory oversight are requiring that organizations manage risk and compliance. Where risk ignorance was once the norm, now organizations are driving toward a state of risk awareness.
The complexity of today's business environment, where organizations depend not only on their internal IT and processes but also on those of multiple business partners, means that organizations face a plethora of interdependent IT risks. Increased liability and regulatory oversight of organizations' information handling mean that companies are obligated to take a more structured approach to IT risk management.
So far, IT has played a largely reactive role in ERM, a role focused on responding to IT risk and meeting IT compliance requirements. But IT is morphing into a central role that facilitates ERM, automating risk management and measurement processes.
In the future, many large globally-integrated enterprises may also benefit from implementing a centrally or optimally managed enterprise risk center (ERC). An ERC combines all of an organization's relevant risk and control operational functions into a single operations center that provides greater risk visibility across the enterprise. Using segregation of duties and organizational reporting lines to avoid potential independence issues, the idea is to place an organization's legacy operational risk functions, such as the ERM function, the network operations center, the security operations center, physical security monitoring, financial operations, and the customer service or call center functions, into one business unit and enable them with technology.
A fundamental goal of adopting new technology should be improvements in efficiency and risk awareness across an enterprise; the application of a widely accepted “risk language” within governance, operations, and financial process areas; and the alignment of objective setting, risk management, and organizational control capabilities. This fundamental goal should, therefore, drive the development of each organization’s ongoing ERM capabilities.