In June of 2003, we ran a long article about organizational structures. We titled it "All Over the Map," which pretty much tells you what we concluded about how security was handled at the time: a bit like a ship with no home port, passing from executive to executive. The article had examples of security variously reporting to Human Resources, Facilities, Operations, Legal, and IT. Responsibility without authority was a theme.
However, the fourth page of that article had the following prominent quote from security veteran Ed Telders: "Our job is risk management. The only difference [between types of security] is the tool kit."
Eight years later, I think we might look at that quote in the rearview mirror and realize that this essential truth would eventually lead us to where we are today. Enterprise risk management doesn't look like a fad to me. It looks like home port.
In "Risk's rewards: Organizational models for ERM," contributor Constantine von Hoffman examines how this function has been pulled together at three different, forward-thinking organizations. You can also see sample organizational charts for ERM and operational risk, based on multiple real-world examples. And read the point of view on risk management from the CFO-turned-COO at Providence Health.
To me, von Hoffman's report is the long-awaited sequel to "All Over the Map."
Today, enterprise risk management can be a full-blown department or a process executed by a loose confederation of teammates. The head of the function might be a CRO or the CFO. Some reporting relationships might be solid lines, some dotted lines, some matrixed. I'd argue that the specifics depend on the type of business you're in and what types of risk are most prevalent in your industry. Because that's the point: You do ERM to make smarter business decisions.
What happened between "All Over the Map" and now? A lot, of course. Social media. APTs (you know: advanced persistent terminology). Physical security information management (PSIM) and video surveillance as a service. Stuxnet. Convergence of various sorts. A near-death experience for the U.S. banking and financial system. I don't think you can point to one particular change or threat or cultural trend as the spark that's making ERM go. It's the rate of change. The sheer number of changes. Security can't be reactive because it's impossible to react quickly enough to constant change. So ERM is an effort to build a resilient, process-oriented, forward-looking organization.
Will there be problems and challenges in ERM efforts? Of course. But I think they'll be worth the effort.
What do you think?