Organizations today face greater threats than ever before from identity
thieves, hackers, terrorists, and other criminal groups, as well as from
corrupt employees, competitors, vendors, and customers. The consequences
of a single incident can erode market cap and stakeholder support and lead
to criminal prosecutions, regulatory actions, and civil litigation. All
of these, in turn, can derail an organization's strategy.
Although all organizations practice some form of risk management, few do it effectively.

- Good managers assess and respond to risk intuitively but informally, and they often lack the perspective to assess how their own risks might affect the entire
- Risk is addressed broadly during strategic planning, but the attention to risk rarely survives the strategic planning process.
- The risk management efforts that are in place are generally housed within silos that do not coordinate with each other to identify cross-enterprise risks and develop the integrated measures necessary to mitigate them.
- Having some risk mitigation measures in place leads to a false sense of security that the organization is well-defended. Many organizations, for example, unduly rely on their regulatory-compliance programs to protect them, when, in fact, the regulatory schemes were adopted to protect others.
- Lacking systems to identify and manage risk, the board and senior management are left blind to serious risks that threaten the organization's success.
To address these challenges, forward-thinking organizations are turning to Enterprise Risk Management (ERM). ERM, at its most essential level, provides a methodical framework for identifying and managing the broad range of potential events that can derail an organization's strategy. It does this by:

- Linking organizational objectives with the risks that threaten them;
- Linking risk-mitigation measures with the specific risks they are designed to mitigate.

Along the way, ERM helps establish an organizational culture of integrity, accountability, and competence, and creates a meaningful opportunity for the board and senior management to monitor the organization's risk-mitigation
assists boards of directors, senior management and chief risk officers in managing risk by:

- Assessing the effectiveness of their organization's present risk-management program.
- Assisting them in developing and implementing ERM programs.
- Assisting them in selecting and configuring ERM software tools.
- Training business-unit managers in ERM.
- Keeping them abreast of best practices in risk management.
- Providing outsourced Internal Audit services and conducting internal investigations.
- Developing regulatory-compliance programs in Sarbanes-Oxley, HIPAA, the USA Patriot Act, the Federal Sentencing Guidelines, and other regulatory schemes, including customer-imposed