Value of Enterprise-wide Risk Management: argument against maintaining the status quo

Today's post is based on several things colliding at the same time for me: discussions with friends, colleagues and some Twitter banter.

Everywhere I've been, risk management is broken into discrete units and managed individually, ostensibly because of its complexity, on the assumption that what each unit already has is enough. Even Enterprise Architecture frameworks skip over how risk management is to be engaged and offer little to no support in understanding the holistic picture.

Despite organisations arguing that they don't believe enterprise risk management (ERM) is necessary, or that the existing static, compliance-based tools and techniques they employ are sufficient, there is a place for ERM. Assuming that the nature of the business will stay the same, that as-good-as-it-gets is good enough, is an arrogant disregard for the fact that environments change. There will always be a requirement to navigate risk in business, as to avoid risk is to avoid success.

  • How do you navigate risk in your business?
  • Do you use a spreadsheet compiled from compliance questions?
  • How about a pre-canned register provided by a consulting company?
  • Is risk management handled at a project or programme level without higher level visibility within the organisation?
  • Is there a single, unified view of risk management?

Disregarding risks that may destroy value risks destroying the business; this is what static, disaggregated risk management techniques can cause. ERM, that is looking holistically at the organisation, provides a structured and disciplined process that aligns strategy, process, people and technology in order to maximise the desired outcomes and minimise the undesirable ones.

A holistic ERM approach allows the identification of various types of risk, providing the necessary visibility to the business. This visibility gives the business the ability to apply a measured and complete approach to the remediation or mitigation of risks, through tools and techniques, as well as identifying emergent risks to the organisation. As an example, a change in one area of the business' policy due to a legislative change may have further implications elsewhere; handled in isolation, it would never allow the business to be proactive about them.

Focusing on a single component of risk, such as buying insurance as a loss reduction technique for operational and financial risk, neglects the other risk types (technical, operational, financial, commercial, or project/time-based) and has the same effect as a siloed business risk management model.

So what?

“So what” you say, “that sounds great, but my approach to risk is perfectly fine for what I need!”. To this I call bull$hit! If you think that you can't improve, you're either lazy or have one amazing model, and I'd love to hear from you. In EVERY SINGLE organisation I've ever dealt with, there have been issues with how risk is treated; people making decisions in isolation and not understanding the wider repercussions of them. Being too risk averse is an easy one: blocking because you don't have another view, which causes stagnation and a slow death of the business by a thousand cuts. Another is putting an appropriate mitigation in place for a risk without telling the others who need to know about it. This is the same for a lot of business (and personal) decisions: if you don't know about it, how can you account for it?

Step back and look at the Enterprise as a whole. Now find a framework, tool, napkin drawing, whatever, that can help you make sense of the overall environment and the opportunities and risks therein. Using an established and robust framework like SABSA in conjunction with ISO 31000 can arm the business with the tools and processes to cover all areas of its operation, and help identify the alternate futures, through risk, and how they can be influenced to the benefit of the business. Compliance frameworks for the sake of compliance are not what I'm talking about either; in my view these exist to deal with deficiencies in ERM.

The diversity and capability of the available tools should be understood to aid selecting the right one for your situation, but there are so many to choose from that it can be daunting, and everyone, even me, has strong views on what should be used. I'm personally a big advocate for SABSA and, as a disclaimer, I'm also one of the working-group leads for the SABSA Security Services Catalogue. SABSA provides a process, a management framework and a model, along with tools to help identify, assess and track risks, assisting the business to get the most from an ERM process.

To get started, and build a holistic view of the enterprise, I suggest the SABSA interview technique, the business attributes model and the concept of traceability. These will get you a long way towards uncovering what the key stakeholders care about within the business and how you can go about measuring it. These tools, combined with robust techniques of quantitative and qualitative risk assessment and management (insert your choice of control management approach or framework), assist in determining the likelihood that a given event will occur and what it would cost.

Common Language

As is the goal of any business function, having a common set of attributes to describe the business and what it needs is a great way to start building a uniform view. An overview of the SABSA business attributes can be found here, though the full detail is available in Enterprise Security Architecture. Picking any common language and sticking to it will have a huge impact on establishing a uniform view of Enterprise Risk.

Understanding the needs of Stakeholders

Making sure that you know what people care about in delivering the products and/or services your organisation brings to market is important. There are many and varied stakeholders, starting at the CEO and working around and down through finance, legal, procurement, HR and delivery teams. Mapping the business to understand the components that underpin its products and services will help this navigation. Finding out what their constraints and concerns are is important in getting a holistic understanding. That sounds like a throwaway comment, but in reality it truly comes down to finding out what they care about and any preconceptions they may have, and it gives you a deeper understanding of the organisation. The SABSA interview technique, a systematic process of interviewing, disassembling the content and playing it back in the context of the business attributes to gain clarity, is a great tool. Using the interview tool in this way sets up the ability to trace the reason for decisions, or even to generate requirements. There are numerous resources out there for conducting interviews, like this, that can be used to help you.


For anyone who has done requirements management before, being able to trace solution elements to requirements, and the reasons for any concessions, is important. It is almost impossible to keep all the requirements of a complex system in your head. I've been told that about 1000 requirements is the maximum for any one person; in reality it is more like 200-300 in a fast-moving environment, and fewer when the pressure gets turned up. So how can you keep all the risks for an entire organisation, the reasons they ARE risks, and their treatments with timings in your head, let alone communicate them succinctly? Mapping stakeholder needs and concerns to perceived risks (and opportunities) and on to business drivers creates a bi-directional traceability matrix. Building traceability from business drivers through to the eventual control allows you to trace back through the organisation when you need to understand why a decision was made, who made it, and what the options at the time could have been, including how the outcome should be measured.


This approach makes it easier to communicate why a decision was made for a control, risk mitigation technique or requirement, in the context of the business' needs (or drivers), be they people, processes or tools.

This traceability model also includes a viability capability, by ensuring there is a feedback/monitoring loop whenever a new requirement arrives that the business needs to review. None of this can be done in isolation: it needs to be part of a larger, facilitated governance programme that includes the key stakeholders (as interviewed above), is sponsored from the top, and has buy-in from the people involved.
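To make the traceability matrix concrete, here is an added example in Python. It is not code from the original post or from SABSA's own materials; the chain of layers (driver, attribute, risk, control), the class and method names, and the toy dataset are all constructed for illustration. It shows the two queries the text cares about, tracing a control back up to the business drivers that justify it (with the recorded rationale and decision owner) and tracing a driver down to the controls that protect it, plus the two gap checks a practitioner runs on such a matrix: drivers with no control behind them, and controls that no driver justifies.

```python
"""Bi-directional traceability matrix: driver -> attribute -> risk -> control.

Added example, not part of the original post or of SABSA's own tooling. Layer
names, node identifiers and the sample dataset below are constructed.
"""
from collections import defaultdict

# Ordered layers of the chain, from business driver down to control (assumed).
LAYERS = ("driver", "attribute", "risk", "control")


class TraceabilityMatrix:
    def __init__(self):
        self.nodes = {}                   # id -> (layer, description)
        self.forward = defaultdict(set)   # id -> ids one layer down
        self.backward = defaultdict(set)  # id -> ids one layer up
        self.rationale = {}               # (src, dst) -> (why, decided_by)

    def add(self, layer, node_id, description):
        if layer not in LAYERS:
            raise ValueError(f"unknown layer {layer!r}")
        self.nodes[node_id] = (layer, description)

    def link(self, src, dst, rationale, decided_by):
        # Only adjacent layers may be linked, so a control can never be
        # justified without passing through a risk and an attribute.
        src_layer = LAYERS.index(self.nodes[src][0])
        dst_layer = LAYERS.index(self.nodes[dst][0])
        if dst_layer != src_layer + 1:
            raise ValueError(f"{src} ({LAYERS[src_layer]}) may not link to "
                             f"{dst} ({LAYERS[dst_layer]})")
        self.forward[src].add(dst)
        self.backward[dst].add(src)
        self.rationale[(src, dst)] = (rationale, decided_by)

    def _walk(self, start, edges):
        seen, stack = set(), [start]
        while stack:
            for nxt in edges.get(stack.pop(), ()):
                if nxt not in seen:
                    seen.add(nxt)
                    stack.append(nxt)
        return seen

    def trace_down(self, node_id):
        """Everything reachable below node_id (driver -> ... -> controls)."""
        return self._walk(node_id, self.forward)

    def trace_up(self, node_id):
        """Everything reachable above node_id (control -> ... -> drivers)."""
        return self._walk(node_id, self.backward)

    def uncovered_drivers(self):
        """Drivers no control traces back to: untreated (or unnoticed) risk."""
        return sorted(n for n, (layer, _) in self.nodes.items()
                      if layer == "driver" and not any(
                          self.nodes[x][0] == "control" for x in self.trace_down(n)))

    def orphan_controls(self):
        """Controls with no path to a driver: cost with no traceable justification."""
        return sorted(n for n, (layer, _) in self.nodes.items()
                      if layer == "control" and not any(
                          self.nodes[x][0] == "driver" for x in self.trace_up(n)))

    def why(self, node_id):
        """Playback for a stakeholder: every link back to the drivers, with rationale and owner."""
        lines = []
        for up in sorted(self.backward.get(node_id, ())):
            reason, who = self.rationale[(up, node_id)]
            lines.append(f"{node_id} <- {up}: {reason} (decided by {who})")
            lines.extend(self.why(up))
        return lines


def build_sample():
    """Constructed dataset: one well-traced chain, one uncovered driver, one orphan control."""
    m = TraceabilityMatrix()
    m.add("driver", "D1", "Retain customer trust")
    m.add("driver", "D2", "Meet payment card contractual obligations")
    m.add("driver", "D3", "Enter a new regional market")        # nothing traces to it
    m.add("attribute", "A1", "Confidential")
    m.add("attribute", "A2", "Compliant")
    m.add("risk", "R1", "Customer records disclosed")
    m.add("risk", "R2", "Audit failure leads to fines")
    m.add("control", "C1", "Encrypt customer database at rest")
    m.add("control", "C2", "Quarterly privileged access review")
    m.add("control", "C3", "Legacy IDS appliance in the DMZ")   # nobody can say why
    m.link("D1", "A1", "customers expect their data kept private", "CEO interview")
    m.link("D2", "A2", "card scheme contract requires evidence of control", "CFO interview")
    m.link("A1", "R1", "disclosure breaks confidentiality", "risk workshop")
    m.link("A2", "R2", "missing evidence fails the audit", "risk workshop")
    m.link("R1", "C1", "reduces impact of storage compromise", "security architect")
    m.link("R2", "C2", "produces the audit evidence", "compliance lead")
    return m


if __name__ == "__main__":
    matrix = build_sample()
    print("\n".join(matrix.why("C1")))
    print("uncovered drivers:", matrix.uncovered_drivers())
    print("orphan controls:", matrix.orphan_controls())
```

The adjacency rule in `link` is the part worth keeping in a real implementation: it forces every control to be justified through a risk and a business attribute, which is what makes the later "why is this here?" playback possible. The two gap reports are the feedback loop the text asks for; run them whenever a new driver, risk or control is added.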


Through the use of ERM frameworks, processes and tools the business can gain the visibility necessary to identify the relevant control and treatment techniques. By having stakeholder engagement and buy-in, a common language, and traceability of decisions to business requirements, you will begin to get a holistic view of the Enterprise Risk landscape and build a functional ERM model.

These techniques and their application allow the business to challenge their assumptions and their normal operations, reducing the chance of failure.