Monday, April 26, 2010

Myths about Enterprise Risk Management in an IT environment

There are several persistent views on Enterprise Risk Management (ERM), especially in the IT area, that do not necessarily match the real environment. Many of them explain why ERM has not yet received recognition as a key function of a well-led company. In the following I present some of the most dominant myths and compare them to reality:
  • IT Risk is mainly IT Security. While some frameworks and publications by organizations like NIST focus nearly entirely on the security factor of IT risk management [1], a large part of IT risk management in an enterprise environment also deals with compliance, performance and availability issues. A study by Symantec showed that although security is a very important part of the risk management process, availability and compliance are more or nearly as important [2]. For instance, the IT Policy Compliance Group found that “firms spent an average of $100 per lost record in litigation, settlements, restoration, and improvements” [3].

    (Figure: Importance of IT security in ERM [2])

  • IT Risk is based only on science, and a quantitative model is enough to measure risks effectively. While a strong quantitative model is a keystone of good risk management practice, relying on these models alone can be devastating. A quantitative model is an abstract view of the real world. Some models oversimplify reality and cannot react to unforeseen disasters like the financial crisis. For instance, 49% of respondents to a survey were not satisfied with the Value-at-Risk performance measure during the financial downturn [4]. A strong quantitative model combined with knowledge of the business context is what is needed to manage risks effectively.
  • IT Risk can be managed through technology alone. Although many risks can be managed through technology, the most frequently cited root causes of IT risk stem from process issues (53%), environmental configuration (51%) and staff skills (41%) [2]. IT management frameworks like ITIL and COBIT, supported by technology systems, improve risk management far more than a technology-only solution.
In conclusion, there are many traditional beliefs about what Enterprise Risk Management is and how it is done. Most of those beliefs are true to some extent, but each grasps only a part of the whole field.


References:

[1] National Institute of Standards and Technology, “Guide for Applying the Risk Management Framework to Federal Information Systems”, Department of Commerce, February 2010
[2] Symantec, "IT Risk Management Report 2: Myths and Realities", http://eval.symantec.com/mktginfo/enterprise/other_resources/b-it_risk_management_report_2_01-2008_12818026.en-us.pdf
[3] IT Policy Compliance Group, "Why Compliance Pays: Reputation and Revenues at Risk", http://www.itpolicycompliance.com/research_reports/spend_management/read.asp?ID=10 (July, 2007)
[4] Corporate Executive Board Corp., "Six Risk Management Myths", http://www.scribd.com/doc/26301480/Six-Risk-Management-Myths