Intelligent Enterprise

September 18, 2001

Upside, Downside

As your business globalizes and depends more on outside forces, an enterprise approach to risk management will become increasingly important

By Chris J. Jensen

Most senior executives ply their trade in a swirl of conditions that can threaten their livelihood, that of employees, and the investments of shareholders. They must navigate conditions ranging from natural disasters that handicap business operations to opportunities lost due to the inability of current processes to execute and adapt to change. These conditions are examples of risks, which, if not managed correctly, can limit the business's ability to achieve its objectives.

EXECUTIVE SUMMARY

Managing risk is a core function for any global, data-centric organization, yet most companies approach that process in a piecemeal fashion. In this article, the author explains how managers have historically dealt with risk at different levels, argues the need for an enterprise approach to risk management, and defines an enterprise risk management architecture.

Consequently, in order to find smooth waters and take advantage of favorable winds, senior executives and other business leaders in intelligent enterprises need to develop and use a risk management "map" that identifies the perils, points to the safe passage, and charts the course that leads to shareholder value.

In this article, I will describe how management has historically addressed risk as well as explain the need for an architected, enterprise approach to risk management. Furthermore, I will recommend steps to implement the architecture, describe the roles needed to support it, and explain how to integrate risk management patterns with other enterprise architectures.

Traditional Approach

Historically, executive managers have viewed risk as a negative concept: something to be avoided. (As you'll see later, this perception is not necessarily correct.) They put controls into place to help minimize the chances for bad things to happen. Many public corporations now go so far as to include reports about internal controls in their annual reports, even though no regulators require them, just to show investors that risk management is a high priority.

The internal audit department usually has the task of supporting and monitoring compliance with internal control structures. Internal audit relies on the assumption that management recognizes its own responsibility for internal controls. Under this scenario, problems and threats are identified and managed in the normal course of business, not just when internal auditors identify them.

What is missing from this scenario, however, is that managers do not always understand risk beyond their own operations - the enterprise view of risk. They also often view risk in its negative connotation or as a conformance issue. Both internal audit and management often don't realize that simply avoiding risk can also inhibit the actions necessary to reap the benefits of available opportunities; without some risks, rewards would be limited. Thus, you must carefully evaluate this aspect of risk in order to attain a complete view of risk management.

For example, the traditional "silo" approach to operations management has caused some businesses to overlook enterprise risk for the sake of meeting their own objectives. In some businesses, marketing departments have rushed to establish an Internet presence, letting third-party providers establish Web sites and links to company information without considering the enterprise implications of customer privacy, information security, and business continuity. Usually, these situations are discovered when someone from enterprise systems or internal audit starts asking questions about the list of IP addresses registered to the company. This Internet presence is a risk - both an exposure and opportunity - and must be managed at an enterprise level, not by one department.

By 2003, more than 30 to 40 percent of Global 2000 companies deploying new technologies and entering new markets with e-products and services will have adopted a COBIT-like risk assessment and balanced risk/reward reporting process.

Source: "Risk Without Remorse," Meta Group, July 2000

According to the Committee of Sponsoring Organizations (COSO) of the Treadway Commission, a financial reporting consortium, internal controls are defined as a process; effected by an entity's board of directors, management, and other personnel; and designed to provide reasonable assurance regarding the achievement of objectives in the categories of effectiveness and efficiency of operations, reliability of financial reporting, and compliance with laws and regulations.

In addition, the Information Systems Audit and Control Association's Control Objectives for Information and Related Technology (COBIT) framework expands the COSO version to include internal control processes directly related to IT processes. COBIT adds IT requirements of quality, cost, and delivery along with security requirements of confidentiality, integrity, and availability.

These frameworks exist because of a business need to apply some construct to effectively manage risk, and the public accounting and internal audit professions have embraced them in their professional standards and principles. Here's the problem, however: Only business managers, not the accounting and internal audit teams, can implement these frameworks and make them a part of doing business. Until management takes an active, organized role in managing risk, it will continue to expose itself to nasty surprises. In essence, business and IT management need to cooperatively develop the risk architecture that COSO and COBIT call for in order to avoid surprises and pitfalls.

Risk Management and IT Architecture

There is an increased emphasis in IT on the importance of applying architecture disciplines to bring order to complex business and technology environments. Applying these architectures across the enterprise provides the most value to an organization. Within all data, application, business processes, and technology architectures are risks as well as opportunities. According to COSO and COBIT, well-defined architectures are a basis for a good internal control environment. Consequently, you should include enterprise risk management as a domain in the group of architectures known as enterprise architecture.

Controls are just one element of a well-designed system, process, or activity. To have effective controls, you must first identify, map, and understand the risks faced at the enterprise level. Applying controls without a documented understanding of the risk management and other enterprise architectures is like flying in the fog without instruments: you won't know there's a risk ahead until you run into it.

You can also understand the need for risk management architecture through a city planning metaphor. City planners need to know the risks to which a city is exposed and build controls to limit those risks or leverage opportunities. For example, cities exposed to the risk of hurricanes or earthquakes need special building codes and standards to provide reasonable assurance that the city won't crumble or blow away. At the same time, planners can take this risk as an opportunity to design adaptable structures that quickly change to the evolving needs of the city.

Enterprise Risk Management Defined

The term "risk management" is a common phrase. The definition most often relates to individual business processes such as investments, IT project management, worker safety, and insurance. But businesses face many other risks that span the enterprise and potentially affect every process and employee. These risks include exposure of company, customer, or employee confidential and private information to unauthorized access, as well as exposure of business processes to interruption and failure.

An enterprise view of risk management reveals the interdependencies between risk management architecture, traditional enterprise architectures, and levels of abstraction. (See Figure 1.) Note the presence of three dimensions instead of two; risk management architecture is best depicted "crossing over" and through all other architecture domains and levels of abstraction (such as data, application, process, and technology).

The elements involved derive from the COBIT and COSO frameworks. For example, COBIT uses the term quality to refer to the cost and delivery of IT-related objectives. Fiduciary requirements, as defined by COSO, comprise effectiveness and efficiency of operations, reliability of information, and compliance with laws and regulations. Security requirements as defined by COBIT include confidentiality and privacy, integrity, and availability of IT information and resources.

I've filled in some of the cells to demonstrate how the security portion of the risk management architecture affects and interacts with the other architecture domains. If any one of the architecture domains is weak, that weakest link can compromise enterprise security. For example, even if the security around private customer data is well designed, the data can still be compromised if the business process architecture does not account for privacy in its processes and procedures.

Organizational Value and Benefits

According to a 1999 study prepared by PricewaterhouseCoopers on behalf of the Financial and Management Accounting Committee of the International Federation of Accountants, "Enhancing Shareholder Wealth by Better Managing Business Risk," the importance of the relationship between risk management and shareholder value should not be underestimated.

The study reports that businesses can move toward increased shareholder value if they look to manage risk at the enterprise level. Figure 2 depicts a form of a maturity model showing the benefits of moving risk management beyond its traditional compliance and prevention focus. It demonstrates the progression from managing the risks with compliance and prevention (the "downside") through managing to minimize the risks of uncertainty in respect to operating performance and then moving to the higher maturity level of managing opportunity risks (the "upside").

A sophisticated approach to risk management based on this framework will help you better allocate capital to risk and risk management initiatives because you can more easily determine the impact on the enterprise. For example, before decision makers decide to pursue a business merger, they could look at their company's documented risk management architecture and consider the effect of bringing new data, applications, processes, and technology into their environment. Imagine if the company being acquired also had a documented risk management architecture. Understanding the impact of risk would help make a more complete cost-benefit analysis, limit downside surprises, maximize opportunities, and ease the pain associated with integrating two environments. Other benefits of this approach include giving management a better tool for risk assessment, measurement, and management reporting. It also affords some protection against executive liability and adverse publicity or attention from investors and other stakeholders. Business performance measurements such as the balanced scorecard are important for determining whether the risk management approach is being applied in a manner that adds the most value.
