So, What Is ERM?

A good rule of thumb in IT is that the number of definitions for a concept rises proportionately to the concept's buzz. ERM, for which we collected no fewer than a dozen definitions, is no exception. We'll use James Lam's definition.

Lam is an author and consultant who says he was the first chief risk officer at any company, a position that he pioneered at GE Capital. ERM, he says, is "the integrated management of business risk, financial risk, operational risk and risk transfer to maximize a firm's shareholder value". That is, making a company more profitable by creating a single view of all risks, internal and external, and an executive-level management strategy to deal with those risks.

Some principles underlying Lam's (or anyone's) definition of ERM include:

1. An integrated view of risk. IT, HR, finance and every other "silo" uses standardized language, metrics and tools. Many finance departments already have processes for managing risk, so it's possible that such standards will come from there. Meanwhile, Bill Sharon, CIO of advertising agency McCann Worldgroup, has borrowed heavily from a risk system developed by Nobel Prize-winning psychologists, as described in the book Against the Gods: The Remarkable Story of Risk, by Peter Bernstein.

2. A pan-corporate view of risk. ERM is not collecting each silo's risks to its own silo. It's collecting each silo's risks to each other and the company. When Sherry Higgins took a position at the FBI to lead its IT modernization effort, called Trilogy, one of her first acts was to install an enterprise risk framework. Almost immediately, she realized her first deadline was only four months out and unrealistic. "The risk to the project was obvious," Higgins says. "But I was looking at the risks to the FBI. What does that mean for intelligence analysts not getting these systems on time? When you go to [the US Congress] and deliver this news, what does that mean to funding for the FBI as a whole? The goal of ERM is to get at these risks that span stovepipes or fall between them."

3. A bottom-line view of risk. Risks always get expressed in terms of their potential impact on the business as a whole, not in terms of their impact on any given silo. When Higgins decided she needed to hire professional project managers for Trilogy, she had to sell FBI Director Robert Mueller on that. She didn't focus on the potential for the project to fail. She sold him by explaining that the FBI ran the risk of being unable to do its job.

4. A risk office's view of risk. In a growing number of companies, ERM is facilitated by an executive-level risk office that provides the expertise and resources you don't have the time or money to acquire. Many risk experts argue that if you don't have a risk office, you're not really doing ERM.

The CIO's role is the same as every other silo leader's role - to identify risks within the department and, by collaborating with leaders from other departments, to identify risks across business units. It is a support role to the risk office but a critical one. While most risk officers are fluent in financial risk, they are counting on you to identify operational risks related to IT.

5. A longitudinal view of risk. Risk is an ongoing behaviour, not a regularly scheduled process.

This stuff isn't new. Risk management hails from a lineage of related, proven practices. ERM's uncle is the quality management movement of the 70s, when manufacturers adopted quality standards that in turn led to better products. ERM's grandfather is Nobel Prize-winning game theory, a mathematical system for optimizing decisions in a competitive setting. Its principles govern risk methodologies today.

You've probably done a little bit of risk management at the project level. In a way, ERM is the same thing except, in this case, your company is the project. What is new about ERM is the breadth of its vision. ERM's idealistic goal - to unify risk management across an entire company - makes it a daunting undertaking (and so far, a rare one). George Westerman, a research scientist who is studying ERM in relation to information technology at MIT, says that in its current state, ERM reminds him of what someone once said about e-commerce in the 90s: It's like teenage sex. "Everyone wants to be doing it. Everyone thinks everybody else is doing it. Not many people are actually doing it, and no one is doing it particularly well."

"The topic is so big and scary," Westerman says, that people decide not to try. However, he adds, "It's so important to just get started."