So Why Now?

Just why ERM is important now is complex, but the reasons include IT as a primary risk to operations.

First, several macro-trends have accrued to expose operational risks to the business from IT that in the past were blissfully ignored. Start with Y2K - the realization that IT systems we depended on were vulnerable. Then came 9/11 and the (literally) thousands of risks to businesses that it exposed. Computer viruses have continually interrupted work, illuminating the risks of using bad software. More recently, the risks to a corporation's reputation have announced themselves in the form of massive thefts of personal data. There is, of course, terrorism, political unrest, war and weather, among other global risks to consider.

The reason these risks are suddenly being accounted for is because the systems are becoming ever more critical. Today, one bad IT decision can severely hamper - or even take down - a company.

The second factor driving ERM now is the regulatory environment, along with efforts within some industries to protect companies from the volatile global business environment.

For example, the Basel II Accord, an effort spearheaded by the Group of 10 countries' leading financial services stakeholders, dictates that by year-end 2006, a financial services company must carry a predetermined amount of capital to offset the level of risk found in the company, as determined by guidelines in the Accord. Unlike the first version of this regulation from 1988, Basel II addresses not just capital risk, but also operational risk, including the risks IT systems create for the company. In other words, it mandates some form of enterprise risk management.

Likewise, the Treadway Commission's Committee on Sponsoring Organizations (COSO), a voluntary private-sector organization formed in 1985 to combat fraudulent financial reporting, produced an enterprise risk management framework. The Information Systems Audit and Control Association (Isaca) developed Cobit (the Control Objective for Information and related Technology), a document that also lays out how to set up an enterprise risk management framework. Both are efforts designed to jump-start the use of ERM in corporations.

Of course, there's Sarbanes-Oxley too. While not the engine driving ERM, Sarbox might be the spark plug. CEOs, after all, don't want to go to gaol. Says David Weymouth, CIO of Barclays, the UK-based financial services company: "We've spent something like £136 million on a regulatory program. Non-compliance is a huge risk we need to manage."

McCann CIO Sharon says that for him, Sarbox sounds eerily familiar and provides good evidence that the time is right for risk management. Sharon worked in the financial services industry during the US savings and loan scandal in the late 80s. To comply with a law aimed at cleaning up the financial sector, "We spent two years adopting risk [management] processes and doing backbreaking risk assessments. After a while people said: 'We have a business to run.'" Compliance became a by-product of larger risk assessment efforts. Similarly, Sharon predicts, ERM will make compliance with Sarbox a by-product of risk management, not the focus of it.

Finally, ERM is emerging now because of a growing body of evidence that it really works:

• Westerman at MIT has identified correlations between business-IT alignment and risk confidence. That is, the more confident a CIO was in his ability to manage his operational risk, the more aligned he said he was with the business.
  
  
• J Davidson Frame, academic dean of the University of Management and Technology, worked with a company that introduced risk management and then made business unit vice presidents sign off, Sarbanes-Oxley style, on the risks that IT projects presented to the business. Project success rates increased immediately. Perhaps more important, the number of project initiatives taken on by this company decreased by 25 percent in three months.

This finding demonstrates a key part of ERM's appeal, which is mentioned over and over again by CIOs and risk experts: ERM improves decision making by helping a company avoid costly failures from operations that prove too risky.

"Right now, we're moving premises," says Weymouth. With enterprise risk management, business units can factor that into their plans and report what risks moving creates. "Say the group doing a telephony project tells us that moving affects their ability to successfully complete their project. We can now factor that in and minimize the risk to the company by shifting resources, putting the project on hold. Whatever it takes. We're able to make a better decision than if these factors weren't considered."