But I Don't Have Time for This

The experts expect you to be hard-line resisters to enterprise risk management because you don't understand it. So we posed some of your potential reservations and let them counter those reservations with reasons why you need to get on board.

Reservation: I've got a full load already, and now you're asking me to start this massive new project.

Rebuttal: Yes, some groundwork needs to be laid. But, for the most part, becoming part of an ERM-driven company doesn't mean more work or some additional bureaucratic system to administer; rather it's a new way to approach your job. If you're doing ERM right, you're not really aware that you're doing it. Besong calls it "the new normal for us". Weymouth says: "I manage through risk."

The hard part, then, is shifting your focus from a technology-centric view to a risk-centric view. For that, you can find risk experts to carry you along. See the next reservation.

Reservation: I don't have the expertise to do this or the staff with the expertise to do this. And I don't have time to take a bunch of courses or read five books.

Rebuttal: This is precisely why risk officers are here. It's the job of a corporate risk expert, such as a chief risk officer, to provide whatever tools and education IT needs to get started, says Lam.

"People don't fend for themselves here," says Gemmer of Rockwell Collins. "I used to get 15 to 20 calls a year [internally] looking for help on risk. [Now] I'm getting up to two calls a week. They just know it's the right way to do things, and they want to do a good job with it."

A risk office, whether it's one person (as Higgins had at the FBI) or a whole staff, should provide a clearinghouse of risk resources so that you don't have to learn the minutiae of, say, Monte Carlo simulations. A risk office will also enforce the standards created around your risk assessment processes and be responsible for producing digestible reports about your risks that help the company make decisions. If your company doesn't have a risk officer, you can hire a consultant to help you get started. But even the consultant will eventually recommend that you hire your own staff expert who is steeped in your business.

Reservation: I'm already instituting governance mechanisms.

Rebuttal: Peter Weill, director of the Centre for Information Systems Research at MIT, has shown that good IT governance leads to more successful companies. ERM is a framework for better IT governance. "What IT and CIOs need to realize is ERM is an opportunity," says Larry Ponemon, chairman and founder of The Ponemon Institute. "It makes you more competitive. It helps you make better decisions. It makes you smarter."

Harvey Parr, a retired director with British Telecommunications (now the BT Group), remembers one IT project for a customer that looked like it was way too risky for his company to take on. "But we went through the risk process and found that the risks were controllable. Our competitors did not bid because they had the same inclination as us. So we bid on it and did it."

Reservation: Statistics!

Rebuttal: Don't be scared. Yes, companies fully immersed in risk will use a statistical approach to assessing it; probability and economic concepts, such as annual loss expectancy, are commonly applied tools. But the risk experts know enough about the numbers, and anyway, the numbers aren't as important as the qualitative analysis.

More than any other reservation, risk experts say CIOs will cite this one. It could be because IT is a profession that rewards precision, so the natural inclination of CIOs is to want to get their probability and impact statistics exactly right.

But risk - especially on the enterprise level - is not about precision. It's about accuracy. ERM isn't designed to scientifically predict terrorists using planes to attack buildings and harm the financial sector. It's designed to measure the likelihood and impact of a catastrophe on that scale, and what steps can be taken to mitigate that risk. "Look at the World Trade Centre," says Frame. "Tens of thousands of lives were probably saved because a risk assessment a long time ago suggested that the stairways were too narrow, and the design was altered to accommodate that risk. It's unlikely that the risk process involved the stairs being highly trafficked due to a terrorist attack, but it proved useful in a terrorist attack. It wasn't a precise prediction; it was an accurate assessment."