External Reviews of Your Risk Management Function? Yes Please.
In the increasingly interconnected world many organizations operate in, risks (the likelihood a threat will exploit a vulnerability to create an impact on the organization) are no longer single elements of concern. Just as the information technology (IT) components are interconnected, so are the risks. Over time, experts have identified IT risk management as a critical component of any modern organization (Smith & McKeen, 2009 and Weiss & Solomon, 2016). Let’s review this aspect of risk management and discuss the value created and diminished by having an external review of an organization’s risk management function.
Purpose of Risk Management
In today’s world, organizations face multiple types of risk. Examples where risk comes from include program management functions, financial complexities, legal issues, inventory and supply chain efforts, and cybersecurity challenges (National Institute of Standards and Technology, 2011). How an organization oversees each of these individual risks is the goal of the risk management function within that function. The risk management function:
“brings together the best collective judgments of individuals and groups within organizations responsible for strategic planning, oversight, management, and day-to-day operations — providing both the necessary and sufficient risk response measures to adequately protect the missions and business functions of those organizations” (National Institute of Standards and Technology, 2011, p. 1)
Enterprise risk management (ERM) is this collective management of risk. It looks at all risks viewed “together within a coordinated and strategic framework” (Nocco & Stulz, 2006, p. 8). The ERM function has become increasingly important considering what Meidell and Kaarbøe (2016) note as significant scandals and crises in both management and financial aspects of organizations.
Outside Reviews of the Risk Management Function
With the importance ERM plays in an organization, having an external or outside review of the ERM function is essential. Beasley et al. (2005) identify several areas organizations should examine in such a review; specifically, whether an organization has a designated chief risk officer (CRO), what level of independence does the organization’s board of directors possess, what level of support exists from management for the ERM efforts, etc.
Avoiding Blind Spots
A central benefit of having an external review of the ERM function is identifying blind spots (such as those mentioned by Beasley et al. (2016)) in how the organization deals with risks. Traditionally, organizations viewed risks in a stove-piped manner where organizational management did not have the information to understand risk holistically and its effect on the organization (Hopper, 2019). By having an audit or review of the ERM processes, organizations can ensure they integrate risks to provide that necessary level of risk management integration for decision makers.
Avoiding ‘Box Ticking’
With cybersecurity in particular, some see compliance with risk frameworks as ‘good enough.’ Practitioners call this ‘box ticking.’ However, box ticking is far from ideal in cybersecurity risk (or any risk). As Menear (2021) notes, compliance is not security; this is a truism across the cybersecurity industry as well. Unfortunately, surveys show the same level of understanding does not always exist in corporate boardrooms (Corner, 2017).
Of course, any effort with positive outcomes has potentially negative ones as well, and an external review of an ERM is no different. If the organization considers someone internal to the organization but external to the risk management function, e.g. internal audit, the costs of reviewing ERM involve having those resources not auditing some other critical function. Economists know this as opportunity cost. While some would argue organizations overestimate it, it is not non-zero (Weiss & Kivetz, 2019). If organizations use true external elements, such as one of the big four accounting and auditing firms, there are actual costs involved. However, these costs are growing: Cohn (2019) notes fees auditors charge continue to rise; from 2017 to 2018, that rate of increase was 4.25%.
Risks are interconnected just as today’s’ IT systems are. While there are costs associated with ensuring ERM aligns appropriately to needs of the organization, the benefits outweigh any downsides. An ERM review provides an opportunity to ensure they are not missing key risk indicators as well as not missing the forest of a true cybersecurity posture for the trees of compliance requirements. Organizations should externally review the ERM function for those reasons alone.
Beasley, M. S., Clune, R., & Hermanson, D. R. (2005). Enterprise risk management: An empirical analysis of factors associated with the extent of implementation. Journal of Accounting and Public Policy, 24(6), 521–531. https://doi.org/10.1016/j.jaccpubpol.2005.10.001
Cohn, M. (2020, January 15). Audit fees keep rising, thanks to new accounting standards. Accounting Today. Retrieved September 30, 2021, from https://www.accountingtoday.com/news/audit-fees-keep-rising-thanks-to-new-accounting-standards.
Corner, S. (2017, February 24). NZ businesses simply ‘ticking the boxes’ on cyber security. Computerworld. Retrieved September 30, 2021, from https://www.computerworld.com/article/3479645/nz-businesses-simply-ticking-the-boxes-on-cyber-security.html.
Hopper, G. (2019). The enterprise risk management function in financial institutions. Journal of Risk Management in Financial Institutions, 12(4), 328–341.
Meidell, A., & Kaarbøe, K. (2016). How the enterprise risk management function influences decision-making in the organization–a field study of a large, global oil and gas company. The British Accounting Review, 49(1), 39–55. https://doi.org/10.1016/j.bar.2016.10.005
Menear, R. (2021, May 6). CMM: Cybersecurity beyond compliance. ITProPortal. Retrieved September 30, 2021, from https://www.itproportal.com/features/cmm-cybersecurity-beyond-compliance/.
National Institute of Standards and Technology. (2011, March). Managing information security risk . Computer Security Resource Center. Retrieved September 28, 2021, from https://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-39.pdf.
Nocco, B. W., & Stulz, R. M. (2006). Enterprise risk management: theory and practice. Journal of Applied Corporate Finance, 18(4), 8–20.
Smith, H. A., & McKeen, J. D. (2009). Developments in practice XXXIII: A holistic approach to managing it-based risk. Communications of the Association for Information Systems, 25, 519–530. https://doi.org/10.17705/1cais.02541
Weiss, L., & Kivetz, R. (2019). Opportunity cost overestimation. Journal of Marketing Research, 56(3), 518–533. https://doi.org/10.1177/0022243718819474
Weiss, M. M., & Solomon, M. G. (2016). Auditing It infrastructures for compliance (2nd ed.). Jones and Bartlett Learning.