17 April, 2013

Enterprise risk management

Enterprise Risk Management is a growing movement. It started with United Educators, which formed when insurers stopped insuring higher ed. Risk management is a formal process (with some roots in Sarbanes-Oxley) that looks at risks and opportunities and aims to allocate resources more effectively. ERM is about the big risks that could compromise your overall strategic plan.

The first step, often coming from the board, was an awareness campaign around "ERM light" aimed at trustees. It has since moved from a 12-page pamphlet to a 100+ page booklet. Often led by the general counsel or CFO.

First identify risks, then assess them. Prioritize energies in terms of the gravity of each risk and its likelihood. Once you have that information, plan a response. Finally, continue to look for and evaluate new risks. The board of regents shouldn't need to deal with more than 10 of the top issues.

The traditional human and physical assets are finally being joined by digital assets that need to be considered.

What lessons learned?
At American University, the effort was started by trustees. They have narrowed the list down to about 12 risks that will likely go to the board. At Penn State, trustees also pushed ERM. The mission was to break down the silos and get a better handle on the risks facing the institution. The process was very valuable. They went to top leaders and interviewed each about what keeps them up at night: strategic, financial, operational and compliance risks. Leaders were grateful for the opportunity to talk about what was important to them. The visibility and the release for those leaders was liberating, and led to an outpouring of interest in mitigating the risks campus-wide. It's all about learning about "what you don't know that you don't know."

It doesn't hurt to borrow risks identified at other institutions, but always question sacred processes and traditions. I like Penn State's approach, though, because it fits better with the idea of building those relationships with campus leaders & increasing the shared ownership in the process.

What's the difference between enterprise IT risk management and enterprise risk management?
Both work hand in hand; they're not mutually exclusive, and the IT process feeds into the overall risk management. Risk management should be yet another rationale for IT to have a seat at the broader institutional table. As technology continues to evolve, there is less of an us/them element.

What is IT's role in overall ERM?
Building a relationship with the overall risk management team. Understand where the pain points are for IT. Find the common pain points and, critically, articulate the value and risks associated with IT risks. Four primary areas: Is IT strategy aligned with the overall strategy of the institution? Analytics are critical for being able to make data-driven decisions about risk and opportunity. Privacy, and how your values and culture are compliant with regulations. Finally, security - spend time before the breach instead of after the breach. Also consider training and awareness of IT services, risks and opportunities for the general institution. If users don't use the tools provided, or misuse the tools, that becomes a source of risk.

How to start a process if it doesn't exist?
Don't frame it as an IT issue; talk about how risk affects the institution overall. What is the reward that meeting the risk will deliver? It doesn't need to be called "ERM", but really focus on the benefits and risks. Find your way to the leadership, or possibly approach the general counsel or internal auditor and develop alliances. Get people talking about the process and develop recognition around needs.

Key points from ERM book:
Boards need to have a "noses in and fingers out" approach to ERM. The mission and the issues are different from the corporate world, and those differences need to be articulated to board members who may have a different set of experiences. Remember that it's a process of allocating resources more appropriately.

How to approach risks that are still pending?
Risk management needs to have a view into contracts for online services or tools. Cloud services can be especially difficult - cloud vendor terms can be especially onerous, and issues like export control need to be taken into account. Each user who clicks "I agree" on an EULA can present a risk to the institution. Be involved with procurement and with departments to ensure that there is a better understanding of the risks and issues that need to be considered.

Public institutions have more transparency, so their risks are much better known. Private and smaller institutions don't have the same resources to bring to bear. It's also important to remember that in higher ed, not everything is measurable or can be given a clear cost basis, because the product is educated students and contributions to society instead of discrete, purchased products. It's critical to be able to articulate the difference between higher ed and traditional business to board members.

The ERM process must have regular, long-term exposure to the president's/chancellor's executive council to be successful. It is very important to frame issues (IT or otherwise) in terms of the entire institution in order to get the appropriate scope and articulation of the issue. Also understand that getting the plan and the process for identifying risks well developed matters more than any particular identified risk on its own. Consultants that deliver the perfect 10 risks may not be a good investment, because that skips the important part that keeps the process viable long-term.

To be more proactive, it helps to look at other institutions' breaches and incidents in order to learn (and more clearly articulate) risks, as well as to develop appropriate responses to mitigate the identified risks. Cyber insurance can be a valuable tool, but isn't a solution on its own. Insurance also requires best practices to be followed (keeping deductibles low).
