… greater compatibility with ERM and the flexibility and encouragement to tailor both risk management efforts to the organization provide the basis for integrating cybersecurity within the broader ERM framework.
[More]Ask the Experts
What is the difference between a challenge and a risk?
There is a higher level of confidence in assigning a very high likelihood if the event has already occurred than for events with some level of probability of occurring in the future.
[More]What are some proven methods to generate more active involvement of stakeholders in ERM efforts?
As in any human activity, people get involved and stay involved with ERM efforts and practices when they can see personal benefit from the involvement.
[More]What are some common strategies to identify and assess emerging risks or risks with a longer horizon?
Emerging risks, by definition, represent uncertainties caused by evolving current or near-term events and conditions. Because they are near-term, we can easily recognize changes in current events and conditions that have the potential to impact objectives and plans.
[More]What are some methods/strategies for promoting a healthy risk culture across the agency?
A useful model to think about with respect to promoting culture is the Attitude-Behavior-Culture (A-B-C) model where culture derives from repeated behaviors, behavior is influenced by attitude, and attitude is influenced by culture.
[More]What are some techniques to leverage ERM information for the Strategic Objective Review (SOR) process?
Recognizing a root cause and identifying outcomes or impacts of the key risk events that can inhibit or enable realizing the strategic goals and objectives of the agency provide greater insights into what actions, resources, and our authorities may be needed.
[More]Should agencies automatically focus resources on risks with the highest levels of residual risk, or should more energy be placed on those that may exceed established risk tolerances (regardless of residual risk level)?
ERM informs the resource allocation and internal decision-making processes and should not necessarily trigger the focus of resources in any one direction. There may be a range of other factors that agency leaders must consider when deciding where and how to address key risks.
[More]Of those ERM programs that have a formal communications program, what does it look like?
The key to an effective communication program is choosing the right communication model for a particular agency, depending on where the organization is in its ERM maturity curve.
[More]How do you consider existing controls in establishing the likelihood of the risk? Are risk responses by default internal controls?
When comparing risk responses and internal controls to the construction of a building, one could say that the risk response is more of the “blueprint” or “architectural diagram” and the internal control is the “engineered solution.”
[More]What are some effective methods to report the status and/or results of ERM activities to management?
Reporting will vary depending on leadership and how the audience best receives information. However, reporting will likely focus on the accomplishments of the ERM program, particularly as it relates to enabling an agency effectively managing risk tolerances at the goal and objective levels and risk appetite at the agency level. To accomplish this, agency leadership (more…)
[More]