Analyst Chat #38: An Enterprise Risk Management Primer

Welcome to the KuppingerCole Analyst Chat. I'm your host. My name is Matthias Reinwarth. I'm an analyst and advisor at KuppingerCole analysts, My guest today is Christopher Schutze, he's director of practice cyber security at KuppingerCole analysts. And today we want to talk about enterprise risk management. Hi Christopher.
Hi Matthias. And thank you for the invitation.
Great to have you and enterprise risk management. So this sounds like something huge, something large, something really tedious. Can you give us a definition of what enterprise risk management comprises? Yeah.
Enterprise in the beginning indicates that we are talking about the big thing and maybe first I start with a short idea about it. We have traditional risk management in organizations where we handle organizational risks or things like that. And we have on the other hand, so more the it related risks. We have it risks. And for sure, we have risks regarding to the security of the it and many other risks at all. And when we talk to our customers about risks or enterprise risks, we often realize that you organizations agile organization or startups handle more specific risks. So maybe risks regarding to the it, to the it security, whereas bigger organizations like car manufacturer or insurance companies tend more to handle the enterprise risks. But what those organizations combines is that they focus on one area more than on the other and the truth. And the best idea is really to have a well-defined approach, which integrates it risk management into enterprise risk management and vice versa. So to have a look at those sinks, which can happen to you in combination, not only it and not only environmental influences to your organization or financial,
If you talk to a financial organization, for example, they consider risk management, but when you leave the it and the enterprise in front of the way, they consider something very different. They look at financial risk, they look at capital market risks, they look at fraud and this is really something where they really have a different notion, as long as you don't add the it to risk management as well. So what kinds of risks would you consider when you're talking about enterprise risk management? So when we talk about enterprise
Risk management or risk management in general, we have mainly four areas. We have a traditional hazards. So things which come from outside, such as earthquakes or bearing time or the damage to others, people property. And then for sure, that's what you already mentioned, the financial stuff. It's not only for insurance company it's for any organization. The idea of an organization is to earn money and to have money. And this is a very essential topic. Maybe things like an liquidity shortage or falling prices on the market. This is an various central risks to an organization. And another one is the operational risk. It is maybe if you offer digital services or things like this, those risks are handled in that area. And the last one. So the fourth category is strategic risk. So things which impact the objectives of your organization and this risks can be, it risks, it security, risks, or enterprise risks.
And these are mainly the four categories. And maybe I mentioned this in the, the hazard category, there are also things like terrorism or in general, a natural disaster or blackouts. And if you think about enterprise risk, it risk and it security risks, maybe as three layers and enterprise risk on the top level, a pandemic crisis, or in terrorism attack impacts the enterprise and DIT, maybe your data center is not available anymore. Or on the other hand, if you are offering digital services and you are not aware of fail or tea, you have maybe unprotected accounts like issues in identity and access management. This is more an it risk or an it security risk, but maybe combined with an terrorism attack. It's also an issue which affects your whole organization. And then it's again, an enterprise risks. And combining those single it risks with general risks is the important thing because never underestimate the probability of occurrence regarding to the impact it has to your organization. Just think about the pandemic crisis. Nobody expected it, but the impact is very high.
So we cannot clearly distinguish between enterprise risks and it risks throughout to put it the other way around as we just described many it risks can be considered immediately as enterprise, as business risks. Right?
Exactly. If an it security or it risk has impact to whole organization to your business model, then it's an enterprise risk or must be humbled. And especially also the combination of one or more things. And this is why you really should have something like an integrated process for your risk manager,
Right? That was something that I was aiming at. So when we cannot distinguish between both, there is no way of looking at it, risk alone as an isolated topic. This is something that we need to consider as something that needs to be tackled more holistically. Would you agree?
Yeah, absolutely. And I think I should explain maybe the process of how we see it in our projects, how to do an enterprise risk management as a process, because the first thing you should really be aware is the context you should know, what are the main things your company is focused in? What is the thing you earn money with? What is the environment around? What are all the impacts? This is really the first thing to understand your business, your organization. And then you can start to identify several risks. There are a lot of standards like ISO or NIST or specific security frameworks, and blueprints available to identify them, to have some basic idea and catalog for enterprise risks for it, risks and for it security risks. And then, you know, the risks and you have a context and this is where you can start to analyze.
Does it have an impact for you? What would be the impact, things like that. And then the most important thing is here. And this is where combination starts. You have to integrate them. You have to think about what happens if I have an blackouts and my backups are not available. Both things are seen as a single items are not relevant, but maybe the combination tends to that your business is not working anymore. Things like that. And after integrating them, after combining them, you can rate them. You can say, oh, the impact or the probability of occurrence is high or low or medium. And based on this, and you can create mitigating measures, can implement tools, software, processes, whatever, and monitor the risks, because what is clear, your organization changes the impact to your organization. Changes laws and regulations are changing. And these are things which have impact on your risk catalog on your risk model and at the end of your enterprise risk management. And that is why you have to monitor your risks. And this is why you have to monitor your risks,
Right? When you mentioned that you need to assess the impact that you need to also assess the impact of combined risks. I think there is also a danger when you're doing this process of overdoing it or implementing too many controls. I know many organizations are on the other end, so they really have not yet fully got to a picture of their, of their overall risk posture. But on the other hand, when you're doing an executing and exercising, this enterprise risk management, there's also a danger of yeah. Of having too much in place. How do you get to the right balance here?
Ask experts. It's the simple answer. No, as I mentioned, standards can be used. There are best practices available by public organizations by states, ISO NIST and so on. And what you mentioned, don't do too much focus on the essential bond, focus on the risks, which have the highest impact to your organizations. If they happen. That is the most important thing. And you will never achieve a level of 100% security here. That's impossible,
Right? When we think of the crisis that we are all still in to identify impact, that can be the result of more than one risk and to focus on that might also be a good idea. For example, then moving towards more scalable, more sustainable it infrastructures that move away from on premises systems that are in more danger. That might be also a good starting point to, to cover more than one risk at one time as cyber security and risk management are of course, some of your key topics being the director of practice for cybersecurity, I guess there's lots of research available. And of course, when people can contact you, what would be the first starting point that you would recommend when, when the audience wants to learn more about that topic, what would be the first starting point Christopher?
So the first step is for sure, our website KuppingerCole dot com and a good starting point would be just put the search term three steps to improve your cyber security with enterprise risk management into our search bar and search for the blog post about it is that we have a good graphics and some good, basic idea about it. And there's also some more research content linked that you can find in our research area. So this is really a good starting point.
Great. And maybe if I add this shameless self plug, of course you mentioned Osby experts. And of course we sometimes think of ourselves as being the experts. So talk to us. So thank you very much, Christopher, for joining me today. And I think this is a topic where we can choose individual areas and dive deeper into topics like enterprise risk register or the overall integration into a corporate strategy when it comes to protecting their organization. So thanks again, Christopher, I'm looking forward to having you again. Thank you. You're welcome. Bye-bye