How do the departmental risk programs of your organization come together under Enterprise Risk?



VP, Enterprise Risk Management in Software, 10,001+ employees
I come from the enterprise risk management side. When I started at my current employer, they said, "Okay, you're going to come and help set up IT risk management and then we'll get to enterprise risk management." I said, "No. We're going to set up enterprise risk management as the umbrella that provides the framework for how we look at all the different risks." Our organization is lucky in that it's a very operational company and so we know how to manage risks around employee health & safety, physical security, fraud, compliance. All the typical things that you would find in many organizations. One of the challenges I had was trying to make sure that people understood the language around NIST CSF (National Institute of Standards & Technology Cyber Security Framework). The CSF borrows or uses a lot of the risk language, but means something slightly different. And we're talking about so many different types of risks. For me, it is about having a common framework. I will always want people to just stop and think about what they are solving for, how much of a risk this is to our organization, what our risk appetite is around that, etc. Take health and safety for example. We have zero appetite for injuries. We have programs in place. We want everyone to go home in better condition than when they come to work. That's very mature. And the policies support the risk appetite statement. And then I talk about the methodology, which would be any OSHA standards, any requirements to implement that program. I try to give flexibility. So for cyber it might be NIST CSF, for safety it might be OSHA, and then physical security would be NFPA and all those other different requirements. I try to build consistency across roles, responsibility, and governance. You have to be clear about who's responsible for what and how you raise that up through the governance structure. How do you escalate issues?
I'm a team of one and I don't lead any of these programs, but I try to influence all of them. I report up through the chief risk officer to the board and to senior management, and I'm trying to get them to think strategically as well because, sure, we know what risks are out there today and they're pretty mature, but every year I want them to stop and look out the window and say, "What's on the horizon? What have we not thought about?" That way we bubble up really cool things like extreme climate or geopolitical risk. We may not be able to control it, but at least we can see it and we know what's coming.
VP, Chief Security & Compliance Officer in Software, 1,001 - 5,000 employees
When I was in healthcare, we were grappling with the problem where everybody had a different lens. Each lens had its own span of control. Don't cross into my space and expect to have ownership. We ended up creating a principle-based governance model. So the principle is no one's allowed to own anything outside of their span of control. And then at the table we got the council together. The council had a charter and we had principles and then we said, "At that table when you're making a decision, each lens will default to the expert in that area." So if it's a legal matter with a little security added in there, legal and security would take the lead and they would have to collaborate to make the decision. What was happening for us at the time was, by having those different lenses, the IT project PMO office was literally having to go around at every meeting to get approvals to launch projects and upgrade systems. It was costing a lot of time and money. Worst of all, the risk decisions weren't integrated. So you had one lens, highly conservative, that would issue directions that were tight, and another lens, a little less conservative, that would issue risk guidance. It was all over the place. Teams were executing and the risk guidance wasn't integrated, and that created an absolute mess. So that Information Risk Governance Council, which is what we founded, brought all those lenses together and enabled them to make decisions based on these principles. There was a decision-making structure in that framework too, so that we could route through decisions quickly. The first year was fantastic. We made all kinds of decisions, helped execute things, moved things along. Second year, forget it, it fell apart.
CISO, 1,001 - 5,000 employees
I'm the CSO for Travis County. That's in Austin, Texas. Risk management is a little strange where I'm at. The County isn't mandated to do security by any specific laws outside of HIPAA, PCI and CJIS. An elected official in Texas answers to the public, so counties are usually decentralized with many leaders. I report under the Commissioner's Court, which is four commissioners and the County judge. There are 50 other elected officials that are at the same organizational level as my management (Clerks, judges, Constables, Justices of the Peace). We don't have clearly defined roles. We don't have ownership and accountability, and it's extremely difficult.

My goal is to explain to elected officials, "That's your program and you own that program." Even if you outsource a business function, you still own the program. You have to answer all the questions, and at the end of the day, the news article is going to say your program had X, Y, and Z. So what are we going to do about it? It's all about protecting the brand, it's all about protecting yourself. And so just the diversity of the organization makes it extremely difficult to manage.