Given these trends, how should enterprise risk management (ERM) be approached? First, a corporate-wide ERM framework is needed so that all risk is managed according to corporate-wide priorities and policies. The result should not be a large, central bureaucracy, but effective central control of, and visibility into, the ongoing ERM program. Next, the risk management activities of every business unit must be managed and measured continuously. This is not an annual exercise but a continuous, almost daily activity, and its results should be consolidated at the enterprise level so that ERM strategy and tactics stay consistent across units. Lastly, risk strategies must be communicated ubiquitously and consistently throughout the corporation.
The most important element of any risk management effort is reducing risk to a level the organization has explicitly decided it can accept. In managing IT security risk, a failure in one area can easily cause failures in others, compounding the impact and making compliance much harder. For example, a failure to protect a critical asset could disrupt the availability of critical IT services, possibly in a different business unit from the one that owns the asset. This is why managing risk in silos ultimately fails: each silo responds only to the risks it can see, and the cross-unit dependencies go unaddressed. A holistic, consistent, enterprise-wide approach to managing IT risk that covers all key areas is the only viable approach.