Integrate ERM and Cybersecurity into Your Organization

Under the Sarbanes-Oxley Act, corporations that offer securities for public trade must follow proper procedures to guarantee that controls exist over the company, one of which is Enterprise Risk Management (ERM). This is further bolstered by the Federal Information Security Management Act (FISMA), which governs compliance by federal government agencies with the cybersecurity guidelines and standards issued by the National Institute of Standards and Technology (NIST).

These guidelines stress the difference between risks and problems, and how to deal with each. According to the NIST publication, called Integrated Enterprise-Wide Risk Management:

  • Risk is a future event with a reasonable chance of happening, together with the unfavorable impact it would have on achieving distinct objectives.
  • Problems are current conditions, or obstacles, that make it harder to accomplish the goals set by an organization.
  • Risk management is an attempt to deal with events that might arise, through identifying the risk, analyzing the risk, and treating that risk in an effective way, so as to achieve the desired goals with the least amount of disruption.
  • Problem management deals with the present consequences of decisions made beforehand.

According to a recent http://www.todaysengineer.org article, the difference between the two is that risk management tends to be proactive, while problem management is more reactive. Risk management looks toward long-term risks and possible ways to lessen their impact or eliminate them entirely. Problem management, on the other hand, deals mostly with the here and now, and thus leaves no room for long-term planning against potential problems.

“Integrated Enterprise-Wide Risk Management” gives organizations tools that help determine risk through a framework of three tiers, including techniques such as brainstorming to come up with potential risks and ideas for dealing with them. This multi-tiered approach can go a long way toward finding effective solutions to risks that could threaten the security of your organization.

For more information about multi-tiered risk management, visit: http://www.todaysengineer.org/2011/Sep/risk-management.asp