computerwoche.de

Archiv

Home port for security departments?

22.06.2011
In June of 2003, we ran a . We titled it "All Over the Map," which pretty much tells you what we concluded about how security was handled at the time: a bit like a ship with no home port, passing from executive to executive. The article had examples of security variously reporting to Human Resources, Facilities, Operations, Legal, and IT. Responsibility without authority was a theme.

However, the fourth page of that article had the following prominent quote from security veteran Ed Telders: "Our job is risk management. The only difference [between types of security] is the tool kit."

Eight years later, I think we might look at that quote in the rearview mirror and realize that this essential truth would eventually lead us to where we are today. Enterprise risk management doesn't look like a fad to me. It looks like home port.

In , contributor Constantine von Hoffman examines how this function has been pulled together at three different, forward-thinking organizations. You can also for ERM and operational risk, based on multiple real-world examples. And read the at Providence Health.

To me, von Hoffman's report is the long-awaited sequel to "All Over the Map."

Today, enterprise risk management can be a full-blown department or a process executed by a loose confederation of teammates. The head of a function might be a CRO or the CFO. Some reporting relationships might be solid lines, some dotted lines, some matrixed. I'd argue that the specifics depend on the type of business you're in and what types of risk are most prevalent in your industry. Because that's the point: You do ERM to make smarter business decisions.