FoxPointe Security Hub

Municipalities: Create Measurable Value through Enterprise Risk Management (ERM) Controls

June 3, 2019 by

In the wake of the risks surrounding cybersecurity breaches, ever-expanding regulatory scrutiny from the Office of the New York State Comptroller and the myriad other state and federal agencies, and the demands of key stakeholders, municipalities face increasing audit and assurance demands on a daily basis. How does a municipality keep up, stay focused, and apply reasonable, actionable, and measurable risk management controls? By forming an enterprise risk management services team.

The enterprise risk management services team should:

  1. Use Strategic Controls, not just tactical ones. Core to the enterprise risk management process is identifying and assessing risks. A key initial step is fully understanding your risk appetite. This is a strategic choice: the amount of risk you are willing to accept in pursuit of the business strategy is decided and communicated to all parties. Doing so gives your team the ability to identify more effectively the risks associated with the chosen strategy and to put those risks that fall outside your appetite on hold for future consideration.
  2. Understand the Three Categories of Risk. In most cases, risks can be placed into three core categories, but there may be situations where a more granular approach to categorizing risks is needed in order to be effective. That will be determined based on your ongoing assessment of the enterprise risk management process's effectiveness. The following three categories are the traditional categorizations:
    • Strategic Risk: offers potential benefits towards the company’s goal, which makes these risks a balancing act
    • Preventable Risk: offers no acceptable benefits and should be eliminated, avoided, or transferred
    • External Risk: whether offering positive or negative benefit, these risks are out of the company’s control, and as such, the focus should be on mitigating the likelihood of occurrence
  3. Once risks are identified, place them into the three categories above. This allows companies to identify both positive and negative risks for a given strategy.
  4. Now that those risks are assigned and categorized, it is time to design risk response plans for the identified risks. A well-defined and coordinated model assigns ownership of, and accountability for, each risk in a clear, defined manner.
  5. Key to the overall risk management strategy is a multi-layered defense program across operations and business units, made up of the individuals who own the risks and are responsible for identifying and managing them. Combine that first line with management assurance (the line made up of those responsible for monitoring the design and operating effectiveness of controls) and with the needed and appropriate independent assurance from internal and external auditors, and you will be able to optimize the risk response plan.

The most effective risk management controls are those that companies embed into the culture as sustainable, actionable, and measurable solutions, so that they remain effective over time. At their core, your identified and implemented solutions should be focused on a main objective—to prevent risks from occurring. Solutions that prevent risks from arising and are easily detected and monitored are the most effective. The paired acts of risk management include objectives for strategic risks that balance risk mitigation against risk taking so that they generate value (cost evidence, higher service levels, better cybersecurity, regulatory compliance, etc.) for the company.

Carl Cadregari is an executive vice president based out of our Rochester, NY office.

This material has been prepared for general, informational purposes only and is not intended to provide, and should not be relied on for, tax, legal, or accounting advice.  Should you require any such advice, please contact us directly. The information contained herein does not create, and your review or use of the information does not constitute, a consultant-client relationship.