Enterprise risk management (ERM) is the process of assessing risks to identify both threats to a company’s financial well-being and opportunities in the market. The goal of an ERM program is to understand an organization’s tolerance for risk, categorize it, and quantify it.When companies look at enterprise risk, the traditional approach is to look at financial risks with help from CFO services, regulatory risks and operational risks. What happens if the exchange rate drops and the interest rate rises, if new drugs don’t get FDA approval, or if your main warehouse burns down?To make the calculation, you take the potential impact of an event and multiply it by the odds of that event happening.For low-impact events, even a high probability of occurrence won’t affect the company’s total risk exposure by much, while for high-impact events, even a low probability of occurrence is potentially devastating.Focusing on business impact is a different way to think about cybersecurity, and it requires a different mindset than that of tactically responding to cybersecurity threats. Cybersecurity used to be all about preventing attacks, and a breach either occurred or it didn’t.
