Average U.S. Data Breach Tops $6.5 Million: How can ERM Help?

As I have covered in past articles, proponents of ERM face one primary challenge when presenting their program (or potential program) to management – is ERM worth the investment?

“We are all facing the same challenge of not having a clear way to quantify [the benefits of ERM],” says Puneet Kapoor, Walgreen Co.’s Director of ERM. Recent research, however, now provides the hard data that many in Kapoor’s position are seeking – significant evidence that ERM carries financial benefits alongside strategic and operational advantages.

An independent study conducted by Queen’s University Management School and University of Edinburgh Business School concludes there is “a highly significant premium of 25% for firms that had been classified as having ‘mature ERM’ according to the Risk Maturity Model.”

Former RIMS President and current international director at Jones Lang LaSalle Inc. Janice Ochenkowski states “ERM shouldn’t exist to be a profit center, a cost center or a group within an organization. Rather, it ought to serve as a catalyst for raising the awareness of risks, and reduction and mitigation of those risks. The success of a good enterprise risk management program is that operationally your managers are thinking about risk and reward as they go about their tasks on a daily basis.” Enterprise risk management is the most effective means to streamlining these processes, managing risks, and preventing the oversight around policies and procedures that lead to loss events.

When considering the effective management and prevention of future loss events, significant financial returns become evident. The challenge is communicating those benefits to their executive counterparts, who tend to view ERM as a long term, overhead cost rather than operational efficiency.

As loss events such as cyber hacks and data breaches increase – both in frequency and size – it is clear just how necessary a mature risk program is. A study from Ponemon Institute and IBM found that the average cost for corporate security breaches has jumped 23% in the past two years alone. This increase brings the average international data breach up to $3.8 million. Even more noteworthy: the average U.S. corporate data breach now tops $6.5 million.

With loss events now more likely and impactful, it is as critical as ever for organizations to adopt ERM software to assist in their risk management efforts.