Sean Lyons is the principal of Ireland-based R.I.S.C. International and a recognized corporate defense strategist. Lyons advocates that corporate defense should play a greater role in corporate strategy. In recent years his work, which includes a heck of a lot of writing (some of which I link to in our chat below), has focused on the design and development of corporate defense program blueprints.

Eric Krell: Sean, we met, virtually, two months ago when you responded to an entry in this blog. When I Googled you (a 21st-century reflex), I discovered that you have invested significant thought (and research) in risk management.

In fact, you're the architect of a cross-functional discipline you refer to as “Corporate Defense Management” (CDM). Please tell me why and how you conceived of CDM ...

Sean Lyons: My conception of CDM as a cross-functional discipline was something that evolved over a considerable period of time. My professional background was originally in internal audit, and this exposed me to certain activities which seemed to share a common high-level objective of helping to safeguard, or defend, the organization against the occurrence of potential hazards.

These activities include what I now refer to as the critical components that constitute an organization's corporate defense program – including the management of governance, risk, compliance, intelligence, security, resilience, controls, and assurance. [In this paper, Lyons interviews experts regarding their role in corporate defense.]

Eric Krell: What did you learn from your research?

Sean Lyons: I realized that each of these individual areas shared a common high-level objective and faced common challenges (as specialist areas, they also appeared to be developing in similar directions).

Very often, they also occupied the same status (or perhaps lack of status) within their organizations and tended to be viewed in a somewhat similar (negative) light. For example, some front-office staff cynically described these processes, or areas, as “business disablers.” Remember, this was during a period of sustained economic boom!

What I also noticed was that each of these activities tended to operate in silo-type structures within their organizations; they were not in alignment with one another but rather they operated in isolation, with little or no interaction, sharing of information, or indeed collaboration. In fact, they were quite often the subject of internal power struggles. Over time, I began to appreciate that these components were in fact very much interconnected, interlinked, and interdependent and quite often it was difficult to determine where one ended and another began.

With this as a backdrop, I began to consider the logic or prudence of strategically managing all of these components in a coordinated and integrated manner … and the benefits which could be derived if all of these activities were in alignment and operating in unison in order to collectively defend the organization and its multiple stakeholders. Hence the concept of corporate defense management (CDM) was born.

Eric Krell: Thanks, Sean. What you describe sounds similar to “GRC” – or governance, risk management, and compliance (and the move to manage it much more effectively and efficiently) as well as enterprise risk management (ERM). How is CDM similar to these approaches, and how is it different?

Sean Lyons: Since I began my work on CDM, there have also been significant developments occurring independently in many of the corporate defense-related components referred to above.

In my view, what has been occurring in this space over the past 10 years or so has been an evolutionary process. In particular, there has been the emergence of ERM, GRC, resiliency management, and integrated assurance, among others, and these certainly represent important stepping-stones on this evolutionary journey. [Lyons addresses that evolutionary process in this paper.]

ERM initially represented an appreciation that organizations were required to take a risk-based approach across the entire enterprise, and this involved embedding risk processes into everyday activities. GRC initially represented an attempt to go beyond risk management and was an acknowledgment of the interdependence which exists between corporate governance, risk management, and compliance (hence the acronym GRC) and an appreciation of the requirement to more closely integrate these three activities.

I appreciate, however, that over time both of these concepts have been continuously evolving and expanding beyond their initial boundaries. This unfortunately has also led to a degree of confusion in relation to the difference between ERM and GRC, and is the subject of much unproductive debate and at times unnecessary conflict.

CDM, from a risk management perspective, incorporates management of the risk component but also represents recognition that while inherent risk can perhaps be established in isolation, an organization's residual risk can only be satisfactorily determined after considering the organization's capabilities in relation to the other critical components. In relation to comparisons with GRC, CDM incorporates the integration of the governance, risk, and compliance components; however, it also recognizes the importance of integrating the intelligence, security, resilience, controls, and assurance components and, unlike GRC, does not consider these components to be subordinate to governance, risk, and compliance.

From an organization's perspective, CDM is used as the umbrella term to represent the strategic management of all of these critical components, uniting and aligning them and in the process actually building on the significant developments which have already occurred in this space. This includes incorporating the use of advances in technology and performance management techniques, where appropriate, to help achieve the organization's objectives.

Unlike traditional negative views of corporate defense, CDM should be regarded in a positive and progressive light, aimed at both safeguarding the interests of the multiple stakeholders and also adding value to the organization, where possible, through optimizing the use of resources, in order to achieve higher returns on existing investment in this space.

Eric Krell: Sean, I hear you regarding “ERM vs. GRC” confusion. I (and my readers) can vouch for the fact that there is a lot of confusion about what “GRC” is. And I still wonder how productive the debates that stem from this confusion are (and for whom they are productive).

When I spend a few minutes talking to risk experts (be they vendors or corporate managers), the vast majority of these individuals quickly make the same essential point: ERM, GRC, and the like are a means to make better decisions.

This is also what CDM's mission sounds like to me, and I appreciate your points on its holistic reach.

Before we sign off (for now), can you share a bit on how the approach is being received in Europe? Also, I know that it's a big (and American) question, but can you point to any industries or countries in the EU where innovative CDM and risk management activities are taking place right now?

Sean Lyons: Eric, I totally agree that ERM, GRC, and CDM share the common mission of helping organizations to make better decisions. In the process, they can not only help to create more resilient organizations but can also help to enhance effectiveness through improved performance and increased productivity, and create efficiencies through eliminating duplication, reducing overheads, and minimizing unnecessary redundancy [a point Lyons addresses in greater detail in this paper].

In Europe, while CDM as a concept is still very much in its infancy, there is some evidence to suggest a greater appreciation (conceptually at least) that a coherent corporate defense program represents a strategic imperative.

From my own experience, there appears to be a growing recognition of the requirement to address the status and authority imbalance which previously existed between those with responsibility for bringing the dollar (or euro) in through the front door and those with responsibility for preventing the dollar from leaving through the back door. This view has been somewhat accelerated in the financial services industry by the performance of reviews relating to corporate governance and risk oversight failures that contributed to the financial crisis. Individual reviews, most notably the Walker Review of Corporate Governance in UK Banking Institutions, acknowledged the importance of a Risk Committee (RC) and the requirement for organizations to have a Chief Risk Officer (CRO). While the Walker Review did not quite go as far as I had hoped, it did recommend that the RC should be a board level committee and that the CRO should independently report to the RC. Similar corporate governance consultation papers have also been published by the Basel Committee on Banking Supervision, the International Corporate Governance Network (ICGN), and, more recently, the new Irish Financial Regulator.

Outside of the financial services sector, the recent publication of the ISO 31000 risk management standard and rating agency S&P's increased focus on ERM have also helped to raise the profile of risk management, and this appears to be resulting in a certain degree of change, with a greater focus on risk management.

Generally speaking, I think that it would be fair to say that there is still quite a long way to go before the CDM holistic view becomes the norm; however, there are certainly signs at an organizational level that things are indeed heading in the right direction. I guess we will just have to wait and see!