Rock Holdings, Inc., is a US-based holding company which owns several subsidiary companies including Quicken Loans, the US’s largest mortgage lender. Due to strategic, operational and regulatory requirements, Rock Holdings has implemented quantitative risk analysis using Factor Analysis of Information Risk (FAIR). Over time, Rock Holdings’ FAIR implementation transformed the business’ enterprise risk management (ERM) program and risk culture. Along the way, Rock Holdings’ Keith Weinbaum, an enterprise risk management architect and thought leader, has led the Rock Holdings enterprise risk team.
Acquisitions, growth, digital business and financial services industry security challenges have driven an ongoing evolution of risk management at Quicken Loans and Rock Holdings over the past eight years. Rock Holdings dealt with the following pain points:
- Inability to communicate information risk in business terms
- Increasing financial legal and regulatory requirements for risk management
- Information risk not integrated into ERM
- Increasing risk complexity
There were a number of stages to the effort and, in each stage, pain points were addressed.
Once given the go-ahead for the Rock Holdings ERM project, Weinbaum began rolling out ERM to each of the (then) six companies. The risk team operationalized and instrumented ERM for each company during six overlapping four- to six-month periods. Including the company-level champions and ERM or FAIR specialists already on staff, the core risk team grew to approximately 10 people. Internal auditors and other stakeholders were also engaged. The team sent monthly email updates to the list of stakeholders from all companies.
In a constantly changing environment with multiple business units, processes and systems, ERM will never be perfect. To learn more about what went well and lessons that were learned, read “Building a Rock-Solid ERM Culture on FAIR,” the first in a new line of ISACA® Case Studies, created to offer practitioners and academicians access to practical, useful content.
Likewise, the work of evaluating risk scenarios will never be “done.” ERM is an ongoing process. Rock Holdings’ goal is to expand it to all companies and to measure all key risk scenarios. The enterprise risk team will continue to implement each component of the ERM process consistently, find best practices and spread them to all the companies.
Case studies such as this one will be featured in the ISACA® Journal and will be published in an online content library. Read the full article in the ISACA Journal vol. 3, 2020.