Greater coverage of terrorism-related events by the international news agencies, and easier access to global information, have made individuals and the organisations they work for more conscious of the physical and non-physical threats to the things they hold precious. Mark Brown explains why security risk is managed most effectively when it is treated as a fully integrated element of enterprise risk management.
Today, the threat landscape for the enterprise is constantly shifting. Businesses face an ever-changing range of security threat scenarios spanning terrorism, geopolitical concerns and physical and cyber security issues.
In particular, cyber crime and cyber terrorism are becoming significant categories of security risk in their own right, and their potential impacts extend to the physical harm of employees and of other parties involved in the corporate business.
These risks are connected: extortion, for instance, can follow from a cyber attack or a physical threat and may in turn lead to the compromise of internal business controls.
Security risk cannot operate in isolation
In many cases, IT and security specialists are managing the corporate view of security risk, yet their remit is mostly limited to the domains in which they operate. This can hinder their ability to understand the significance of these risks to the higher level goals and objectives set out by the business.
The security risk management process should be an integrated part of a top-down approach to enterprise risk management (ERM). If it is not, much of the value of the significant investment the business has made in managing risk at the enterprise level is lost. Put simply, security risk must be measured with the same methods, and against the same defined risk appetite levels, as every other form of risk.
To gain the full advantages that ERM offers, the implementation of the risk framework needs to be holistic, duly taking into account all categories of risk. To instil a risk culture across the business, the organisation needs to know how much risk it’s willing to take and how it wants to balance risk with opportunity.
Security risk needs to be placed in the same assessment framework as other risks in order to compare and aggregate all risk against appetite levels (and against objectives). It’s then that robust and cost-effective mitigation strategies may be devised for the corporation.
Extending the risk culture
Risks change continuously so it’s crucial for organisations to define their risk appetite and review the same on a regular basis. Risk appetite, tolerance, targets and limits are not static. They must be updated in line with changes to the organisation’s situation regarding variables like the economy, markets, regulators, technology, strategy and performance.
According to the Institute of Risk Management (IRM), risk appetite is a core consideration in an enterprise risk management approach and is one of the hardest elements of implementing ERM. Once the pain of this has been addressed as part of an ERM process, though, it makes sense that security risk is linked into that process.
The Board of Directors and senior management are responsible to shareholders and other stakeholders for defining the risk appetite of the business. They need to consider the amount and type of risk an organisation can ably and actively support during the course of its operations.
To define a risk appetite for each category of risk, the Board and senior management need to take into account capital structure as well as the flexibility and loyalty of staff. A well-defined risk appetite policy ensures that a company includes a risk factor for every major strategic and tactical situation.
In practice, risk appetite will usually cover areas such as reputation, brand, liquidity/financial position/credit rating, new products, services, geographies, the supply chain, mergers and acquisitions, corporate governance/compliance, Corporate Social Responsibility and Human Resources.
Integrating security risk realises visibility across the enterprise
Including security risk within an ERM framework is the most effective way to understand what a 'security threat' means to the business in terms of its overall goals and objectives. Managed separately, security threats can only be ranked against one another; they cannot be prioritised and assessed against the other threats to the business, which may be equally or more harmful if left unmitigated.
In addition, by trying to manage security risk separately the business loses the ability to look at how security risks impact other governance functions like Health and Safety, internal controls and business continuity planning.
Security is just another driver that needs to be captured by the ERM process and brought within the measures of acceptable risk. Why? Because it is the ERM process that aligns all the key threats and opportunities of the business with its stated goals and objectives. If security threats are to be prioritised relative to other threats, security must be treated in the same way as those threats.
Similarly, the centralised approach that ERM offers enables the business to consider security threats across the whole enterprise rather than in isolation within specific areas. Most organisations have already invested significantly in building a risk- and opportunity-based culture around business performance; bringing security risk into that process makes better use of the investment and extends the same cultural approach to security threats.
London 2012 Olympic Games: the perfect example
The London 2012 Olympic Games are a good case in point. The Games' organisers drew on the business world's growing understanding of risk management. Planning for the London Games showed the strong influence of risk management ideas and practice, for example in the creation of risk registers and of dedicated monitoring systems to spot issues that might have posed a danger.
Indeed, the rise of ‘Olympic Games risk management’ touched not only on the most visible fields of finance and security, but also on a wide range of activities such as procurement and contract management, Health and Safety, the assessment of environmental impacts and public health planning.
As the organisers of the Olympic Games have become more sophisticated in risk management during the last 30 years, so the broader discipline and profession of risk management has benefited from its example.
The concept of risk itself has taken hold in modern societies and organisations. The Olympic Games provide an ideal Case Study in the development of risk management (particularly in the sphere of major programmes where greater focus is now afforded to non-financial impacts such as security).
Defining risk appetite
How, then, can the business define risk appetite levels for security? In exactly the same way as for any other threat.
The business simply assesses its level of appetite for loss of performance against key objectives (such as operating cost base, customer retention, cash flow and reputation) and then measures the potential impact of security threats against these objectives.
As this may change across the enterprise – business by business, division by division or project by project – there needs to be a common process for the identification, assessment and mitigation of this category of risks.
Those organisations that have already invested in ERM software should now be benefiting from systematic process support to collect, measure and manage risk against appetite tolerances at all levels based on localised risk appetite. Using ERM software helps organisations to use the same risk terminology and the same scoring systems. In this way, it’s possible to compare security risks from different parts of the organisation.
At the same time, these processes enable risk to be aggregated upwards within the organisation so that total exposure can be measured against enterprise-wide performance objectives. That gives senior management and the Board a set of management information they would otherwise simply not have had.
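To make the point concrete, the following is an added illustration (not code from the article or from Sword Active Risk) of a common scoring and aggregation process of the kind described above. It assumes a risk register in which security and non-security risks are scored on the same basis, as annualised expected loss against each business objective, and in which appetite limits are set locally per division as well as for the enterprise as a whole. The divisions, objectives, risks and figures are constructed for the example; the point it shows is that every division can sit within its own appetite while the aggregated enterprise exposure still breaches the Board's limit, and that a security risk can be ranked directly against operational and financial risks once all of them are scored against the same objective.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Risk:
    ident: str
    division: str
    category: str            # "security", "operational", "financial", ...
    likelihood: float        # estimated annual probability, 0..1
    impact: dict             # objective -> loss if the event occurs (GBP)


# Risk appetite per objective, expressed as tolerable annual expected loss (GBP).
# "enterprise" is the Board-level limit; each division carries its own localised limit.
# These figures are constructed for the example.
APPETITE = {
    "enterprise": {"cash_flow": 2_000_000, "customer_retention": 1_000_000},
    "Retail":     {"cash_flow": 1_300_000, "customer_retention":   600_000},
    "Logistics":  {"cash_flow": 1_000_000, "customer_retention":   500_000},
}

# A constructed risk register mixing security, operational and financial risks.
RISKS = [
    Risk("SEC-01", "Retail",    "security",    0.15,
         {"cash_flow": 4_000_000, "customer_retention": 2_000_000}),   # ransomware on point-of-sale estate
    Risk("SEC-02", "Logistics", "security",    0.20,
         {"cash_flow": 1_500_000, "customer_retention": 1_500_000}),   # extortion backed by DDoS on tracking portal
    Risk("OPS-01", "Logistics", "operational", 0.05,
         {"cash_flow": 10_000_000, "customer_retention": 2_000_000}),  # major warehouse fire
    Risk("FIN-01", "Retail",    "financial",   0.10,
         {"cash_flow": 5_000_000, "customer_retention": 500_000}),     # key supplier insolvency
    Risk("OPS-02", "Retail",    "operational", 0.30,
         {"cash_flow": 500_000, "customer_retention": 1_000_000}),     # health and safety incident in store
]


def expected_loss(risk, objective):
    """Annualised expected loss of one risk against one objective (0 if it does not affect it)."""
    return risk.likelihood * risk.impact.get(objective, 0.0)


def aggregate(risks, scope="enterprise"):
    """Sum annualised expected loss per objective for one division, or for the whole enterprise."""
    totals = defaultdict(float)
    for r in risks:
        if scope != "enterprise" and r.division != scope:
            continue
        for objective in r.impact:
            totals[objective] += expected_loss(r, objective)
    return dict(totals)


def breaches(risks, appetite=APPETITE):
    """Return (scope, objective, exposure, limit) for every appetite limit that is exceeded."""
    out = []
    for scope, limits in appetite.items():
        exposure = aggregate(risks, scope)
        for objective, limit in limits.items():
            value = exposure.get(objective, 0.0)
            if value > limit:
                out.append((scope, objective, round(value), limit))
    return out


def rank(risks, objective):
    """Rank all risks, whatever their category, by expected loss against a single objective."""
    return sorted(risks, key=lambda r: expected_loss(r, objective), reverse=True)


if __name__ == "__main__":
    for scope in APPETITE:
        print(scope, {k: round(v) for k, v in aggregate(RISKS, scope).items()})
    for scope, objective, value, limit in breaches(RISKS):
        print(f"BREACH {scope}/{objective}: exposure {value:,} exceeds appetite {limit:,}")
    print("cash_flow ranking:", [(r.ident, r.category) for r in rank(RISKS, "cash_flow")])
```

Run as a script, the register reports that Retail and Logistics are each within their local cash-flow appetite, yet the aggregated enterprise cash-flow exposure exceeds the Board's limit; Retail also breaches its customer-retention limit. The ranking against cash flow places the security risk SEC-01 above the warehouse fire and the supplier insolvency, which is the comparison that a security-only register cannot make.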
As already discussed, the hard questions start in the Boardroom. What’s the Board’s attitude towards – and appetite for – security risk? What are the specific events? How could they impact the business? What can be done to bring these potential impacts into line?
To answer all of these questions, members of the Board and senior management must first quantify what’s acceptable or not. This, in point of fact, is exactly what the ERM process is designed to deliver.
On that basis, when considering the security of the enterprise why not make use of it?
Mark Brown is Vice-President of Product Strategy at Sword Active Risk