Security professionals who learn to transcend traditional management silos to help their organizations improve risk assessment and risk mitigation will have a permanent seat at the C-suite table.
Identifying and mitigating risks across an organization is the purview of enterprise risk management (ERM), which may entail everything from avoiding litigation to assessing credit risk. A subset of ERM is enterprise security risk management (ESRM). It encompasses the more traditional security risks, such as asset protection, as well as broader security issues, such as safety, IT security, and brand integrity. The goal of both ERM and ESRM is to transcend traditional management silos to improve risk assessment and reduction. Security professionals who know how to facilitate ESRM and fit it within the broader ERM landscape will have a permanent seat at the C-suite table.
Security systems and services giant Diebold, Inc., established an ESRM model three years ago with the help of an outside consultant. In the company’s model, a committee of vice presidents from each of the functional areas participates in the initial review of broad security-related risks that the company could face globally. After the initial review, a subset of risks is addressed by affected groups whose members look at risk projections as well as mitigation efforts, says Scott Angelo, Diebold vice president and chief security officer. Results are reported through the senior vice presidents to the president and CEO.
In addition, the company established a formal Governance Risk and Compliance Oversight Board (GRCOB) to address risk related to industry regulations with which the company must comply. GRCOB members represent the lines of business that deal directly with Diebold’s customers: security and professional services, manufacturing, global software development, security operations, and sales. Other groups—such as human resources, legal, and internal audit—are brought in as needed.
The GRCOB reports to the audit committee and provides strategic planning, direction, and oversight to help subsidiaries or affiliates address risk management and compliance in a timely manner. The responsibilities, accountability, and charter of the GRCOB were set by Diebold’s board of directors.
Diebold’s approach is just one example of ESRM.
Greg Acton, CPP, director of global safety and security at mobile products company Palm, Inc., uses a different approach. He looks for root causes of the risks he wishes to mitigate by asking “the five Ws,” and he then models processes around the answers to those questions.
The models for what constitutes enterprise security risk management are exceptionally diverse. “Every model will be specific to your company,” says Dan Hooton, CPP, group security advisor, operations at Prudential PLC, an international financial services company headquartered in London. He emphasizes that the model needs “constant review to make sure it is relevant.”
There are some commonalities across models, however, such as the identification of critical processes, alignment of security objectives to the business, and a risk mitigation phase. The emphasis is on making sure that all the business organizations can demonstrate that their operational risks are being identified, prioritized, remediated, and responded to consistent with their significance and value to that business, says William C. Boni Jr., security director at communications conglomerate Motorola, Inc.
Leadership buy-in is also a factor. At most organizations, the board of directors is involved at least in periodic reviews of the risk model, its assessment, or the identification of specific risks to the organization. Often, that communication is a two-way street, with the board giving feedback on risk decisions. If the board does not become involved, the C-suite certainly does.
The level of interest within the organization can depend on the risk. “At the ERM macro level, you are talking about risks in the hundreds of millions of dollars,” says Boni.
According to Boni, Motorola established its ERM program seven years ago under the aegis of a new audit director. Boni, then the information security officer, was involved in the program from its inception along with other operational risk subject matter experts from such groups as human resources, finance, business leadership, technology, and engineering.
The risk management director, who reported to Boni, was assigned to set up the overall ERM protocols, including communication strategies and assessment tools for the global company. Outside consultants helped initially, but the templates, spreadsheets, and databases were designed specifically for Motorola.
Boni demonstrates ROI for specific recovery efforts by first establishing a baseline for typical industry expectations worldwide. By comparing Motorola’s controls with the baseline, Boni can demonstrate very specific reductions in revenue-at-risk and recovery values.
When Bob Hulshouser, CPP, was hired five years ago to be manager of corporate security services for the Las Vegas Valley Water District (LVVWD), his title did not reflect an enterprise risk management function. However, the utility’s management looked at his security job as a “synergistic arrangement where I would reach out to all functions in the company,” he says. He served as a catalyst to bring the security culture to the other levels and involve security with their processes. “They didn’t call it ERM,” he adds, but “ERM is integrated with everything we do.”
Hulshouser advocates learning different risk approaches by talking to other executives throughout the company. “You can’t protect the enterprise unless you know what their unique concerns are and how your organization blends with theirs.”
Collaboration is key, agrees Evan Wolff, director of homeland security practice at Hunton & Williams, an international law firm that consults on risk issues. That means understanding everyone’s individual objectives based on their responsibilities and knowledge of the risks inherent in their processes, he says, adding “And that’s where the enterprise security risk management model will shine.”
Of course, no enterprise can operate without some risk. “If there was no risk, there would be no revenue,” says Tim Weir, director of global asset protection at Accenture, the management consulting and technical services company.
“The whole idea of doing business is based on the idea of taking risk,” agrees Petri Lillqvist, director of risk management for Digita Oy, a radio and television distributor headquartered in Helsinki, Finland.
When developing an enterprise risk management process for Digita, Lillqvist started with basic questions, such as what does “manage” mean?
“Managing risks does not mean eliminating them,” he says. Rather, risks must be brought down to a level that will not be fatal to the enterprise.
The goal, explains Weir, is to “make calculated decisions daily to help manage risk to people, reputation, information, and property—in that order.”
Before an enterprise can manage its risk, it must identify potential risks and assess how risk will affect the company. A variety of formal and informal methods can be used to accomplish these tasks.
A key factor is to be selective. “If you just start thinking of all the possible risks that might harm your company, you’ll end up with a very long list that includes everything from petty thefts to an asteroid hitting your company headquarters,” Lillqvist says. “It’s about risk management, not list management,” he quips.
The company’s business objectives must serve as a starting point, Lillqvist says.
Seeking out the owner of the identified risk is another helpful tactic. At Digita, the risk owner can be a vice president or other staff member, depending on the risk. That person is responsible for assessing the need for controls, planning the actions, then implementing, reassessing, and reporting on the actions in concert with the company’s risk management process and policy.
Hulshouser and his team use brainstorming to determine probabilities, “the ‘what ifs’ that keep you up at night,” he says. The economic situation and the potential for thefts are top priorities. He scans information from government and professional organizations to stay on top of communitywide crime as well as terrorism trends and natural disaster indicators.
Weir uses visuals to help clarify the risk picture. “We use a wheel that expresses the circle of the risk life cycle,” he says. The circle starts with the identification of a specific risk, then moves through the ways to eliminate, transfer, mitigate, insure, and evaluate that risk over time.
Dick Parry, CPP, executive director of global security at Novartis Institutes of Biomedical Research, has adopted a different type of visual at the pharmaceutical research organization. He uses heat maps, a graphical representation of data that measures gaps and shows through color variations where risks are controlled.
To collect the data, says Parry, various disciplines within Novartis identify their risks, which are consolidated into a larger risk portfolio and then addressed at each business unit.
The process also includes what Parry calls a “loosely modeled risk council.” Meetings to discuss enterprise risk management are scheduled regularly, but the group also works on an ad hoc basis to address risks as they appear.
Sometimes it’s clear what the major concerns are. At Palm, for example, it is the “huge band of bloggers and fans who want to be the first in the market to give consumers the most updated information on potential purchases,” explains Acton. That puts proprietary information at extreme risk.
To address that risk, Acton and his team began shoring up internal processes. “We share less information with fewer people and share it later in the product life cycle,” he says.
The plan passed its first big test during a recent new product release. For the first time, no leaks or disclosures occurred.
Any enterprise risk management plan must recognize that risks evolve, and companies must be prepared to adjust. While the enterprise security council at transportation leader Schneider National tries to anticipate risks three years ahead, “the reality is that we are working in the one-year realm,” says Walt Fountain, CPP, director of enterprise security. “Things are changing faster than we ever expected.”
The scarcity of money and time are perennial impediments to a more effective risk management process. Difficult economic times exacerbate the problem, because cost cutting often results in less than optimum combinations of internal controls, increasing risk. Moreover, security itself is asked to do more with less. But ESRM managers cannot let these barriers stymie their efforts.
“It’s still security’s responsibility to do the best to manage global risk regardless of what resources are available at a given time,” says Boni.
To achieve those objectives, he adds, security leaders must deliver the right information to the appropriate level of management so that executives can prioritize and make appropriate choices.
Angelo at Diebold agrees, noting that in the coming year, the “biggest value the GRCOB will provide is the appropriate prioritization of resources to address risk.”
Fountain has a similar viewpoint. “It’s not that people are saying ‘Let’s not do any security because we cannot afford it,’” he says. Rather, his council has been required to do more upfront planning, gather more data, and justify return on investment (ROI) before moving forward. In anticipation of those questions, he and his team come well prepared to planning sessions.
But money isn’t the only issue. Another barrier to implementing ESRM can be perceptions about what it means to disclose risk on the part of front-line personnel and middle managers. “People have to get past the point where disclosing risks makes them feel that they are not doing their jobs,” says Parry. He advocates establishing a “no-fault scenario” so that employees won’t hide details the company needs to know.
Culture can also be a roadblock. Enterprise risk management is “an evolving concept” at Caterpillar, says Tim Williams, CPP, director of global security at the global manufacturer of construction equipment and engines.
Since Williams joined the company two years ago, the security program has expanded into the global arena with regional directors in Asia, Latin America, Europe, and the Middle East. Williams also began developing risk-based programs for the company’s global manufacturing and distribution centers.
While the company does not have a formal risk management department, Williams serves on a compliance committee and is in the process of forming an enterprise security council.
To overcome any perceived or real impediments to an effective security risk management process, those interviewed rely on their management skills rather than their security knowledge. Qualities such as flexibility, diplomacy, and persistence as well as the ability to conceptualize, delegate, build relationships, and deal with ambiguity are essential to an enterprise security risk management leader.
Security professionals credit courses on leadership, training on enterprise risk management, and advanced degrees in business as indispensable when polishing executive skills. Developing a thorough understanding of the enterprise’s business objectives and participating in its strategic plans are also essential.
Reaching out to coworkers is important as well. John Petruzzi, CPP, managing director of ERM at Andrews International, a firm that specializes in security and risk mitigation, advocates “simple networking 101.” That includes having lunch with counterparts and conversations with senior leaders.
“While they might not be able to tell you how your job will change in five years, they probably can tell you how theirs will,” he says.
Communicating effectively is high on everyone’s list of essential business skills. To Weir, communication means “having two ears and one mouth…being a better listener than talker.”
Making conversations relevant to the audience and speaking confidently in nontechnical terms are other components of effective communication. Petruzzi says that security professionals should know at least five processes that they are measuring monthly and “be able to articulate them in the two-minute elevator talk.”
Boni notes that “people will be a lot more supportive if they understand how your plan is going to benefit them directly.” And that support is the key to accomplishing the ESRM mission.
Mary Alice Davidson heads a publishing consultancy in Spartanburg, South Carolina. She is the former publisher and editor-in-chief of Security Management.
@ Some graphics illustrating aspects of ESRM models used by those interviewed for this article are attached below.