Interviews

Enterprise risk management

by Mark Rowe

What are the current challenges and risks affecting corporate security departments trying to mitigate enterprise risk management on behalf of the organisations they work for? asks Dr Peter Speight CSyP DBA MSC MIRM. He is Director of Risk and Consultancy at Securitas Security Services.

Corporate security departments face many challenges as they attempt to mitigate risk on behalf of their organisations.

Firstly, they face specific security risks which can occur in the business environment, eg climate change, terrorism, financial instability, or fraud. However, there are also risks arising from the manner in which risk management itself is exercised and perceived. Ultimately, one of the greatest challenges faced by all risk management professionals is the risk of new or unfamiliar challenges remaining undetected. In this instance, I refer to ‘social media and cyber crime’. It also remains the case that it is complex and near impossible for any risk management strategy to eliminate internal malpractice, especially where it occurs at a senior level.

Broadly speaking, the practical security risks facing businesses may be placed into two categories – external and internal. External risks include events such as natural disasters, industrial accidents, IT failures, climate change, supply chain disruptions, theft, and geo-political and socio-political events (terrorism, military conflict or revolution). We only have to look at what’s going on throughout the world to realise that ‘most countries’ have a huge challenge ahead to protect us all against ‘the upsurge’ in terrorist activities.

Internal risks include factors such as employee fraud or sabotage, or employee errors involving IT or security functions. Placing all of these risks into a rigid or prescriptive hierarchy is, in itself, a problematical exercise and is arguably dependent on the type of business in which a particular firm is involved.

The perception of risk varies from person to person and within corporate organisations, which have varying degrees of ‘risk tolerance’ depending on their position within the global market.

In my experience it does seem that there is one factor which exists across multiple sectors of the economy: globalisation, and the various risks contingent upon it. It is often argued that corporations involved in the global business environment expose themselves to risks reliant on extended value chains and country/economic stabilisation.

Enterprise-related risk takes many forms, such as that for carbon emissions credit trading (via London-based LCH, ICE Futures Europe, or Nasdaq OMX Commodities Europe). These offer firms a way to secure their business by achieving emissions targets. However, in 2011 alone, cyber-theft resulted in ‘the loss of carbon offsetting credits valued at 30 million Euros’ (Chaffin, 2011). In some instances, risk may simply be the outcome of the firm’s core activities, eg of failing to maintain the management of the firm’s policy, strategy, structure and principles with the demands of an evolving and changing environment.

For example, the financial crash of 2008-9 is regarded as the result of growth strategies based on increasingly risky assets. Meanwhile, lobbying organisations such as the UK’s Carbon Trust argue that adverse events linked to climate change will eventually drive consumers to reject brands that are linked to those events. Also, supporters of corporate and social responsibility argue that firms that manage such risks will effectively secure competitive advantage by developing and maintaining appropriate corporate governance strategies.

Internal threats also represent significant security risks for corporations. Even as I write, the UK supermarket Tesco PLC is caught up in an accounting and reporting challenge, which has resulted in the suspension of three senior executives and an 11.6 per cent drop in share prices in a single day. It appears that there have been some internal challenges at Tesco’s, but let’s wait and see what the outcome of their investigations is before casting any doubt or jumping to conclusions – I think the MD has taken the correct steps to deal with this situation. Proper financial reporting is one of the basic principles of corporate governance and Tesco is quite clearly dealing with this at the highest level.

In my opinion, other security risks, such as IT failure and cyber crime, are inevitable. However, in practical terms, we need to try and eliminate them (as far as possible) through good practice driven by policy and regulation. Over the past years, the development of ISO 27001 (Information Security Management) has certainly provided me with the guidance and structure to address the ‘mind blowing’ IT complication of dealing with the physical, technical and procedural minefield within some of the organisations we consult with.

However, it could be argued that, in time, all companies will be subject to these types of incursions and crimes, so we need to look at, and plan for, recovery and damage limitation.

Again, ISO 27001 does provide some really good mitigation advice and, if you want to look at other standards, try ISO 22301 (Business Continuity Management Systems), ISO 31000 (Risk Management), PD 200:2011 (Crisis Management) and PD 25222 (Continuity Supply Chain Management). These all offer useful guidance which will help organisations and risk teams to develop effective risk strategies. Please see the attached diagram, which was developed with Peter Consterdine (FRM) for a piece of work we delivered for a high end ‘global car manufacturer / retailer’ – this demonstrates the ‘Enterprise Risk Model’ with all the associated categories.

In my experience, however, these strategies only work when driven downwards from the board room, where the executives take responsibility and accountability for the ‘risk appetite’ within their organisation, which effectively means creating an ‘effective culture’ supporting and implementing measures to mitigate and manage corporate governance. It seems to me that, in some cases, executives and COOs blame everybody else but themselves when things go wrong.

Having said that, I am a realist and companies have to ensure that they balance the benefits of enterprise risk management with the costs and implementation of all mitigation strategies. Yes, we all have to balance the return on investment, but it’s the cost of doing nothing which worries me.

Security and risk management practitioners do face challenges arising from the nature of our discipline. Also, the work we do is sometimes perceived, particularly by other management professionals, as a drain on resources. Until things go wrong…

Although enterprise risk management is now generally accepted in the corporate environment, risk management is a fairly new aspect of the overall management structure. New legislation, activist shareholders and rising insurance costs have converged to make Integrated Risk Management (IRM) more important.

According to a 2007 article by Fragniere and Sullivan, ‘Natural, geopolitical and financial disasters in the first few years of the 21st century …created a new awareness of risk among the public, businesses and lawmakers. This has spurred the development of several risk management methods, in both financial and non-financial sectors. Respectively, risk managers responsible for creating the ‘risk-enabled company’ have to balance and resource multiple mitigation strategies.’

Risk management practitioners also have specific problems in terms of achieving recognition of their contribution to profitability and justification for their investment. Simply put, successful security management eliminates problems before they impact upon performance. This, in turn, means the corporate community as a whole cannot easily appreciate the value of the exercise. So, an effective security manager may well become the victim of his or her own success.

Lastly, risk management professionals face challenges arising from their own practice and the possibility that they will fail to identify new or unanticipated risks. As Smith and Irwin (2006) put it, managers themselves make the decisions that contribute to ‘the precursors of failure and determine the acceptability of residual risk as well as the appropriateness of mitigation strategies’.

Many risk management frameworks have now been established to meet this challenge by informing consistent best practice (Sadgrove, 2005), for example AS/NZS 4360:1995 in Australia, CAN/CSA-Q850-97 in Canada and JSI Q 2001:2001 in Japan. Meanwhile, after the 9-11 attacks, the UK’s Institute of Risk Management created PAS 56, subsequently replaced by BS 25999.

These are, however, largely qualitative and generic frameworks, and the degree to which they could assist in identifying specific new threats is debatable. For example, it could be argued that such frameworks encourage a normative view of security risk and therefore discourage the identification of new or unfamiliar challenges. Furthermore, frameworks and policies do not guarantee best practice. The scandal-ridden Enron Corporation, for example, reportedly had an excellent ethics policy prior to its demise (Madura, 2010).

Conclusion

In conclusion, it may be argued that corporate security and risk management departments face a wide range of challenges, both external and internal. Furthermore, these are increasing in number and complexity. Not least amongst these challenges is the fact that risk management professionals have to convince the corporate community that investment in mitigation strategies is necessary and beneficial, even where the apparent benefits are difficult to measure. Moreover, as current events suggest, security policies are useless if the corporation’s own management do not follow them.

References:

Chaffin, J., (2011), ‘Carbon trade cyber theft hits E30m’, Financial Times, 20th January, [online], available at http://www.ft.com/cms/s/0/cdb788e8-24df-11e0-895d-00144feab49a.html#axzz25Uj7ePwt [Accessed 20th September 2014].

Tesco PLC, (2014), Preliminary Results 2013/14, [online], available at http://www.tescoplc.com/files/pdf/results/2014/prelim/prelim_2013-14_results_statement.pdf [Accessed 23rd September 2014].

Fragniere, E., and Sullivan, G., (2007), Risk Management: safeguarding company assets, Boston: Thomson.

Smith, D., and Irwin, A., (2006), ‘Complexity, risk and emergence: elements of a “management” dilemma’, Risk Management, 8(4), pp.221-226.

Sadgrove, K., (2005), The complete guide to business risk management, 2nd Edition, Aldershot: Gower.

Madura, J., (2010), Financial Markets and Institutions, 9th Edition, Mason OH: Cengage.
