Security Risk Assurance – (5) Tips for Risk Managers, CEOs and Boards

Tampa, FL – WEBWIRE – Friday, October 30, 2015

Knowing Your Security Risks

Risk ownership ends with the CEO. Boards too have assurance or oversight responsibilities especially related to the highest risks in an organization.

Risk managers, senior executives and even Boards often provide oversight to security management programs. This article provides some practical tips on how to improve your assurance function while exercising that oversight.

#1 - Know Your Security Risks – There is no security program component more important than security risk management. Security mangers have to be able to answer the question, “Are we secure”? This question requires that the organization knows their security risks, and also knows when and where risks are outside of acceptable levels.

If you don’t know the relative security risks to your people and assets, at all of the US and overseas offices, as well as risks to personnel during travel, then you are flying blind. Knowing your risks is much more than looking at a risk map and saying that “this country is Orange, and therefore a Level 4 risk”.

Security professionals need to show their ability to arrive at detailed security risk estimates using industry best practices, ideally from established and acceptable sources. Both the ISO 31000 and the American Society of Security Professionals (ASIS) standards are both excellent.

Knowing your security risks is a bit like taking a “Polaroid snap-shot”. Situations are fluid and risks change, so continuous monitoring is required to insure that the “snap-shot” becomes a movie.

#2 - Get the Metrics Right – It’s not all about the tracking the number of security incidents. Sure, when higher profile incidents occur good companies perform a lessons learned. The hope is to prevent a repeat of a similar incident. But this does little to intervene on the next incident before it occurs.

Too often I hear the supposition that, “our security program is pretty good, because we have had very few incidents over the last several years”. This comes from organizations which place too much or exclusive emphasis upon reactive metrics (incidents) within their safety and security programs. Organizations with mature risk cultures have low occurrence rates as a direct result of proactively managing security risks. They are good at assessing, communicating and managing risk at every level within their organizations.

So, get proactive. Get out in front of the next security incident which is about to occur…but hasn’t yet! Try to shape your monthly, quarterly and annual reporting to focus most on the proactive metrics. Insure security professionals have those same performance indicators in their role descriptions.

#3 – Resource to Your Risks – Managers at all levels get paid to allocate resources for the best organizational performance. Security resources include your security personnel, budgets and technology. Too often resources are not associated with maintaining risks at certain levels. This means that resources are often wasted or at least not optimized.

Whether an organization has a large or small security department, whether the budget is robust or lean, it’s important to frame the resource discussion in terms of security risk levels desired by the organization. There is a direct relationship between risk levels and spending in every organization. So, when budgets or resources are lean, be sure to you think through how this might affect overall security risk levels in the organization and where.

On the flip side, when security risks are rising, they merit a review to see if new risk levels are acceptable, or if they require resources to be reallocated to bring the risk back to lower levels. When senior executives fail to resource in the face of rising risks, then it does become relevant. When in the face of unacceptable levels of risk, then it might even rise to become gross negligence.

#4 – Insure Security Managers Know How They Help Grow Your Business – There are a whole range of operational, support and sales employees that will tell you, “We have to be able to get out there and engage people, travel - conduct business, and sometimes even operate in dangerous locations around the world”.

Macro trends show that the world is increasingly a “dangerous place”. So it’s all about managing your security risks while in those situations. We ALL take risks every day, and we ALL need to. You took a risk just going to work today, to sit down and read this article. That ideal state of “zero risks” doesn’t exist - anywhere.

Good security managers know how they can ENABLE the business to operate and grow. They do this by assessing your risk levels, and then providing solid advice about which security risks you can take, when, where, and how, focusing on limits of risk appetite and tolerance for the organization. They shouldn’t tell people to not take risks.

As a private sector security manager I tried to never tell executives that they couldn’t do something. Rather, I told them under what conditions their objectives could be done safely and securely…according to security risk matrix for the organization which established our acceptable levels of risk. However, while operating in higher risk locations, sometimes my “conditions” could be viewed as somewhat onerous too.

#5 – Oversight and Assurance Should Include the C-Suite and the Board - Risk ownership ends with the CEO. Boards too have assurance or oversight responsibilities especially related to the highest risks in an organization. This responsibility is very serious, and failing to adequately manage risks can have severe consequences. Incident and crisis can and do occur. Not every incident can be prevented. But when the ensuing investigation begins, it will look at what the organization should have known and should have done to reasonably address risks BEFORE incidents occur.

Risk management shows proactivity, and the lack of proactivity invites lawsuits to the organization, the executives and even the Board. Service sector businesses should be reminded that they still have assurance and oversight responsibilities for their people and assets that may be working overseas under contracts and/or when they perform on property belonging to another client. In other words, just because your client provides security for your employees at worksite, that doesn’t eliminate your ethical and legal responsibilities of knowing and ensuring that, your people are safe and secure.

Keeping these tips in mind should go a long way to helping provide effective security risk assurance.