Improving Security Risk Management
The security industry is moving in the direction of placing greater importance on risk management, especially where it converges with security management. This reality will eventually affect virtually all security professionals, at all levels of an organization. It will require that we change the way we think about our jobs, and the way we communicate what we do for our organizations. In some cases, it will require that we acquire and apply new skills. To be successful, we will need to also find and employ better tools.
The View From The Top - ASIS International is the preeminent global association of security professionals. Its CSO Roundtable published Enterprise Security Risk Management: How Great Risks Lead to Great Deeds; A Benchmarking Survey and White Paper in April 2011. That survey of 80 Chief Security Officers (CSOs) and 200 security professionals indicated that 80% of the organizations represented have formalized their risk analysis processes. Half of the participants stated they have a regulatory mandate to conduct Enterprise Risk Management (ERM). That message is echoed by thought leaders at the Security Executive Council, who state that enterprise risk assessment is one of those universal issues that will impact all of us in the security industry.
ERM is not a new concept. But the participation of senior security professionals in the ERM process is more recent, and on the rise. Enterprise Risk Management is a framework which includes the methods and processes that drive risk management for an entire organization, including managing risks and leveraging opportunities. The “highest risks” within the organization often must be communicated to the Board, and likewise disclosed to stakeholders.
For any organization to determine their highest, or “board level”, security risks, they must assess and know about security risks from their various business units, as well as those security risks from within the corporate offices. That would seem easy enough. We’ve all done security risk assessments. Yet, from my experience, the key question is often NOT if we are doing security risk assessments. It’s more HOW we are doing them. Are we even using a common methodology? That challenge is magnified for multinationals or organizations operating in dozens of countries, with different languages, and all with different levels of maturity and basic understanding of risk management.
The Quest for a Common Methodology – While many fellow security professionals have long recognized the importance of using risk management practices in our daily duties, only recently have we begun to find agreement or consensus around a common methodology.
ISO 31000 - Risk Management - Principles and guidelines is the most recent international standard on the general subject of risk management. It is relatively new, having been published in November 2009. It is intended to be a broad-based “best practice” that can be applied to a “wide range of activities, including strategies and decisions, operations, processes, functions, projects, products, services and assets” and “applied to any type of risk, whatever its nature, whether having positive or negative consequences”. This standard is accompanied by ISO/IEC 31010 - Risk Management - Risk Assessment techniques, which catalogs the assessment techniques (such as consequence/likelihood matrices) that ISO 31000 itself deliberately does not prescribe.
In drilling down from the macro (ERM or ESRM) toward the micro (performing a security risk assessment), ASIS already has a guideline entitled the ASIS General Security Risk Assessment Guideline. This guideline “provides a seven-step process that creates a methodology by which security risks at a specific location can be identified and communicated”. Although it was published in 2003, predating ISO 31000, many of the tenets in this seven-step process are consistent with the new ISO standard.
ASIS is also now forming a committee to develop a new Risk Assessment Standard (201X). According to Dr. Marc H. Siegel, Commissioner, Global Standards Initiative at ASIS International, this new ASIS Standard “will be aligned with the ISO 31000”.
All indicators seem to point to the new ISO 31000 standard becoming that base for our common methodology. ASIS will be instrumental in specifically applying those principles into standards and guidelines for security managers and our industry.
Challenges in the Application of Security Risk Management Principles – Even with an industry trending toward risk management, and with a common methodology, there remain challenges in accepting and applying these principles.
A colleague, who is a CSO, recently told me, “statistics make my head hurt”. He explained that thus far his security department has been able to opt out of participation in their corporate ERM process. As he opined, “security is more like art; and security risks really can’t be calculated”.
I agree, in part, that applying principles of risk does require some “estimation”. Getting to the “probability of a future event”, like any forecasting exercise, can be somewhat subjective. Often it requires using a “gut feeling”, which might be more akin to “art” than science. So the exercise of estimating risk does require a new skill set, one that can sometimes be uncomfortable for a professional security manager who has not yet acquired that ability.
But I would disagree with a strategy where a security department “opts out” of the ERM process. Peter Drucker, a well-known management consultant, is often credited with the quote, “you can’t manage what you don’t measure”. His quote is cited in an April survey from the consulting firm KPMG, entitled “Risk Management - A Driver of Enterprise Value in the Emerging Environment”. This recent survey highlights that there remain significant challenges within organizations in how risk management is understood and communicated. Specifically noted are the challenges of aggregating and quantifying risks, and of embedding a risk culture within an organization.
A security department operating as an “island” within an organization cannot, almost by definition, be maximally effective. The constantly changing and fluid nature of the new global environment demands integration and communication with the other sections of a company.
Being successful as a security professional in tomorrow’s security industry will require buying into the concept of “risk management”, and learning how to apply it in the security field. To be successful we will need to acquire the tools, skills and comfort level to estimate risks as accurately as we can: the probability that a future security event might occur, and the consequence it could have on our organization.
What to Look for When Leveraging Technological Solutions – If you seek to improve security risk management, even when armed with the common methodology, technological “tools” may be desirable to effect change throughout your organization.
Multinational corporations and other world-wide organizations need new tools to ensure that security risk assessments done in Bangkok are done the same way, to the same standard, as those done in Buenos Aires and Lagos. Those tools need to be user friendly, saving time at the user level, with the objective of producing as accurate an estimate of security risks as possible, reducing “subjectivity” along the way.
To be of value to the organization, tools must enable better, more rapid communication of security risks, both horizontally and vertically, within the hierarchy – from the business unit to the Board, for faster, better decision making. These tools must also connect back into any given corporate ERM (ESRM) processes.
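The roll-up described above, from site-level assessments to a board-level view, depends on every site scoring against the same scales; otherwise a "7" from one site cannot be compared with a "4" from another. The following is an added example written for this article, not code from Chatter, ASIS or ISO. ISO 31000 does not prescribe a scoring formula; the 5x5 likelihood-by-consequence matrix, the banding thresholds, the site names and the sample register entries are all assumptions constructed for illustration. The example validates each entry against the common scales, rejects (rather than silently averaging in) an entry submitted on a local scale, and ranks the remainder into a top-N list and a worst-rating-per-category summary.

```python
"""Added example: a minimal common-methodology risk register roll-up.

Illustrative code only; not Chatter, not an ASIS or ISO tool. The 5x5
likelihood/consequence matrix is one technique listed in ISO/IEC 31010
and is an assumption of this example, not something ISO 31000 mandates.
"""
from dataclasses import dataclass
from collections import defaultdict

# Common scales every site must use (assumed descriptors, not from the standard).
LIKELIHOOD = {1: "rare", 2: "unlikely", 3: "possible", 4: "likely", 5: "almost certain"}
CONSEQUENCE = {1: "negligible", 2: "minor", 3: "moderate", 4: "major", 5: "severe"}


@dataclass
class RiskEntry:
    site: str
    category: str      # e.g. "theft", "civil unrest", "kidnap"
    description: str
    likelihood: int    # 1..5 on the common scale
    consequence: int   # 1..5 on the common scale


class ScaleError(ValueError):
    """Raised when an entry does not use the common 1..5 scales."""


def validate(entry: RiskEntry) -> None:
    """Reject any entry whose scores are off the common scale."""
    for name, value, scale in (("likelihood", entry.likelihood, LIKELIHOOD),
                               ("consequence", entry.consequence, CONSEQUENCE)):
        if not isinstance(value, int) or value not in scale:
            raise ScaleError(f"{entry.site}: {name}={value!r} is not on the common "
                             f"1..{max(scale)} scale")


def score(likelihood: int, consequence: int) -> int:
    """Cell of the 5x5 matrix: 1..25."""
    return likelihood * consequence


def band(s: int) -> str:
    """Assumed banding of the matrix; tune to the organization's risk appetite."""
    if s >= 15:
        return "extreme"
    if s >= 8:
        return "high"
    if s >= 4:
        return "medium"
    return "low"


def assess(register):
    """Validate and score every entry; return (scored, rejected)."""
    scored, rejected = [], []
    for e in register:
        try:
            validate(e)
        except ScaleError as err:
            rejected.append((e, str(err)))   # surfaced to the submitter, never averaged in
            continue
        s = score(e.likelihood, e.consequence)
        scored.append({"site": e.site, "category": e.category,
                       "description": e.description, "score": s, "band": band(s)})
    return scored, rejected


def board_view(scored, top_n=3):
    """Top-N risks across all sites plus the worst rating per category."""
    ranked = sorted(scored, key=lambda r: (-r["score"], r["site"]))
    by_category = defaultdict(int)
    for r in scored:
        by_category[r["category"]] = max(by_category[r["category"]], r["score"])
    return ranked[:top_n], dict(by_category)


# Constructed sample registers from three sites; not real assessments.
SAMPLE_REGISTER = [
    RiskEntry("Bangkok", "civil unrest", "Protests near regional office", 4, 3),
    RiskEntry("Bangkok", "theft", "Laptop theft from hotel rooms", 3, 2),
    RiskEntry("Buenos Aires", "theft", "Cargo theft on port road", 4, 4),
    RiskEntry("Buenos Aires", "civil unrest", "Road blockades during strikes", 3, 3),
    RiskEntry("Lagos", "kidnap", "Expatriate kidnap for ransom", 3, 5),
    # One Lagos line was scored on a local 1..10 scale; it must be rejected.
    RiskEntry("Lagos", "theft", "Fuel theft from generator compound", 7, 4),
]

if __name__ == "__main__":
    scored, rejected = assess(SAMPLE_REGISTER)
    top, per_cat = board_view(scored)
    for r in top:
        print(f"{r['band']:8} {r['score']:2}  {r['site']:13} {r['category']:13} {r['description']}")
    print("worst per category:", per_cat)
    for e, why in rejected:
        print("REJECTED:", why)
```

The rejection path is the point a practitioner should not skip: a tool that quietly accepts off-scale input produces a board list that looks consistent but is not, which is worse than a visible gap in the register.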
To enhance the security professional’s effectiveness, technological solutions have to go beyond software which merely registers or reports a risk. As security professionals, we are charged with knowing as much as possible about the security environments in which we operate. The ASIS General Security Risk Assessment Guideline (2003) says one must look at the history of previous events and incidents in any area, which we call “Situational Awareness”. And I agree that the task begins with reviewing a number of sources of information, efficiently and continually.
Tools like digital maps or GIS based applications can dramatically assist security professionals in this effort. As the ASIS guideline indicates, most of those sources of information are local. The marketplace so far has focused on providing subscription based information services. Those products provide a broad, overarching strategic account of “what is happening and where”. Unfortunately, many of those same products fail to provide and track the locally relevant tactical data we need in order to have fidelity in our security risk assessments.
High quality tools will help guide an organization in the estimation and management of security risks, using an approved methodology like the ASIS guidelines or ISO 31000. Those types of tools help bridge the gaps between language and risk culture within different operating environments, to ensure a more consistent and effective outcome within any organization.
A Final Thought - It’s clear that in today’s fast paced and rapidly changing world, the security professional’s job is becoming more and more difficult and demanding. Yet the means exist to convert that challenge into an opportunity to become more effective, more proactive, more integrated with, and more integral to the overall organization. New methods and innovative new tools make accepting and meeting this challenge not only possible, but more practical and productive than ever.
About the Authors: Mike Faessler is the President of Oversight Risk Consulting in Bogota, Colombia. Mike is a retired US Army officer, and has previously worked in a variety of security roles, including as a government contractor, and most recently in the private sector as a global head of security within the mining sector. Mark Morgan is the CIO for Oversight, and a veteran in the IT field with 30+ years experience in systems administration, programming, and IT management. In March, Oversight launched Chatter, a web based software designed to help security and risk professionals better manage their security risks around the globe. Chatter uses an ISO 31000 methodology adapted specifically for the security industry. Chatter incorporates digital maps (GIS) and social networking functions – to allow trusted colleagues to selectively exchange security based information. Chatter is on the leading edge of technological solutions available in the marketplace today.
- Contact Information
- Mike Faessler
- Oversight Risk Consulting
- Contact via E-mail
This news content may be integrated into any legitimate news gathering and publishing effort. Linking is permitted.
News Release Distribution and Press Release Distribution Services Provided by WebWire.