Created by George Campbell, Security Executive Council Emeritus Faculty member
To estimate the probability of loss in areas of concern, given known vulnerabilities.
Help management to recognize that the business has vulnerabilities that may affect customers. Eliminate plausible denial and engage management for follow-up. Obtain support for elimination of vulnerabilities. Increase participation in essential areas of risk ownership and accountability. Ideally, you want to hear: “I support your objectives in assessing these risks. I accept our responsibility to ensure remedial action on each of these corporate risks and will ask our general auditor to track resolution of each of these findings.”
Conduct multiple tests of policy-based or common-sense safeguards in a variety of protection categories over a six-week period. It's important to advertise the tests and methodology in advance and to include objectives in an annual plan. Think of the strategy in four levels or steps:
* Your protection programs and tactics are built around the achievement of clear, measurable results in terms of reduced exposure to risk. Your first step should be to clearly outline those expected results.
* Make sure that assessment programs are an essential component of corporate governance. Present assessment results to senior management and the audit committee.
* Structure your assessments around measurable criteria of effectiveness (success or failure), and measure your risk and protection elements as you have advertised in your annual plan.
* When you know the results of your metrics, thoroughly analyze and report them in a way that is responsive to management's format for action and accountability.
Where Is the Data? The data is in the risk assessments you routinely perform, which examine the adequacy of key protection measures and uncover gaps in the quality of internal controls around critical assets and business processes. If you have appropriately structured your ongoing recorded measures and have planned your risk assessment processes to provide comparative metrics, you will have:
• Results of tests that yield a percentage of protection system or process failures and successes
• Training records showing preparedness of key players
• Documented frequency and results of prior tests
• Down times of critical systems or business processes
• Specific benchmarks of protection system performance.