Sometimes great ideas come with big consequences. The continued business trends toward globalization, advantages of economic scale and strategic partnering are multiplying corporations' opportunities, but they're also multiplying the impact of risk failure. One risk failure at a single point in a company or its supplier network - particularly one picked up by the media - can now have a profound effect across the entire enterprise, placing a company in jeopardy far beyond traditional measurements. It is clear, for example, that the failure to properly design a gas pedal can create repercussions beyond the scope and imagination of an automobile company's engineering department.
Risks come in all sizes and shapes; most can be and are responded to correctly, but the failure to recognize the potential consequences of a risk failure beyond the initial report can bring serious damage to companies. Add to that the scandal-induced requirements for greater accountability and oversight, and it's clear why we've seen an increased push from boards of directors and senior management to conduct enterprise risk assessments and follow through with robust risk management.
Traditionally, risk management has been coordinated by only a few business units of an organization. This may make sense for some industries, but for most, an approach coordinated across the enterprise will yield better risk mitigation strategies and tactics.
A Conceptual Risk Picture
As management and the board strive to develop a clearer picture of risk in their organizations, they should endeavor to look across all functional groups to review, organize and monitor the company's diverse collection of risks. The Security Executive Council, a problem-solving research and services organization that involves a wide range of risk mitigation leaders, has analyzed many corporate enterprise risk assessment plans and strategies to identify common concerns and opportunities to create a more consistent risk oversight process. The work was part of a research initiative to create a baseline corporate risk landscape that shows security's involvement in risk management.
The focus of the study was to identify risks that had security-related consequences and areas in which security mitigation strategies would add value to overall enterprise risk reduction. However, this process of risk identification and classification could be applicable to any function of the company.
[Figure 1: The graphic depiction of the Security Executive Council's research: enterprise risks, business activities with security issues, and security programs/mitigation strategies.]
After analyzing numerous and diverse enterprise risk assessments, the Council identified common risks that faced corporations. These were organized into eight descriptive categories (left column of graphic).
Next, they identified activities under each category that had related security risks (second column). This list represents many of the risks the Council community has typically encountered, but is not meant to be an exhaustive list. Last, the Council drew upon the successful practices and experience of its large faculty of former security and risk professionals (its Collective Knowledge™) to match security mitigation strategies to each "floor" of the corporation (third column).
The purpose of the research output was to provide a direct link between each business category and the potential use of a security program to mitigate the risks identified. Why security? Most security programs are designed to cross all business units; that puts the security function in a strategic position to help provide enterprise-wide protection against an array of risks. Security protection programs do not by their nature have to belong to the corporate security department. Instead, they are often shared programs in which a team comprising several business units collaborates to provide risk mitigation. Coordination with human resources on the new-employee background verification process is a classic example, usually involving HR, security and legal.
Council Tier 1 Leaders use this tool to map how the security function can add value through risk mitigation strategies across the enterprise. They report that displaying the risks in line with the values of the board helps them gain support and move initiatives through the organization.