Making the Case for an Operational Risk Leadership Advisory Council
A Guide for Influencing Enterprise Risk Management at the Operational Level
Introduction
We find that, despite best intentions, enterprise risk management often fails. British Petroleum's Deepwater Horizon catastrophe is one of many examples. Risk mitigation assurance requires that we get beyond one-dimensional, compliance-only, enterprise risk "list" management. One way to do that is to embrace the concepts of enterprise risk governance and communication not only in the Boardroom but at the operational level.
This report summarizes a more detailed Security Leadership Research Institute (SLRI) Security State of the Industry project that was developed with input from academics, researchers, and risk practitioners. Companies and institutions that participated include AON, Boeing Company, Bill and Melinda Gates Foundation, Cardinal Health, Celanese, Capital One, Coles College of Business (Kennesaw State), Darla Moore School of Business' Risk and Uncertainty Management Center (University of South Carolina), Delta Air Lines, Hilltop Holdings, MITRE Corporation, MD Anderson Cancer Center (University of Texas), Procter and Gamble, Red Hat, State Street, TD Bank, and more.
We recognize that the goal of enterprise risk management is both to confront hazards and to uncover mitigation opportunities. Because this report is created with and for corporate security practitioners, its insights speak primarily to that audience for organizational protection. However, all corporate executives with an eye for risk in the enterprise can benefit from the concepts laid out here.
Enterprise Risk Management Ideals and Shortfalls
For an ERM program to work, it needs to be multi-dimensional, operationally integrated and cross-functional. This includes:
However, our observations show that enterprise risk management commonly experiences shortfalls in the following areas:
Many business leaders interviewed by the Security Executive Council recognize and understand that siloed, stand-alone risk mitigation units, including Audit, Business Continuity, Compliance, Risk Management, Safety and Security, although well-intentioned, seldom serve optimally. Often each was introduced in an organic fashion, at millions of dollars of expense, without clear and concise cross-functional and operational performance guidance, making return on investment dubious.
We recommend that those who are working at the operational level of risk (e.g., Environmental Health, Safety, and Security) consider forming an advisory committee that reports to the executive-level risk management team. Engaged and continuously informed operational leaders can bolster a higher-level enterprise risk initiative. The concept of the operational advisory committee is one part of the Council's Unified Risk Oversight™ (URO) model for collaborative and cost-effective risk mitigation.
What is an Operational Risk Leadership Advisory Council (ORLAC)?
It is not:
What are the Benefits of an ORLAC?
Using Processes and Frameworks to Manage Operational Risk
Brand, insurance, financial, liability and resilience considerations drive risk programs to optimize outcomes for all stakeholders. There are a variety of processes and frameworks upon which to base these programs, such as ISO 31000 [1], ExxonMobil's Operational Integrity Management System [2], RMA's Operational Risk Management Framework [3], and COSO's Enterprise Risk Management - Integrating with Strategy [4].
A blended approach to risk identification and operational integrity assurance may be the most pragmatic option. Herb Mattord, Professor, Coles College of Business offers this advice: "Unless legally mandated, don't pursue certification to any framework unless it serves your organization's objectives. Don't be distracted from pursuing your own strategic, process-driven, metrics-based program that seeks ongoing continuous improvement."
Organizations must understand what "good protection" looks like. They may choose to consider establishing a continuum like the one below to provide context for continuous cross-functional performance.
Figure 1: Risk Continuum
Unified Risk Oversight™
The Security Executive Council's Unified Risk Oversight (URO) concept, while not a risk framework per se, should be used to help risk management governance across the enterprise. An effective URO program rests upon three foundational principles:
Businesses that have enterprise risk management programs still too often have their operations cordoned off from some departments, which can prevent the right people from getting necessary information in time. Evolving Duty of Care compliance, for example, may conflict with evolving Privacy requirements. Cross-functional governance is key to nimble team risk mitigation operations, particularly when life-safety is on the line. We propose that operational risk management frameworks serve as another layer of internal control at the day-to-day operational level. Communication, provided by URO, is crucial to this model. The ORLAC is the intermediary that carries operational issues up to the Enterprise Risk Council.
Security's Role in Enterprise Risk Management via Operational Risk Management Assurance
While Enterprise Risk Management and Operational Risk Management arguably remain two distinct lenses for risk management, their combined processes and capabilities enable higher levels of integrated risk mitigation assurance and confidence. Their considerations provide a likely path to resilience when attended by persistent operational performance monitoring, anomaly detection, communications and response. As a security practitioner, your role can be that of the experienced and influential critical event responder who has witnessed, if not paid the price for, less thoughtful planning.
ERM + ORM + URO =
Stakeholder interview or survey questions that may be helpful in engaging responsible leaders in the ORLAC process:
In Closing
This is a call to action for Security and other risk management leaders who now have duties and brand expectations that extend well beyond legal compliance. The clock is ticking. Companies effectively guided by a multilayered approach of enterprise risk management, operational risk management and unified risk oversight are better positioned to adapt and protect.
[1] A structured approach to Enterprise Risk Management (ERM) and the requirements of ISO 31000
[2] Operations Integrity Management System
[3] Operational Risk Management Framework
[4] Enterprise Risk Management - Integrating with Strategy and Performance
For more information on this topic see Risk-Based Security: Board Level Risk/ERM
Copyright Security Executive Council. Last Updated: September 10, 2018