Unified Risk Oversight For Security Operational Excellence
A Guide for Influencing and Participating in Enterprise Risk Management
Created by Francis D'Addario, Emeritus Faculty, Security Executive Council and former CSO, Starbucks Coffee Company; and Kathleen Kotwica, Ph.D., EVP and Chief Knowledge Strategist, Security Executive Council
Introduction
This report summarizes a more detailed Security Leadership Research Institute (SLRI) Security State of the Industry project. It opens a discussion of organizational risk management and operational risk management frameworks, and explores considerations for engaging, integrating and governing operational and cross-functional subject matter expertise for improved risk outcomes.
This brief guide was influenced by next generation thought leader forums that convened academics, researchers, and risk practitioners. Companies and institutions that participated include AON, Boeing Company, Bill and Melinda Gates Foundation, Cardinal Health, Celanese, Capital One, Coles College of Business (Kennesaw State), Darla Moore School of Business' Risk and Uncertainty Management Center (University of South Carolina), Delta Air Lines, Hilltop Holdings, MITRE Corporation, MD Anderson Cancer Center (University of Texas), Procter and Gamble, Red Hat, State Street, TD Bank, and more.
We find that, despite best intentions, enterprise-wide risk management often fails; British Petroleum's Deepwater Horizon catastrophe is one of many examples. All-hazards risk mitigation assurance requires getting beyond one-dimensional, compliance-only, enterprise risk "list" management.
Programs that work are multi-dimensional, operationally integrated and relevantly informed by cross-functional subject matter expertise. They include:
Enterprise Risk Management (ERM) Shortfalls
A review of the literature reveals that enterprise risk management has shortfalls in the following five areas:
As part of the Security Executive Council's (SEC's) Enterprise/Security Risk Alignment process, business stakeholders are interviewed. These interviews yield compelling answers for all-hazards risk mitigation improvement. Many business leaders recognize that the siloed, stand-alone risk mitigation units (Audit, Business Continuity, Compliance, Risk Management, Safety and Security), although well-intentioned, seldom perform optimally. Each was typically introduced in an organic fashion, at millions of dollars of expense, without clear and concise cross-functional and operational performance mandates. Return on investment is dubious, particularly when emerging risks threaten to overwhelm sluggish planning, detection and response. Unified Risk Oversight™ (URO) answers the call for a more collaborative and cost-effective risk mitigation strategy. As part of this concept, it is recommended that those working at the operational level of risk (e.g., Security) consider forming an advisory committee. Engaged and continuously informed leaders can bolster a higher-level enterprise risk initiative.
What is an Operational Risk Leadership Advisory Committee or Council (ORLAC)?
What it is:
What are the Benefits of an Operational Risk Leadership Advisory Committee or Council (ORLAC)?
Using Processes and Frameworks to Manage Operational Risk
Brand reputation, insurance, financial, liability and resilience considerations drive all-hazards risk programs to optimize outcomes for all stakeholders. Processes and frameworks vary; most promise resilience but disappoint in operational performance. Recognized proven practices, by contrast, can promote the brand loyalty and stickiness that attract and retain customers, strategic partners and talent.
A blended approach to risk identification and operational integrity assurance may be most pragmatic. Good advice includes this from Herb Mattord, Professor, Coles College of Business: "Unless legally mandated, don't pursue certification to any framework unless it serves your organization's objectives. Don't be distracted from pursuing your own strategic, process-driven, metrics-based program that seeks ongoing continuous improvement." Establishing a continuum to provide context for what good protection-in-depth looks like is prudent for cross-functional performance (see Figure 1 below).
Figure 1: Risk Continuum
A Few Examples of Operational Risk Frameworks
ISO 31000
Governments and international institutions are increasingly discovering that risk conditions and mitigating infrastructures are interconnected for hazard detection, emergency response and critical incident management. Adopting a risk management standard like ISO 31000, used internationally by both the private and public sectors, can provide advantages for intramural drills, exercises and tabletop scenarios.
ISO 31000:2009 was developed on the basis of an existing risk management standard, AS/NZS 4360:2004. The framework contains the following steps:
A revision was anticipated by 2017 to meet practitioners' needs for stronger governance of risk management systems (see: http://www.iso.org/iso/home/news_index/news_archive/news.htm?refid=Ref1963); that revision was subsequently published as ISO 31000:2018.
Operations Integrity Management System (OIMS)
ExxonMobil's Operations Integrity Management System (OIMS) addresses all aspects of doing business that can affect personnel and process safety, security, health and environmental performance. It contains 11 elements, including:
For more see http://www.corporate.exxonmobil.com/en/company/about-us/safety-and-health/operations-integrity-management-system
Unified Risk Oversight™
The Security Executive Council (SEC) has developed a concept called Unified Risk Oversight™ (see Figure 2). An effective URO program rests on three foundational principles:
Businesses typically have a risk-management program, but its operations are too often cordoned off from other departments, which can prevent the right people from getting necessary information. Communication is crucial to this model. While not a risk framework per se, it should be used to help govern risk management across the enterprise.
Figure 2: Unified Risk Oversight™
Your Role in Enterprise Risk Management and Operational Risk Management Assurance
While Enterprise Risk Management and Operational Risk Management arguably remain two distinct lenses for risk management, their combined processes and capabilities enable higher levels of integrated mitigation assurance and confidence. Together they provide a likely path to resilience when attended by persistent operational performance monitoring, anomaly detection, communications and response. As a security practitioner, your role can be that of the experienced and influential critical event responder who has witnessed, if not paid a price for, less thoughtful planning.
ERM + ORM + URO =
Stakeholder interview or survey questions that may be helpful in engaging responsible leaders in the ORLAC process:
In Closing
This is a call to action for Security and other risk management leaders, who now carry presumed duties and brand expectations that extend well beyond legal compliance: cross-functional team acuity and a return for every dollar invested. Outdated risk mitigation architectures and solutions have a short shelf-life. Practitioners can no longer rest on their historic heroic laurels.
The clock is ticking. Business needs for mitigating emerging risks and threats prevail. Companies effectively guided by enterprise risk management, operational risk management and unified risk oversight are better positioned to adapt and reinvent. Share this with your colleagues. Feedback in the form of proven frameworks and performance metrics is appreciated in advance and will be shared with our community.