Seeing Opportunity Through Risk
As security continues to move from a support function to a critical business partner, industry professionals have worked to master such skills as financial management, leadership, team building, and strategic thinking. With these skills in hand, security professionals now need a platform to allow them to manage at a higher level and integrate security needs throughout the organization while also overseeing the convergence of operational security and cybersecurity. This platform is enterprise risk management (ERM).
However, the concept of ERM can easily get lost in industry jargon or used as a convenient, but empty, buzzword. To get to the heart of ERM, security must determine the various ways that ERM is being defined and deployed and how it is influencing organizations to take action.
ERM is a holistic process used by organizations to manage risks and capitalize on opportunities. The process includes all the risks that may occur within the context of pursuing an organization’s objectives. ERM focuses on questions related to the likelihood of such risk and the degree of impact it would have on the organization if it occurred. Finally, ERM uses metrics to ensure conformance to internal and external standards, which can also be used for purposes of continuous process improvement. ERM can be a slippery term, however, because it can mean different things in different industries. Historically, for example, ERM in financial institutions has focused on financial risks, largely to the exclusion of security-based risks.
It is also worth mentioning that many organizations have ESRM (enterprise security risk management) programs in effect. ESRM, which has been called the on-ramp to a full-blown ERM program, includes all the risks in which security professionals or departments can expect to be involved and in which they have some experience and expertise. ESRM might include loss prevention, investigations, background screening, audits, and antifraud measures, for example, but not such topics as process risks, currency fluctuations, and liquidity risks. These latter issues would, however, typically fall within an ERM program.
For the purposes of this article, ERM includes input from the security department and is roughly equivalent to what other organizations might call ESRM. In the following discussion, several consultants weigh in on how they engage their clients to use the ERM method by gaining commitment from executives and defining the problem. The consultants then present case studies that illustrate the power of the process.
Since ERM requires a collective perspective and commitment, executive leadership is indispensable. According to Jeff Slotnick, CPP, PSP, and CSO of OR3M, an endeavor of this nature needs to have firm leadership from the top of the organizational structure. “There should be one person with absolute decision-making authority who is directly responsible for the ERM process and keeps stakeholders informed,” he says. “In many organizations this is the chief security officer, or CSO. The CSO should be a full partner in the governance infrastructure of the organization. If a comprehensive assessment of any area of risk supports the need for a function-specific security role, the assignment of high accountability ensures an integrated security strategy, with less duplication of effort and overall cost.”
According to Ben Butchko, CPP, who is CEO of Butchko, Inc., it is important that this leader be able to articulate the risk to senior management in terms of consequence to the business value of the organization. “This means I need to express the risk in terms of something tangible that can be understood by the C-suite. For example, the risk of ‘X’ will result in the loss of ‘Y’ to the organization, expressed in dollars and cents. Where and how this is reported is also crucial. Many a good risk assessment gets placed on a shelf and gathers dust. It is filled with countless spreadsheets, graphs, and data points, yet lacks a clear and compelling narrative that punches across the principal themes of the analysis and frames the conclusions clearly in the first or second page.”
It takes a knowledgeable, articulate, and trusted executive sponsor to justify sufficient resources in the form of time commitment, funding, and facilities necessary for an ERM program. Often the ERM process stalls before it gets started because the value of the process cannot be articulated until a complete assessment is conducted.
Definition and Analysis
Defining the scope of the project is the first step in ERM. However, the danger is that the security professional may not receive the whole picture. According to Ray Bernard, PSP, president of RBCS, “risk identification is usually narrowly focused on the major risk factors, and often doesn’t take into account aggregate risk.”
The cumulative experiences of the consultants interviewed for this article indicate that the ideal method is to insist upon an “all-hazards” risk approach even if the initiative is driven by an incident or a newly uncovered risk. If the consultant can become involved at an initial stage, the scope of the project can be broadened to improve the process. For example, Butchko’s team was involved early on in an analysis of a new administrative headquarters office and expanded warehousing operation. During initial meetings, Butchko learned that the company was working to ensure compliance with existing regulations. This became a pivotal moment for the organization, and Butchko created the basis of a plan that would later provide a solid foundation for the company’s entire security program, including compliance issues.
Because executive buy-in and commitment have already been established, capturing the requirements needed to meet the organization’s goals, mission, obligations, and legal responsibilities will help clarify the scope. The enterprise will also want to consider critical operational objectives, assets, functions, services, and products. Finally, risk scenarios for events that could adversely affect the critical operations and functions of the organization should be identified and reviewed.
The next step in this process is to conduct a comprehensive risk assessment to determine potential threat scenarios. Sometimes the risk assessment uncovers individual issues that can be remedied. For example, Butchko conducted a risk assessment on a luxury hotel that is routinely visited by government dignitaries. In the process of assessing the perimeter gate operations and procedures, the team learned that the gate guards were routinely reporting the imminent arrival of a dignitary’s vehicle or helicopter over an unencrypted VHF radio. Butchko’s team recognized this communications vulnerability, which hotel security was not aware of.
ERM in Action
Once the stage is set, with executive buy-in, analysis performed, and risk assessment in hand, security managers can devise a comprehensive ERM program. Following are three case studies that illustrate how ERM was used to address compliance, organizational, and legal issues.
When Butchko’s team conducted a qualitative risk assessment at a manufacturing company’s headquarters and distribution facility, compliance was a key issue. The company participated in Customs-Trade Partnership Against Terrorism, a voluntary supply-chain security program led by U.S. Customs and Border Protection. To qualify for certification, organizations must have a documented process for determining and alleviating risks through their international supply chain to gain expedited processing of cargo. Butchko’s client also was subject to the Chemical Facility Anti-Terrorism Standards, a set of U.S. government security regulations for high-risk chemical facilities.
Butchko helped organize a team that included principal consultants with expertise in risk assessment and threat and intelligence assessment, as well as engineering, systems design, and security. Butchko also included three members of the client’s organization, including the vice president of warehousing as well as the facility, loss prevention, and security team.
Although the client team members intentionally maintained distance during the information-gathering process—to ensure its objectivity and integrity—they were involved in supporting the assessment through participation in personnel interviews. By doing this, Butchko was able to quickly secure buy-in and improved the odds of success by having staff participate in producing the results. Additionally, Butchko created institutional knowledge and continuity, which helped support and justify the long-term security plan.
The plan included recommendations that were prioritized by their value in reducing risk and operational costs. An implementation-planning template was provided as a project management tool. This tool was updated on a monthly basis to track the progress of the security program. The assessment results and planning tool were then used to develop the security master plan.
The company implemented aspects of the plan with initial priority going to the items that were easiest to accomplish. Next, complicated issues requiring significant financial investment were sent out for bids. Examples of significant projects included an upgraded and integrated physical security system, a new security operations center, consolidation of guard force management into a companywide contract, and establishment of active-shooter policies, procedures, training, and exercises at all sites.
Butchko’s client has now been following this plan for five years, and more than 90 percent of the recommendations have been implemented, with another 5 percent planned for this year. In addition, buildings that have been constructed during this period followed the plan provided in the original assessment, allowing them to become operational with few issues.
Slotnick was recently hired by a large enterprise client with facilities around the world as part of an integrated consulting team that also included representatives of three other consultancies. They were all organized around a technology and services platform called Virtual Security Operations Center—Risk Assessment, or vSOCra. “This technology platform allowed us to conduct individual assessments for the client against a common ERM standard and aggregate the information in real time,” said Slotnick. “As a result, the lead assessor was able to immediately apply analytics to the data collected and conduct trend analysis.”
This integrated team conducted all-hazards risk threat and vulnerability assessments for seven of the client’s sites in the continental United States. Although the client had engaged in some high-level risk assessments, it had never conducted an in-depth assessment of its facilities following a common process and standard, nor had the client developed a master plan. Instead, each site had been left to provide for its own needs.
With the client’s collaboration, Slotnick and the other consultants reviewed past documentation and historical records to determine past security procedures. They also conducted interviews, which established that a high level of risk existed for workplace violence and metal theft.
Using the vSOCra platform, the consulting team uploaded facility drawings and operational data for each facility, site plans, security operational policies and procedures, and past threat reports, as well as information from law enforcement agencies such as response time and capabilities. Other data points included historical threat information, labor shift data, and the number of employees, contractors, and visitors.
The uploaded data also included entry control procedures; emergency response, business continuity, and crisis plans; and, finally, guard services information such as contracts, post orders, security policies, standards, procedures, metrics, and action plans. Armed with this information, each consultant conducted site interviews and compared the information to the data collected from their on-site tours. They also assessed the physical security subsystems such as access control, video surveillance, intrusion detection, and site communications.
An analysis of this information led the team to determine what risks were most likely and what security measures could mitigate them. Then the client and the team discussed strategies for mitigation and a roadmap was formed that would create short-term and long-term improvements.
The most pressing issue was the dissimilar physical security equipment. Because each location managed its own security equipment, programs and solutions became siloed. The company signed on to a plan that would move all equipment to a standard platform organized around a centralized security operations center.
Contracts with multiple contract security firms mirrored the problem with equipment. The company opted to move to an enterprise-level guard service as opposed to independent contracts at each site.
All of the company’s policies were revamped to incorporate these changes. These new policies include an improved enterprise-level emergency response plan, business continuity plan, and physical security process and procedure plan that will eventually save the organization time, money, and potential risk. The company will be monitoring the progress of the plan for the next three years, making adjustments as needed.
Liability. Bernard conducted an assessment of a large retail operation that found that frontline managers, not security, were first responders for misconduct allegations. “Since they were not trained for this response,” says Bernard, “they often increased the company’s potential liability by making statements or acting in ways that could seem prejudicial to one or more of the involved parties. It was common for a promise to ‘handle someone’ to be made by these managers without any investigations process that would independently verify the truth of the allegation.”
According to Bernard, false allegations had occurred several times, yielding unwritten reprimands. This led to employee distrust and dissatisfaction and also put the organization in jeopardy. No one in security or senior management was aware of this practice until it was uncovered by the risk assessment.
The remedy? A risk committee to monitor overall progress on potentially high-liability or high-impact risks. According to Bernard, this is now becoming a more common practice. The committee comprises senior managers who oversee the various risk treatment initiatives in their areas of responsibility. Representatives from facilities, human resources, legal, and security are the core members of the risk committee. These members are also part of a decision panel that selects others in the organization for temporary committees established for highly sensitive or potentially high-impact investigations. Such investigations may need to exclude specific personnel to avoid actions that might be perceived as prejudiced or discriminatory.
The risk committee mandated that all managers undergo training on incident reporting procedures. The committee established a requirement that all incidents be reported to HR and security for investigation. Since these policies have been implemented, there have been no reports of false allegations or wrongful handling of incidents.
One lesson learned from all of these case studies is that security must be vigilant in creating a persistent, independent assessment of the organization’s risks. Security must also monitor and measure the people, processes, and technology that undergird these programs.
“ERM is not a new concept,” says Slotnick. “It is a basic principle of management. Continuous improvement demands the right data at the right time in the right context and measured over time, as do continuous compliance and risk management. Every discipline inside a company needs to do this. Security is no different.”
Ron Worman is founder and managing director of The Sage Group. Sage consults with CSOs and executive teams to develop ERM plans.