How CSOs Can Build Robust Risk Management Foundations
ASIS International defines risk management as the process of identifying, assessing, and prioritizing risks followed by coordinated and economical application of resources to minimize, monitor, and control the probability and/or impact of unfortunate events or to maximize the realization of opportunities.
Chief security officers (CSOs) and aspiring CSOs must prioritize risk management for several critical reasons. As protectors of an organization’s assets—including physical, financial, and intellectual property—CSOs must identify potential threats and vulnerabilities and develop strategies to mitigate them. Effective risk management enables CSOs to ensure business continuity by identifying potential disruptions and developing plans to minimize their impact. This ensures that the organization can continue to operate, even in the face of unexpected events.
Risk management is also essential for compliance with legal and regulatory requirements. CSOs must understand the relevant regulations and develop processes to ensure the organization adheres to them. A security breach or incident can severely damage an organization's reputation, so risk management also helps CSOs identify and mitigate the risks that could lead to negative publicity or reputational harm. Finally, effective risk management can help CSOs identify areas in which to reduce costs. By mitigating potential risks, CSOs reduce the likelihood of costly incidents and the expenses that follow them.
CSOs manage risks to an organization's assets, people, and operations. To achieve this, they must consider three key principles regarding risk management—risk assessments, mitigation, and ongoing monitoring and evaluation.
Risk Assessments
Risk assessments help CSOs identify potential risks that could impact the organization. This involves evaluating internal and external threats, analyzing vulnerabilities, and identifying the critical assets that require protection. By conducting thorough risk assessments, CSOs can determine the appropriate resources to allocate for risk mitigation.
Mitigation
CSOs must understand the entire business operation in order to gauge how an event involving the identified assets would affect it. Working with stakeholders—including senior leadership, employees, and customers—to build that understanding allows the CSO to develop controls that reduce or mitigate the identified risks. These controls may include physical security measures, information security protocols, business continuity plans, and disaster recovery plans.
Monitoring and Evaluation
CSOs must continuously monitor and evaluate the effectiveness of their risk management strategies. This process requires regular reviews and updates to risk assessments, mitigation strategies, and policies to ensure they remain relevant and effective. Security leaders should also monitor and analyze security incidents, continue conducting regular audits and assessments, and stay up to date with emerging threats and vulnerabilities. CSOs should regularly communicate with stakeholders to ensure they are aware of risks and the steps the organization is taking to manage them.
Incorporating risk management into the CSO’s role comes with several challenges. The first is balancing protection of the organization against risk with the achievement of business objectives. The CSO needs to identify and evaluate risks while ensuring the organization can operate efficiently and profitably. To do so, the CSO must deeply understand the organization’s goals and priorities and communicate effectively with stakeholders at all levels. The ability to articulate risk in the language of business is imperative to getting stakeholder buy-in. The CSO must show the financial impact of a risk, then explain how the suggested mitigation strategy will protect the business from that loss.
For instance, during a risk assessment the CSO identifies a power generator that is vulnerable to attack. He or she wants to add a perimeter fence to limit access, as well as cameras and alarms to monitor the area where this vital piece of machinery is located more closely. To secure a budget for the project, the CSO will need to explain why securing the generator matters, what the impact to the business would be if it were attacked and disabled, and how the cost of the proposed mitigations compares with that potential loss.
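The generator business case is easier to make with numbers. As an added example that is not from the article, the block below applies the standard single loss expectancy (SLE), annualized rate of occurrence (ARO) and annualized loss expectancy (ALE) formulas and then ranks candidate mitigations by return on security investment (ROSI), including an oversized option that does not pay for itself. Every dollar figure, reduction factor and control name is a constructed assumption; the generator scenario is the article's, the arithmetic and the "guard post" alternative are added here.

```python
from __future__ import annotations

from dataclasses import dataclass

# Added example, not from the ASIS article. Quantifies the generator business
# case with SLE/ARO/ALE and ROSI. All figures below are constructed.


@dataclass(frozen=True)
class Risk:
    name: str
    asset_value: float      # total loss if the asset is destroyed (replacement + downtime)
    exposure_factor: float  # fraction of asset_value lost in one event (0..1)
    aro: float              # expected events per year, e.g. 0.1 = once per decade


@dataclass(frozen=True)
class Control:
    name: str
    annual_cost: float      # capital cost amortized per year plus operating cost
    aro_reduction: float    # fraction by which the control cuts event frequency
    ef_reduction: float     # fraction by which it cuts the loss per event


def sle(risk: Risk) -> float:
    """Single loss expectancy: cost of one event."""
    return risk.asset_value * risk.exposure_factor


def ale(risk: Risk) -> float:
    """Annualized loss expectancy with no controls in place."""
    return sle(risk) * risk.aro


def residual_ale(risk: Risk, controls: tuple[Control, ...]) -> float:
    """ALE after applying controls. Reductions compound multiplicatively,
    which assumes the controls act independently; that is optimistic when
    they overlap, so treat the avoided loss as an upper bound."""
    aro, ef = risk.aro, risk.exposure_factor
    for c in controls:
        aro *= 1.0 - c.aro_reduction
        ef *= 1.0 - c.ef_reduction
    return risk.asset_value * ef * aro


def rosi(risk: Risk, controls: tuple[Control, ...]) -> float:
    """Return on security investment: (annual loss avoided - cost) / cost.
    Negative means the package costs more than the loss it prevents."""
    cost = sum(c.annual_cost for c in controls)
    avoided = ale(risk) - residual_ale(risk, controls)
    return (avoided - cost) / cost


def rank_options(risk: Risk, options: dict[str, tuple[Control, ...]]) -> list[tuple[str, float, float]]:
    """Rank mitigation packages best-ROSI-first as (label, residual ALE, ROSI)."""
    rows = [(label, residual_ale(risk, ctrls), rosi(risk, ctrls)) for label, ctrls in options.items()]
    return sorted(rows, key=lambda r: r[2], reverse=True)


# Constructed scenario for the article's generator (hypothetical numbers).
GENERATOR = Risk("backup generator", asset_value=1_500_000, exposure_factor=0.6, aro=0.1)
FENCE = Control("perimeter fence", annual_cost=15_000, aro_reduction=0.5, ef_reduction=0.0)
CAMERAS = Control("cameras and alarms", annual_cost=20_000, aro_reduction=0.2, ef_reduction=0.5)
GUARDS = Control("24x7 guard post", annual_cost=120_000, aro_reduction=0.9, ef_reduction=0.0)

OPTIONS: dict[str, tuple[Control, ...]] = {
    "fence": (FENCE,),
    "cameras": (CAMERAS,),
    "fence + cameras": (FENCE, CAMERAS),
    "guards": (GUARDS,),
}

if __name__ == "__main__":
    print(f"{GENERATOR.name}: SLE ${sle(GENERATOR):,.0f}, ALE ${ale(GENERATOR):,.0f}/yr")
    for label, res, r in rank_options(GENERATOR, OPTIONS):
        print(f"{label:16s} residual ALE ${res:>9,.0f}/yr  ROSI {r:+.2f}")
```

With these inputs the uncontrolled ALE is $90,000 per year; the fence alone returns the most per dollar, the combined fence-plus-cameras package avoids the most loss, and the guard post avoids $81,000 of loss at a cost of $120,000, giving a negative ROSI. The weakest input in any such calculation is the ARO estimate, so a practitioner should present the result as a range built from low and high ARO assumptions rather than a single figure.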
The second challenge is staying ahead of emerging risks and threats. New risks and vulnerabilities arise as technology and the business environment evolve. A current example is the rapid evolution of artificial intelligence (AI). While AI promises many benefits to business, threat actors will also find numerous ways to use the technology for nefarious purposes. CSOs must remain up to date with emerging threats and adjust their risk management strategies accordingly. Failure to keep up with these risks can lead to significant security breaches and financial losses for the organization.
A security department, on its own, can only do so much. Safety and security must be front of mind for every employee to maximize effectiveness. A risk management culture creates awareness and an open line of communication between security and employees. This allows potential threats to be identified and mitigated before they cause loss. Workplace violence is a good example. Training employees to recognize threatening behavior, and to understand the importance of reporting it to security, allows the business to intervene before a situation escalates.
Building a risk management culture throughout the organization can be a significant challenge for CSOs. This requires implementing effective risk management practices and ensuring that employees understand the importance of risk management and are motivated to comply with risk management policies and procedures. Such a cultural shift requires effective communication, training, and leadership from the CSO and senior executives. Without a risk management culture, the organization may be more vulnerable to risks and threats.
CSOs can measure the success of their risk management program by following a set of critical steps. They should define clear goals and objectives for their risk management program and develop key performance indicators (KPIs) that align with these goals and objectives.
A useful KPI is one that is specific, measurable, relevant, and tied to a specific goal or outcome. A good KPI would be tracking the number of cars vandalized in a parking garage over a week. By comparing this to the number of incidents in similar facilities, the security team can determine areas that may need increased security measures, such as additional patrols, better cameras, or improved access control. A less useful KPI would be just tracking the number of security officers on duty at a site. This is measurable, but not actionable or specific. Tracking this metric does not offer any insight on the effectiveness of deterring criminal activity.
Good KPIs will allow the CSO to monitor the effectiveness of risk mitigation strategies through periodic audits, testing, and incident response exercises and revise their strategies when necessary. They can measure the success of their risk management program and track progress toward their goals and objectives.
Where to Start
So, where can aspiring CSOs hone their risk management skills? Security professionals should start by understanding the fundamental risk management principles, including identifying, assessing, prioritizing, and mitigating risks. Attending ASIS training programs and conferences can provide them with the latest best practices and techniques in risk management. Collaborating with other experts in the field, such as risk management consultants and cybersecurity professionals, can provide valuable insights into best practices and new techniques.
The ASIS CSO Center has designed a CSO Development Pyramid program that consolidates a tremendous amount of resources that address the wide range of knowledge and skills required of a successful CSO. This would be an excellent place for aspiring CSOs to focus their development efforts (this resource library is currently only available to ASIS CSO Center members).
Participating in simulations and exercises can help develop practical skills and risk management experience. The U.S. Department of Homeland Security (DHS), the Cybersecurity and Infrastructure Security Agency (CISA), and the ASIS CSO Center for Leadership and Development regularly provide these types of training opportunities. Creating a comprehensive risk management plan that includes risk assessments, risk mitigation strategies, and a crisis management plan can give CSOs and aspiring leaders practical experience in risk management and help improve their skills over time.
Lastly, security leaders must learn how to explain the depth of their work and risk mitigation measures. I have seen firsthand the importance of risk management, but many other business leaders have not. Making the business case for security is an essential skill for a CSO. When a sound security plan is in place and incidents are defeated or mitigated before they disrupt operations, it is natural for the business to wonder why they are investing so much in a seemingly unnecessary security program.
A solid risk management program provides an organized system the CSO can use to demonstrate that “nothing happens” due to the amount of hard work and resources expended. It allows the CSO to demonstrate the value and effectiveness of their program by establishing specific, measurable metrics and tangible results.
Scott Wolford, CPP, ACC is a security manager for Nationwide Insurance in Columbus, Ohio. He is the current chair for the ASIS Columbus Chapter and a member of the ASIS CSO Center for Leadership and Development Content Committee. Wolford is an International Coaching Federation associate certified coach. He owns Beyond the Blue Professional Coaching, where he helps public and private sector professionals transition to new roles and achieve their ambitions.