Leadership & Management Column / Security Leadership and Management / Columns

Managing Risk Across the Enterprise

The key to the risk-based security program is that no matter what issue you examine, every one of them affects the reputation of the enterprise in one manner or another.

Over the course of the last 18 months we have conducted a fairly exhaustive review of all of the elements that comprise an effective program to identify and analyze the full scope of risks that an enterprise faces while operating domestically or globally. We also explored effective methodologies to examine risk mitigation solution options that can be deployed across the enterprise.

The chart that we provided depicts the various elements of a comprehensive risk-based security program. The key to the risk-based security program is that no matter what issue you examine, every one of them affects the reputation of the enterprise in one manner or another. Understanding the links, dependencies and potential impact of each element of a sound risk-based security program is fundamental to an organization’s ability to effectively deploy this type of program and, ultimately, holistically manage the enterprise’s entire risk portfolio.

The first step is developing an initial risk profile of the enterprise. We have yet to find a single company that has in one place collected the full scope of documentation necessary to create a true snapshot of the enterprise’s risk portfolio. Developing a matrix of current and emerging risks through the implementation of a comprehensive risk intelligence program is absolutely vital. As we previously discussed, there are several different approaches to establishing a comprehensive program to gather risk intelligence. At the end of the day, what is most important is having an effective risk intelligence program for the enterprise, not how it is organized or what function owns it.

Critical elements of the risk intelligence process include: the establishment of the key intelligence questions and the gathering, analysis, processing and distributing of the risk intelligence to those functions that have a legitimate need for the information. The data gathered through the risk intelligence program is also a vital element of the strategic planning process for the enterprise. A trusted risk intelligence program is also critical to ensuring that management has highly accurate and trusted data to utilize in their decision-making process.

Once the risk matrix has been populated, management must then prioritize the risks and determine which are the most critical to the viability, survivability and resilience of the enterprise. When that prioritization has been completed, various functions within the organization can be tasked to design the appropriate solution for the risk involved. Those solutions may involve complex and expensive methodologies to effectively mitigate a given risk. Other risks may involve inexpensive and easy to implement mitigation solutions, third party transfer of the risk through some form of insurance instrument, or the enterprise may simply decide that the probability of the risk occurring is so remote that while an incident could be devastating, the cost to mitigate the risk results in the enterprise simply accepting the risk without deploying any mitigation solutions.

Another key take-away involves the establishment of sound policies, procedures and processes across the enterprise. These provide the foundation for effectively managing the enterprise, establishing the guidelines under which all personnel and functions are expected to operate, and implementing appropriate controls to ensure the long-term viability of the enterprise. Of course, it is necessary to ensure that staff members are thoroughly trained on their roles, responsibilities and accountabilities.

Validation of the design and functionality of policies, procedures, processes and controls are measured through audits, inspections and evaluations. If failures occur or weaknesses are identified in controls, it is vital that an inquiry is conducted to determine the root cause for the failure of the particular management system involved. Once a determination of the cause of a particular failure is made, an appropriate solution can be crafted that prevents the failure from reoccurring. A similar process of evaluation takes place when a risk morphs over time or a new risk evolves which requires an evaluation of the current management systems involved to apply appropriate revisions to mitigate the change to the risks.

Hopefully, through this series our readers have gained a more comprehensive understanding of the full scope of risk that must be gathered, analyzed and mitigated as part of effectively managing an enterprise’s risk portfolio. 

 

About the Authors: Jerry J. Brennan is the founder and Chief Operating Officer of Security Management Resources (SMR Group), the world’s leading executive search firm exclusively focused in corporate security. Lynn Mattice is Managing Director of Mattice and Associates, a management consultancy focused at the development and alignment of Enterprise Risk Management and Business Intelligence Programs, as well as Intellectual Property Protection and Cybersecurity. 

Did you enjoy this article? Click here to subscribe to Security Magazine. 

Recent Articles by Jerry Brennan

You must login or register in order to post a comment.

Multimedia

Videos

Image Galleries

ASIS 2013 Product Preview

ASIS International 59th Annual Seminar and Exhibits, September 24-27 in Chicago, Illinois, will include an exhibit hall packed with innovative security solutions. Here are some of the products that will be shown at ASIS this year.

Podcasts

Virtualization and Data Center Security: What You Need to Know for 2014

Data centers are increasingly becoming the center of the enterprise, and data center and cyber security is following the same path for security departments. According to Justin Flynn, a consultant at the Burwood Group, the virtualization of data centers allows enterprises to scale more easily and faster, with a smaller footprint.

However, hosting enterprise data in the cloud can make intrusion detection more difficult – how can enterprise security leaders team up with other departments to keep aware of cyber risks and traffic, and physical and data compliance during the virtual transition? How can CISOs and CSOs discuss cyber threats with the C-Suite to get the resources they need? And how can the proper infrastructure test and verify possible malicious attacks? 

More Podcasts

Security Magazine

July 2014

2014 July

In the July issue of Security Magazine, read about how the NFL is balancing security with fan experience to make sure sporting events are running smoothly. If you're doing any traveling this summer, be sure to read the 5 hot spots for business travel security, also, employers can track on-the-go employees with new mobile apps. Also, check out the latest news and industry innovations for the security industry.

Table Of Contents Subscribe

Adopting New Technology

How long do you wait before adopting a new technology?
View Results Poll Archive

THE SECURITY STORE

comptiahighriseproductphoto
CompTIA Security+ Certification Study Guide
CompTIA's Security+ certification is a globally-recognized, vendor neutral exam that has helped over 60,000 IT professionals reach further and higher in their careers. The current Security+ exam (SY0-201) focuses more on being able to deal with security issues rather than just identifying them.
More Products

Clear Seas Research

Clear Seas ResearchWith access to over one million professionals and more than 60 industry-specific publications,Clear Seas Research offers relevant insights from those who know your industry best. Let us customize a market research solution that exceeds your marketing goals.

Vertical Sector Focus: Critical Infrastructures

criticalhomepagethumbFrom terrorism to vandalism, it’s preparedness, response, training and partnerships. Learn about some of the critical security issues facing this sector.

Visit the Critical Infrastructure page to read more.  

STAY CONNECTED

Facebook 40px 2-12-13 Twitter logo 40px 2-12-13  YouTube  LinkedIn logo 40px 2-12-13Google+