As a security professional, how do you add value to your organization? We all know that the value of security is often hard to prove – after all, how do you gauge the impact of an event that doesn’t happen because security has prevented it from happening, and then make a convincing case to the C-suite about how much money you’re saving the business?
Going forward, the argument is not just about security metrics. It’s also about how security contributes to the organization’s bottom line. How? Through enterprise security risk management (ESRM).
As the security profession has matured, security professionals have become more involved in managing risks that were once outside the scope of the traditional security mission. The evolution of the profession has allowed us to become more knowledgeable about the business. This in turn sets the stage for security professionals to become involved in activities that add value to the business. Debra van Opstal, who wrote a report for the Council on Competitiveness called “Transform. The Resilient Economy: Integrating Competitiveness and Security,” states the benefits of ESRM perfectly:
“When security is integrated across the business organization, there are direct financial benefits; streamlined processes, elimination of unnecessary redundancy, improved productivity and often lower insurance
Those are some hard facts that you can bring to the C-suite.
Traditional enterprise risk management (ERM) programs assess a wide range of financial issues that could affect a company’s profitability (and in fact bond-rating agencies have begun to look at ERM to determine if any of these issues could hurt the company’s ability to repay its debts); however, these programs rarely if ever look at physical or IT security, business continuity, or brand protection. To illustrate how important ESRM is, and how it works, let’s look at this last item – brand protection.
How important is brand protection to your company? The answer is, very. One survey shows that two-thirds of the assets of the top U.S. companies are not physical, while the World Intellectual Property Organization (WIPO) estimates that intellectual property represents as much as 75 percent of the value of the Fortune 500.
The bottom line is this simple equation: Innovation = Intellectual Property = Products = Jobs. At its very core, the loss of intellectual property, whether through theft, counterfeiting, or diversion, adversely affects the world's economies. Given that, how important is brand protection to the security department? The answer is, it should be just as important as it is to the company. But protecting the brand is an amorphous challenge, not an easy one to wrap our arms around. This is where ESRM fits in.
At the heart of ESRM lies the notion that security must be actively engaged with and supporting every business unit, since each of those units has its own challenges that could affect the company's reputation and brands. At a pharmaceutical firm where I was involved in an ESRM effort as a senior security executive, this meant that the security department needed to engage with R&D; sales and marketing; manufacturing; logistics; customer service; product complaints; third-party firms; human resources; and information technology.
Applying ESRM principles to business processes helps the company identify and quantify risks. Mapping those risks enables the company to prioritize the efforts that need to be taken and to determine what resources are necessary to achieve those objectives. For a pharmaceutical company the ESRM process often begins with an assessment of business development efforts, because mergers and acquisitions present prime opportunities for the theft of intellectual property (IP). Continuing through the product life cycle, an assessment of the research and development initiatives follows, and then an ESRM evaluation of clinical trials. The process continues through manufacturing, packaging, distribution and returns. In each phase of the product life cycle there are opportunities for security professionals to assess risks and provide business-oriented solutions.
We developed a cross-functional product integrity team that was supported by senior management to identify and then prioritize risks to our brands. We were further charged with the responsibility of collaboratively identifying solutions to several key risks and communicating those recommendations to senior management.
The first requirement was to identify key internal stakeholders to participate on this team. The group comprised representatives from security, manufacturing, legal, quality assurance, marketing/sales, and public affairs. Corporate security was asked to lead the team.
We then focused on developing the group’s mission, identifying the processes which we would employ, and then began to map the risks to our products.
This initiative was successful in melding several functional security areas (physical security, personnel security, IT security and information security) with various business processes. We objectively examined existing procedures, business objectives and technology solutions, and developed recommendations.
The holistic risk assessment of each of our products included an environmental scan that provided us with a true global perspective. Included within this scan were country-specific laws and regulations; patent and trademark concerns; company marketing and sales matters; enforcement and regulatory resources; and the supply chain.
Building from that process, the group developed specific strategies designed to protect the brand. Some of these strategies were geographically focused while others were product-specific strategies. In the end, several business units were tasked with certain deliverables.
This process was no small feat for a large company; however, the team’s efforts increased communication and facilitated the development and implementation of key processes and services. Just as important, the team helped to overcome a range of serious threats to the brand, from counterfeiting and copyright and trademark infringement to weaknesses in supply chain security. Our efforts led to measurable ROI in areas where we reduced our risks and improved our brand protection efficiencies.
If you think that only a few large companies are putting ESRM programs into play, you’re wrong. In a 2010 survey on ESRM conducted by the CSO Roundtable of ASIS International, more than 50 percent of the chief security officers from Fortune 500-size organizations said that they and their departments were involved in researching, prioritizing, mitigating, or evaluating non-security risks in their organizations. Nearly 60 percent of respondents said that their organizations had advisory groups – like the team described above – that cut across different departments and silos to facilitate the risk management process.
Managing the huge range of risks that companies face is not getting easier. Rather, it is becoming an increasingly complex venture, as new regulations and legislation add further challenges to the business of doing business.
More than ever before, security professionals are collaborating and communicating across all business units. To that end, we should strive to break down silos and build a focused, holistic effort that improves the management of risk throughout the company.