Risk management too often is perilously fragmented and insufficiently funded. Managing the overall risk equation is assuredly a CEO-level and management team obligation. But the design and execution of effective strategies to identify and moderate risk is, of necessity, complex and typically spread among numerous organizational silos.
The core mission or activities of an enterprise more readily attract investment and executive attention. Obtaining the tools, budgets and focus adequately to protect people, critical intellectual property, brand and other assets is too often not viewed as a first-tier priority. At least until something bad happens.
It is illusory to think that any organization can eliminate all risk. The objective must be to mitigate risk effectively, and to internalize that we must live with a certain amount of risk.
Doing so starts with systematically identifying the range and types of risk – the threat vectors – that are relevant to your enterprise. It helps to think of risk in two clusters: natural disasters and man-made risk. Typically, the largest amount of impactful risk seems to rest in the latter category – man-made risk such as terrorism, espionage, geopolitical conflict, insider threats, criminal activity (perhaps especially cyber attack) or significant accidents.
An organization’s list of threat vectors must be prioritized for focus and investment. Each can be measured and quantified roughly as the sum of three variables: threat, vulnerability and consequences. Mitigating each specific category of risk requires a two-part strategy: (1) protect and prevent – hardening assets, monitoring threats and generally increasing resiliency prior to an event; and (2) respond and recover – the activities required following an event.
Threats in the modern era are arguably more complex, more viral and potentially more rapidly consequential. The pervasive and growing dependence of virtually all organizations on complex technology systems and networks has both intensified and complicated the overall risk management mission.
The interdependencies between IT network assets and physical security assets create both new risk and new tools to protect assets. How can organizations forge a more integrated, nimble and effective risk-management plan and culture?
First, effective risk management requires that organizations focus on this challenge, from top to bottom. The culture of the place has to make risk management a continuous priority at all levels of the organization. Successful airlines, for example, have a relentless focus on operational safety – one component of their overall risk profile. They plan, train, exercise, monitor, manage, invest and daily work to mitigate this operational risk. The company’s core mission is therefore defined by this focus.
Effective risk management strategies today are built by multi-disciplined teams – financial, technical and operational. They look at the organization’s assets – people, physical infrastructure, supply chain, intellectual property, brand value, customers and duty of care – and develop tools and approaches that have integrative utility to protect the whole. Successful strategies recognize that a fusion of risk-related intelligence and close alignment of necessarily interdependent responsibilities will be required.
Second, risk management in this era requires a special, arguably almost preeminent focus on understanding the risks associated with IT networks and on measures to harden those networks and technology assets. Doing so entails, for example, understanding how IT vulnerabilities can themselves become an avenue of attack upon physical assets. Providing the appropriate protection requires cross-discipline cooperation and continuous reassessments as network vulnerabilities evolve. This is not just the work of the IT department.
In short, business and government leaders must raise the bar and focus intently on managing the uniquely complex and damaging threats not only to IT networks but also to those physical assets that are accessed via IT networks. Three trends are worth noting:
Risk Management Centers. Government agencies and corporations increasingly are upgrading and investing more in consolidated risk management and security operations centers. These assets and their staff become the center of gravity for defining and sustaining the two-part risk management mission: protect and prevent; respond and recover. Their mandate includes organizing the multi-disciplinary teams needed to manage risk, train employees and lead a program of exercises that allow leaders to practice incident response. When a crisis occurs, larger pre-configured teams surge to support crisis management.
Risk Management Software Platforms. The global market presents many worthy products that can support specific aspects of risk mitigation, including automated building management systems, access control, asset tracking (including blue force tracking), intelligent cameras, video recorders, targeted social media monitoring, sophisticated IT network security tools, travel risk alerts, key employee travel monitoring and much more.
Relying on technology that is not tied to any one particular brand or product can be a pragmatic approach. Physical Security Information Management (PSIM) software is one such tool.
These software platforms provide a comprehensive integration capability that can be integral to an organization’s risk management strategy. A PSIM platform continuously fuses and instantly correlates vast amounts of data gathered from any number of physical security systems or sensors, of virtually any type, brand or generation, as well as from networked management applications such as building management systems, IT network alarms, business intelligence data platforms and more. The result is actionable intelligence that empowers decision makers from a single organization or multiple entities – however geographically dispersed – to collaborate in real time.
Subscription Services. Increasingly, technologies such as PSIM software platforms and the tools that they integrate into a common interface are made available to the market via pure subscription services pricing or lease-to-own business models. Adding technology to an organization’s risk-management toolkit, in other words, need not require a daunting capital investment. Moreover, some such acquisitions actually deliver considerable operational efficiencies.