Security risk management has become increasingly critical in the rapidly evolving business landscape. Organizations today face various potential threats, from cyber attacks to natural disasters, that can disrupt operations and impact their bottom line. Managing these risks effectively ensures business continuity and safeguards the organization’s reputation.
A recent report titled “The Influence of Security Risk Management: Understanding Security’s Corporate Sphere of Risk Influence” provides valuable insights into this complex field.
Authored by Dr. Michael Coole, Nicola Lockhart, and Jennifer Medbury, researchers and lecturers at Edith Cowan University, and published by ASIS International, the report delves into the intricacies of security risk management in corporate settings.
It highlights the importance of risk management in achieving organizational objectives, discusses the concept of control in risk management, and explores the limitations of risk management models.
In this article, we will dissect the key findings of this report and discuss their implications for businesses. We will also provide specific examples from the report to illustrate these insights.
If you’re a business leader looking to enhance your organization’s risk management strategies, or a professional in the field, this article offers perspectives to help you understand and refine your approach.
Understanding the Role of Risk Management in Organizations
Risk management is not just a peripheral function but integral to successfully attaining organizational objectives. The report underscores this point, emphasizing that risk management should be a top-down process, managed and verified from above. This approach aligns with the administrative function of all managers, suggesting that risk management should be integrated into all levels of organizational hierarchy and activity.
For instance, the report highlights the two most common terms across all Standards, guidelines, and instruments related to risk management: “Risk” and “Management”. The prominence of these terms underscores the task focus of these documents and the overarching concept of risk in the context of organizational operations.
The term “Management,” appearing second in frequency, supports the notion that the management of risk forms a key role in the successful attainment of organizational objectives. This implies that risk management is about mitigating threats and strategically managing these risks to align with the organization’s goals.
In practical terms, this means identifying potential risks that could disrupt the supply chain, implementing measures to mitigate those risks, and developing contingency plans to ensure business continuity. For example, a company might identify a natural disaster as a risk to its supply chain. Management would then work on strategies to mitigate this risk, such as diversifying its suppliers or increasing its inventory of critical supplies.
In essence, understanding and managing risk is a strategic function that can significantly impact an organization’s ability to achieve its objectives. Effective risk management requires a comprehensive understanding of the organization’s operations, the potential risks it faces, and the strategies to mitigate these risks.
The Concept of Control in Risk Management
The concept of “control” plays a pivotal role in risk management. In the context of the report, “control” is seen as a core managerial element of risk management. It suggests that risk management is about verifying whether everything occurs in conformity with the adopted plan, the issued instructions, and established principles. This implies that risk management should be a top-down process, dictated to, managed by, and verified from above.
Simultaneously, the report also highlights the role of “controls” as treatment strategies put in place to manage evaluated risks. These controls are system variables designed to manage the evaluated risks effectively. For instance, a control could be a new policy implemented to mitigate the risk of data breaches, such as requiring all employees to undergo cybersecurity training.
An example from the report that illustrates this concept is the high frequency of the term “control” in the combined Standards, guidelines, and instruments related to risk management. The term “control” ranked 22nd with a weighting of 0.25%, suggesting that a core managerial element of risk management is the concept of control.
On the other hand, the term “controls” as treatment strategies also appeared high on the count analysis, ranked 18th with a weighting of 0.28%. This highlights the importance of implementing effective controls as part of the risk management process.
In summary, the concept of control in risk management is twofold. It involves managerial control to ensure that risk management strategies align with the organization’s objectives and operational controls to mitigate evaluated risks effectively.
Limitations of Risk Management Models
While risk management models are valuable tools for organizations, they are not without their limitations. The report discusses the concept of “The Unknown Unknowns” to illustrate this point. This refers to risks arising from situations so unexpected that they would not be considered in standard risk management models.
An example from the report that illustrates this concept is the reference to Donald Rumsfeld’s famous quote about “known knowns,” “known unknowns,” and “unknown unknowns.” This quote highlights the inherent limitations of risk management models, as they can’t account for every possible risk due to the unpredictability and complexity of the real world.
Risk management models are designed to help organizations objectively view situations, make assessments based on predetermined metrics, and mitigate cognitive bias as far as practically possible. However, these models are often limited to the most common occurrences of the process being modelled, and some details may be left out.
This limitation underscores the importance of complementing risk management models with other strategies, such as maintaining a flexible and adaptable approach to risk management, continually monitoring and updating risk assessments, and fostering a culture of risk awareness within the organization.
While risk management models are an essential part of an organization’s risk management strategy, they should not be relied upon as the sole method of identifying and managing risks. Organizations must be aware of their limitations and employ additional strategies to manage the “unknown unknowns.”
The Role of Regulation in Security Management
Regulation plays a significant role in shaping the landscape of security management. The report suggests that security managers in highly regulated industries or sectors have a better chance of achieving risk influence. This is because these industries often have stringent compliance requirements that necessitate robust risk management strategies.
For example, industries considered to be critical infrastructure, such as energy, healthcare, telecommunications, and financial services, are typically subject to extensive regulation. These regulations often require organizations to implement specific risk management measures, such as conducting regular risk assessments, implementing certain security controls, and reporting on their risk management activities.
However, the report also notes that the influence of regulation on security management can depend on where the security department sits in the organizational reporting structure. For instance, security departments that report into functions with a compliance or regulatory obligation, such as Health and Safety, are typically treated as having more influence than those that report elsewhere.
One participant in the report’s focus group discussion argued, “…if security had the same regulatory stickiness that health and safety has, we wouldn’t be having this conversation.” This statement underscores the potential for regulation to elevate the status and influence of security management within organizations.
In conclusion, while regulation can impose certain constraints, it can also serve as a powerful driver for robust security risk management. Organizations in highly regulated industries have an opportunity to leverage these regulations to enhance their risk management strategies and increase their influence in this area.
The Importance of Leadership Qualities in Risk Management
The report emphasizes that the sphere of risk influence in security is often a product of an individual’s personal attributes, rather than something tied to the corporate security function itself. This highlights the importance of leadership qualities in achieving the necessary degree of risk influence.
The report identifies several key leadership qualities that contribute to effective risk management. These include charisma, personability, empathy, foresight, business communication ability, education, deep understanding of security body of knowledge and theory, personal connections and network, flexibility, and the ability to make and leverage C-Suite relationships.
For instance, one participant in the report’s focus group discussion stated, “influence is achieved through personal networks… through constant tests and adjustments…through representing the problem to the people and speaking to the right ones, it’s about gaining their trust, and with a degree of panache along the way.”
This quote illustrates how personal attributes and leadership qualities can significantly impact a security professional’s ability to influence risk management strategies within an organization.
In conclusion, while technical knowledge and skills are crucial in security risk management, the importance of leadership qualities should not be underestimated. Security professionals who possess these qualities are likely to be more effective in influencing risk management strategies and achieving the desired outcomes for their organizations.
The report “The Influence of Security Risk Management: Understanding Security’s Corporate Sphere of Risk Influence” provides valuable insights into the complex field of security risk management. It underscores the importance of risk management in achieving organizational objectives, highlights the role of control in risk management, and explores the limitations of risk management models. It also discusses the impact of regulation on security management and emphasizes the importance of leadership qualities in risk management.
The insights from this report have significant implications for businesses. They highlight the need for a comprehensive, top-down approach to risk management that integrates risk management into all levels of organizational hierarchy and activity. They also underscore the importance of implementing effective controls to manage evaluated risks and the need for flexibility and adaptability in managing the “unknown unknowns.”
Moreover, the report’s findings emphasize the potential for regulation to elevate the status and influence of security management within organizations, particularly in highly regulated industries. They also highlight the critical role of leadership qualities in achieving the necessary degree of risk influence.
Can we help you?
We leverage our expertise in business continuity and crisis management to help organizations implement effective risk management strategies.
Whether it’s helping you understand your risk landscape, developing robust risk management processes, or providing training to enhance your team’s leadership qualities, we’re here to help you navigate your organization’s unique challenges and opportunities.
Contact us to learn more and discuss how we might be able to work together to improve your resilience strategies.