Regulations are increasingly making board members accountable, with risks needing to be coherently addressed at every level of the company
Sometimes great ideas come with big consequences. The continued business trends toward globalization, advantages of economic scale and strategic partnering are multiplying corporations’ opportunities, but they’re also acting to multiply the impact of risk failure.
One risk failure at a single point in a company or its supplier network – particularly one picked up on by the media – can now have a profound effect across the entire enterprise, placing a company in jeopardy far beyond traditional measurements. It is clear, for example, that the failure to properly design a gas pedal can create repercussions that extend far beyond the scope and imagination of an automobile company’s engineering department.
Risks occur in all shapes and sizes; most can be – and are – responded to correctly, but the failure to recognize the potential consequences of a risk failure beyond the initial report can bring serious damage to companies. Add to that the scandal-induced requirements for greater accountability and oversight, and it’s clear why there has been an increased push from boards of directors and senior management to conduct enterprise risk assessments and follow through with robust risk management procedures.
Traditionally, risk management has been coordinated by just a few business units within an organization. This may make sense for some industries, but for most, an approach coordinated across the enterprise will yield better risk mitigation strategies and tactics. As management and the board strive to develop a clearer picture of risk in their organizations, they should endeavor to look across all functional groups to review, organize and monitor the company’s diverse collection of risks.
The Security Executive Council, a problem-solving research and services organization that involves a wide range of risk mitigation leaders, has analyzed many corporate enterprise risk assessment plans and strategies to identify common concerns and opportunities to create a more consistent risk oversight process. The work formed part of a research initiative to create a baseline corporate risk landscape that shows security’s involvement in risk management, and is summarized in Board-level risk security program elements, below.
The focus of the study was to identify risks that had security-related consequences and areas in which security mitigation strategies would add value to overall enterprise risk reduction; this process of risk identification and classification could be applicable to any function of the company, however.
After analyzing numerous and diverse enterprise risk assessments, the council identified common risks that faced corporations. These were organized into eight descriptive categories (‘Board level risk categories’). Next, the council identified activities under each category that had related security risks (‘Business areas with security-related risk’). This list represents many of the risks the council community has typically encountered, but is not meant to be exhaustive. Lastly, the council drew upon the successful practices and experience of its large faculty of former security and risk professionals (its collective knowledge) to match security mitigation strategies to each ‘floor’ of the corporation (‘Security program’).
The purpose of the research output was to provide a direct link between each business category and the potential use of a security program to mitigate the risks identified. Why security? Most security programs are designed to cross all business units; that puts the security function in a strategic position to help provide enterprise-wide protection against an array of risks.
Security protection programs do not, by their nature, have to belong to the corporate security department. Instead, they are often shared programs in which a team comprising several business units collaborates to provide risk mitigation. Coordination with human resources for a new employee background verification process is a classic example, usually employing HR, security and legal.
Council members use this tool to map out how the security function can add value through risk mitigation strategies employed across the enterprise. They report that displaying the risks in line with the values of the board helps them gain support and move initiatives through the organization.
Enterprise risk councils
To enhance their focus on the risks confronting their organizations, companies are increasingly moving to establish enterprise risk councils (ERCs) composed of key business leaders who offer broader perspectives on the various risk concerns that could affect the business. The ERC format is designed to provide the same holistic approach to risk mitigation that the board provides for identifying and understanding risk.
The ERC carries out its duties by allocating resources, analyzing the cost benefits of mitigation solutions and providing report card information to senior management for review with the board of directors. In this model, the audit committee reviews and analyzes the ERC’s success in accomplishing its duties. The audit committee’s reports are used in part to determine executive compensation in connection with risk management and mitigation. The simple absence of a risk event does not guarantee bonus compensation, but the board’s compensation decision should be driven by management’s attention to identifying and managing risks.
It is critical that all functions play a role in understanding the new risk landscape. The corporate secretary has the opportunity and possibly the obligation to promote and govern board-level risk analysis. The research and conceptual graphic provided here were intended for security leaders, but this same process could be used with all staff groups and revisited regularly within the company. Having a common ‘picture’ to help create a risk-aware enterprise and a model of unified risk oversight can be a useful exercise.
Security's role in risk management
Many companies have found that some proactive security programs must be considered during, and integrated into, planning for new product and business program introduction.
Risk losses are too often considered to be one-time variable expenses for which planning cannot be justified; in fact, the opposite is true. Such events as fraud and criminal attacks are normal in the global marketplace. Determining the extent of those risks, examining the cost of mitigation and including that cost as part of the fixed cost is necessary for a product launch.
A recent global supply chain study conducted by Stanford University demonstrated that the security program’s inclusion in the basic movement of goods in the supply chain not only reduced shrinkage but also enhanced productivity, lowered costs and increased the speed of shipments involved in the study.
Board-level risk security program elements