I recently reviewed a colleague’s draft metrics deck at his request. His organization is making a corporate-wide push for all business units to maintain a set of metrics to support a broader and deeper perspective on enterprise risk management.
My basic conclusion was that the security organization had relatively few existing charts that would be of value for this deeper dive on enterprise risk. Security was too focused on asking “how much” and counting things. Actionable, risk-focused metrics find their real potential value in what lies behind this data. How well are we engaged in learning?
The security department had organized its approach in several buckets of activity. Here are some comments regarding a few of the buckets.
• Site Security Operations. These are the first responders, the most customer-facing security entity and the biggest budget item by far. These operations consume 1,800 hours per week across 10 locations, logging several hundred activities per site. Multiple spreadsheets allowed me to drill down on the numbers, but there was nothing about what they mean. What locations are demanding more resources or presenting greater risk than others? What performance measures with what results are being found for the contract guard service? What business units are the most and least attentive to following security protocols? What has been learned about alarms and their responses? What are the top five key performance indicators for this set of activities, and what do they say about Security’s contribution to the protection of the company?
• Site Risk Assessments. Security has conducted 63 security surveys/assessments in the past six months. This should be a revealing spotlight on the effectiveness of safeguards as well as business unit risk and compliance. Where are the soft spots in the protection strategy? What common vulnerabilities or gaps were identified? What percent of those were found across the sample? How many recommendations were provided, and what percent have been implemented? Importantly, how were those recommendations addressed?
• Security Project Involvement. There are 237 projects under way or completed. How many targeted risks or locations of concern will be impacted? How much more secure are the locations that received equipment through these projects? Are any of these projects calculated to reduce the cost of security to the customer? What percent were completed on time and on or under budget? If I’m the boss, why should I be interested in this data?
• Investigations by Business Unit and by Type. Of 274 investigations, 62 percent were in business units with 15 percent of the headcount and 45 percent of the top 100 most critical business processes. Is this significant, and what does it say about the state of security at these locations? Are there any common denominators found across multiple investigations? What are the root cause findings from investigation post-mortems? If I’m the CEO or a member of the Board, what is this data telling me about the attention of managers to enterprise protection? When you connect the dots across investigations and incidents, what have you learned that needs to be passed on to influence and inform?
• Hours to Customer Service. The company has already paid for the hours. What has it received for that investment? For example, what is the ratio of hours of guard patrol to reduction or elimination of known risks?
• Background Checks. What has Security learned from 14,254 background checks? Are there more derogatory findings in specific recruitment pools or vendor groups? The metric HR cares about is cycle time to completion.
Think about the context of our colleague’s focus: management wants a deeper dive on risk. Consider how Security’s unique, almost singular, perspective on risk can engage, advise and integrate its programs with the enterprise risk management strategy.