Security's Role in Enterprise Risk Management

What are your responsibilities in managing risk for the total enterprise?
My grandson Randy called me this morning to let me know that he and two of his buddies would be leaving later in the day to drive from Atlanta to Las Vegas. Randy's barely 21 and he's known to have done unwise things in his short life, so I told him to be careful because a long drive like that was risky. He assured me he would. When I hung up I pondered on the word "risky." The risk in this case is that the car could crash and that Randy could be injured or killed (God forbid).

In security-speak, Randy is the asset and a traffic crash is the threat. If Randy would let me, I'd manage this risk by keeping him home or canceling the trip. The first option, keeping him home, moves the asset out of harm's way. The second option, canceling the trip, eliminates the threat. Simply stated, risk is a function of two variables: asset and threat. Remove either or both, and risk disappears. Risk is determined by the dynamic relationship between asset and threat. The implication for the chief security officer of an enterprise is the need to adjust protective measures relative to risk. We can see the principle in action when DHS informs the nation (asset) of a possible terrorist act (threat).

Characteristics of the Asset
Risk assessment begins to get complicated when we characterize the asset. To do so, we ask a three-part question: If the asset were lost, damaged or destroyed, what would be the probable impact on human life, physical property and process? When the asset is life, we can count the number of people likely to be affected in certain ways. We can use dollars to determine probable impact because actuarial groups have calculated the dollar value of a life, as well as limbs and bodily functions.

As to the impact on physical property, we have a handle on the dollar cost of repair or replacement.

Determining probable impact on process is a bit more complicated. Process is a combination of work activities that perform a function. In a manufacturing setting, process can be a series of activities that construct a product on an assembly line; in an information technology environment, process can produce decision-related information by electronic manipulation of data.

Loss of process can be minor, such as a partial and temporary interruption, or major, such as total and permanent shutdown. The loss-of-process impact is measurable in the dollars spent returning the process to normal operation and the dollars lost in the meantime from sales not made.

Although disparate, the three impact characteristics of an asset are amenable to dollar conversion, a rough measuring stick that can help in estimating the magnitude of consequences should an adverse event take place. The measuring stick is also a decision-making tool. If Asset A has a greater value than Asset B, it stands to reason that the protective measures for A should be greater than those for B.

Characteristics of the Threat
Threats are two-dimensional. The first dimension is called the threat element, the entity that precipitates an adverse event. The threat element is like the sword held aloft by a single horsehair above the head of Damocles. If the horsehair breaks, the sword falls. In the real world, terrorists, criminals and Mother Nature are threat elements.

The second dimension is the threat occurrence. If the sword plunges into Damocles, we have a threat occurrence. Examples of occurrences in the real world are the explosion of a bomb planted by a terrorist, the theft of valuables by a criminal and the collapse of a building during an earthquake.

Criticality
Let's go down one more level in the examination of asset and threat. An asset can be either non-meaningful or meaningful. Non-meaningful assets are assets whose loss, damage or destruction would have no significant effect on the enterprise. In this category are office supplies, furniture and the like.