The risk management failures of the financial community have left their mark on businesses of all types, through both the global economic crisis they ushered in and the resulting scrutiny of corporate risk oversight. The oversight role of the board of directors has been the target of proposed and implemented reforms including the Securities and Exchange Commission’s enhanced proxy disclosure rules and the Dodd-Frank Wall Street Reform and Consumer Protection Act.
Board directors have commonly been held responsible for the risks that impact their organizations, but the increased transparency of the new requirements helps raise their profile and creates a greater potential for personal accountability in case of failure. While some boards are focusing on risk oversight more earnestly than others, many are re-examining their structure and processes to ensure that risk is appropriately identified, managed, and monitored. The security function will continue to feel the impacts of these changes as boards of directors work to adjust to new requirements and broadened expectations.
The Oversight-Management Cycle
Risk oversight is sometimes confused with risk management; however, the two are complementary but separate functions. Risk oversight entails “setting the tone at the top” — specifying the culture of the company, identifying and prioritizing the risks the company faces, defining its risk appetite and monitoring management’s handling of risk to ensure it is in step with that appetite and culture. Risk management, on the other hand, is the implementation of policies and procedures to transfer or mitigate the identified risks that cannot be accepted by the organization. Risk oversight directs risk management, and both either directly or indirectly influence the security function.
The full board is responsible for risk oversight, but portions of it are generally handled by board audit or risk committees, which are increasingly being assisted by outside parties, says Dick Lefler, former vice president and CSO of American Express and current Chairman and Dean of Emeritus Faculty for the Security Executive Council.
“In the last two or three years, we have begun to see more consulting services specifically engaged by large global companies to come in and systematically identify risk in all the different parts of the enterprise, then group and prioritize those risks,” he says. “Clearly, companies are increasingly embracing an enterprise risk management approach using distinct business and staff units to collectively work together and manage risk. The use of consultants to capture and identify risk is a complementary skill set that a lot of ERM teams are using to help them get an enterprise picture and understanding of the risk.
“It also provides an independent perspective for the board to understand what the risks are so that they can influence the CEO and the senior management team to provide resources to the ERM group to manage those risks,” Lefler adds.
Ideally, risk oversight and risk management work together in a continuous cycle, Lefler says. The board systematically identifies and prioritizes risk — whether through audit and risk committees or with the help of consultants. Those findings and decisions are discussed with the CEO and/or the ERM team, which then creates or modifies plans to address the identified risks and presents results to the board. Once the proposed solutions are in place, the board monitors and audits the risk posture of the organization to determine whether the existing processes are managing risk effectively in line with the risk appetite, and the cycle begins again.
Regardless of where security lies in the circle above, it is incumbent on security leaders to ensure that the significant risks under their purview are being clearly communicated up the chain to inform the board’s decision on risk management priorities and resources. Likewise, the security function should have a clear understanding of the corporate risk strategy and appetite as defined by the board and senior management, so that security strategy and operational decisions can follow the board’s philosophy. Without this two-way flow of information, neither can be entirely effective.