Analyzing Board-Level Risk Yields Positive Results
Security leaders can enhance their ability to both communicate risk effectively and align with board strategies by learning to see security risks the way the business is likely to see them.
Research by the Security Executive Council has identified common enterprise risks that can be organized into eight descriptive board-level risk categories: Financial; Business Continuity & Resiliency; Reputation & Ethics; Human Capital; Information; Legal, Regulatory Compliance & Liability; New & Emerging Markets; and Physical/Premises & Product.
Security leaders can learn by attempting to group every identified security risk, as well as every security program and initiative, into one of those categories (note that all organizations are unique, and more or fewer categories may be used depending on industry and size). This grouping can then be compared with the critical organizational risks the board has identified. In this way, the security function can present a direct link between each business category and the security program that mitigates the risks identified under it. The exercise can lead to a number of positive results:
1. Improved communication. Because the flow of information is critical to effective risk management and effective risk oversight, it behooves the security leader to communicate risks and solutions in a framework with which the board is already familiar. Grouping risks in board-level categories creates this framework, ensuring the information presented can be easily understood.
2. A business-first perspective. Any business unit can easily become so mired in its own operations, requirements and challenges that the broader goals and needs of the enterprise become obscured. This exercise enables security leaders who fall victim to such a mindset to break out of their narrowed view and see their function through the eyes of the business.
A business-first perspective is crucial if the security leader is to honestly answer questions such as, “If certain security programs do not easily fit into one of the board’s risk categories, do they represent an appropriate use of resources?”, or “Is security neglecting to manage any aspect of the risks the board has identified as critical?” Questions like these must be answered in order for security to align with business strategy, and they are best answered before the board asks them.
3. Value identification. When security initiatives are presented in the context of board risk categories, the board may benefit from a clearer view of how and where security adds value to the organization. In addition, the analysis may uncover untapped opportunities for security to help reduce redundancies, assist other functions or expand programs to create new value. In this regard, well-documented metrics provide enormous value to all parties.
4. Strengthened support. The Security Executive Council helps conduct board-level risk analyses based on its research of corporate enterprise risk assessment plans and strategies. Security leaders who have undergone this analysis report that displaying the risks in line with the values of the board helps them gain support and move initiatives through the organization.
Challenges in Board Risk Management
The security function will encounter a number of challenges in managing the identified board-level risks, particularly where the lines of communication are weak or where the board's interest in risk oversight is superficial or shallow.
If the board has not communicated the enterprise risk appetite and priorities effectively, the security leader may glean some knowledge by studying the organization's 10-K filings (the annual reports public companies file with the SEC, which include a section on risk factors), if it is a public company. Kenneth Kasten, formerly with Carlson Companies and now emeritus faculty with the Security Executive Council, has analyzed the identified risk factors in the 10-K filings of more than 40 organizations and has found some broad commonalities in risk concerns.