“Protection of customer data is one issue many companies recognize as a significant risk,” Kasten says. “Those companies whose offerings are intellectual are more likely to emphasize the protection of ideas — patents and such. Manufacturing companies seem to focus more on the protection of physical assets and property. Those who offer a service are more inclined to stress the need for business resilience, and those offering a product are more likely to express a concern about upstream suppliers, downstream vendors and partners whose performance impacts product delivery.”
Kasten cautions that not all 10-K risk factor statements are created equal. “Some companies have done a good job with embracing the intent of the document by acknowledging ownership of risk and providing specific, meaningful and actionable comment; while other companies are not quite there yet,” he says. “In either case, there is ample opportunity for security leaders to support company efforts with 10-K risk identification, clarification and mitigation.”
Another challenge to board-level risk management, according to Lefler, is found in the increasing number of business functions being performed by third parties. “From that point of view, a lot of your risk lies with somebody else’s employees, goods and services,” Lefler says. “The radical shift is that you are now managing risk relationships as opposed to managing the risks themselves.”
Security’s responsibility shifts, for instance, from vetting internal employees to working with Legal on contracts that limit the exposure created by contractors who vet their own hires. The security leader must now act as an agent of influence, not only on his or her own senior management but also on the management of the contracted manufacturer.
“This flattening of organizations has resulted in employees and security managers being constrained from resourcing the management of identified risk,” Lefler says. “There is tremendous pressure on security leaders to properly manage identified risk exposure, but the economic downturn has significantly impacted the available resources to address problems. This has required security to reach out rapidly to find service providers for cost-effective solutions to risk issues — that is very challenging.”
However rough the road may be, managing risk in alignment with board priorities is not only a worthwhile goal but a crucial one. There is no evidence that the board’s emphasis on risk will abate; in fact, it is quite the opposite. Security leaders who have not already begun to shift their thinking and their strategies in this direction may find themselves quickly falling behind.
By considering their place in the oversight-management cycle, analyzing security risks in a board context and confronting board risk management challenges, security leaders can better serve their organizations and perhaps enhance their job security.
Marleah Blades is Senior Editor for the Security Executive Council (SEC), a problem-solving research and services organization focused on helping businesses effectively manage and mitigate risk. The Council provides strategy, insight and proven practices that cannot be found anywhere else. For information or comments on board level risk issues, e-mail firstname.lastname@example.org. Follow the Council at securityexecutivecouncil.com, or on Facebook and Twitter.