Sage Conversations: How to effect organizational change

Consultants can help you define roles and determine value in your company

In our conversations with the risk and resilience consulting community, one challenge they express is helping organizations understand how risk intersects with their client's organizational value. They also point to the master planning process, which can be a hinge point that leverages a thorough assessment. That assessment's value relies on the organization's ability to lead and navigate change.

If we pause for a moment and understand the forces at work that the consulting community must be aware of, we can appreciate the work they perform.

From the highest levels of most organizations today, public or private, there is the imperative of securing the core. This means optimizing the organization's management of human resources (people), how they are deployed, how they are measured (processes), and, finally, the tools they use to perform their tasks (technology). The budget this represents is not the "innovation" budget. It is the "keeping the lights on" budget. And shaving small percentages from this budget could represent a significant amount of money.

The language we use to describe this change effort is critical. Cutting a budget is different than improving the quality of how our products or services are designed, managed and delivered. In the latter, we are truly defining roles and value exchanges between roles so that we eliminate non-value-added tasks. The end goal is to drive velocity (time to value) and the value that aligns with the organizational goal and business model.

The consulting community has the opportunity to help the organization pinpoint those areas that will do this. They can also help educate and articulate change in such a way that the organization's executives and employees can understand.

There are consultants who make the "change" issue part of their training and consulting practice. We were able to have a series of conversations with them. One is David Nicastro, principal with Secure Source International. Nicastro is usually in the middle of sweeping changes that are occurring in how executives view risk around the world. A large part of his services revolves around executive protection, which allows him access to the core of the organization's leadership. Many times organizations turn to him to launch optimization or innovation projects in security, eventually leading a team of disparate resources around the world to a common operating picture.

According to Nicastro, the best way to lead change is to understand how the organization conducts business through the perspective of its leaders.

"We are able to earn the trust of senior executives by spending a great deal of time understanding how they drive organizational value," said Nicastro. "This step is crucial before understanding what risks would endanger the delivery of that value. What we are finding is that most organizations do not have the ability to capture information, analyze or communicate information effectively. This leads to the inability to leverage that information and tactically apply it to the risk case. Leveraging the data could be in the delivery of a coordinated response during an incident, or it could be analyzing it for predictive and/or proactive planning for a future response. But the real leverage comes from measuring the data over time so that we can optimize and improve the delivery of valuable services to the organization."

Jeffrey Slotnick, CPP, PSP, who has delivered risk and resilience consulting and training for years through his firm Setracon, agrees.

"We are change agents for our executive clients. We must collect the right information during our assessments so that we can paint a compelling picture that resonates with a diverse audience: executives, security operations and line of business managers," Slotnick said. "The way we, as consultants, gather that data, organize it, and report on it, will make or break the change effort and, in the worst case, leave behind vulnerabilities and risks that could have been mitigated."
