Think Outside the Box

How to get past checklists and find real ROI in regulatory compliance

A maturity model provides a sensible, phased approach to putting a management system into place. If the checklist approach seems to be the only way to deal with an immediate deadline, then the overall plan should be to somehow put the minimal compliance requirements in place, and then move on to develop a management system and establish a sustainable security risk and compliance program.

To support a phased approach to management system implementation, ASIS has developed and released the Organizational Resilience Maturity Model, now an ANSI Standard (see resources sidebar). The genius of the standard is that it takes into account two realistic situations for an organization’s security program:

1. The security program consists of reactive, ad hoc activities; no clearly defined management process is in place; the overall program is an unstructured collection of security procedures and controls that provides two main metrics: costs and numbers of security incidents; performance and security effectiveness are not visible to management or measurable; or

2. Management is (or is likely to be) skeptical of a new security or compliance “methodology” or “standard,” with concerns for cost and potential negative impact or burden on the business.


The Phases of Organizational Resilience

Using this maturity model, an organization can achieve and maintain an appropriate level of security (including compliance requirements), as well as emergency preparedness and business continuity, in a progressive approach that takes into account the current state of security risk management within the organization.

The descriptions of the maturity model’s phases are tailored for this article’s focus, and are more fully described and related to organizational resilience in the standard’s own document.


Phase One: Pre-awareness

This phase describes a state where there is a lack of understanding in an organization regarding one or more business functions related to security risk, such as emergency preparedness and business continuity. Realization is triggered by a disruptive event, expressed stakeholder concerns, contractual requirements, government regulations or risk assessment results — causing the organization to consider exploring a more proactive approach. Once the organization becomes aware of the need or the potential benefits of a more structured and organized management approach, it is ready for the next phase.

Phase Two: Project Approach

Management becomes willing to test the concept and establish a trial project to explore the benefits. The brilliance of this phase is that it doesn’t require a permanent commitment from management, which in some cases cannot be obtained without clear evidence that a management system approach would be of value. Attention is focused on “low hanging fruit” issues, rather than on emphasizing the management system framework structure — after all, management is more interested in (and will base its decisions on) the results and value to be obtained, rather than in the details of how to obtain them.

Two things are actually being tested here: the business contribution of the management system being exercised or implemented, and the ability of the security practitioner (or whoever is the “Project Leader”) to obtain results.

Phase Three: Program Approach

Now the view shifts from specific issues to division- or organization-wide issues. Risk management applications are selected for their chances of demonstrating success and awareness. Senior management is aware of the importance of the items being addressed, and of the need for pre-planning and a systematic approach. The management system is still in a pilot testing mode, but parts of the organization are applying the elements of the maturity model and testing action plans to make a business case for implementing the management system in full.

Phase Four: Systems Approach

The pieces are put together in the iterative continual improvement process (described as Plan, Do, Check, Act or PDCA) that is the core of the management system. This is the point where the security program and its compliance elements cease to be just a collection of procedures and controls and become a structured program in which senior and middle management are appropriately engaged and committed to their assigned roles of organizational responsibility.

Phase Five: Management System