Creating the reality of unified risk oversight

April 14, 2017
Boeing and SEC host industry CSO event discussing best practices for risk management and oversight

If there was one constant that resonated among those attending the Security Executive Council’s (SEC) two-day Next Generation Security Leader (NGSL) event this week it was that risk is constantly evolving and communication is key to mitigating it. Held live in three Boeing Company locations in Renton, Wash., Mesa, Ariz., and Crystal City, Va., the gathering of more than 100 top industry CSOs featured the theme of driving unified risk oversight through global security operation centers (GSOCs). The SEC, the leading research and advisory firm focused on corporate security risk mitigation solutions, has been working with Fortune 500 companies and other organizations for more than a decade to help them transform their risk and security operations into proactive information centers that align with the business strategies of executive management.

The increased spotlight on board-level risk due to greater transparency of regulatory and compliance requirements has raised the specter of personal accountability in the C-Suite in times of crisis. While many boards have made it a priority to break down their internal corporate silos to ensure that management can quickly identify, monitor and manage risk, others are still struggling to create a roadmap that can help them govern risk management across the enterprise.

CSOs and security directors from Boeing, Starbucks, Corning, Mitre, State Street, Delta Airlines and Disney explained how each has worked with their C-Suites to help them better understand the risk paradigm. Risk oversight is often confused with risk management, a subtle distinction that can sometimes have disastrous consequences.

Although the two are complementary functions, they require a separate approach. Risk oversight is a responsibility that is handled by the entire executive board, with portions being handled by board audit or risk committees and other outside parties. Risk oversight is defined by the “corporate culture,” which helps identify and prioritize the risks faced by the company so it can assess and define its risk appetite. Risk management, however, is the implementation of policies and procedures to transfer or mitigate the identified risks that cannot be accepted by the organization. Risk oversight directs risk management, and both either directly or indirectly influence the security function.

SEC Managing Director Bob Hayes, who previously served as CSO of Georgia Pacific and as security operations manager at 3M, was one of the first security executives to successfully implement unified management of corporate security, computer security, and business conduct and compliance programs in a Fortune 100 company. He opened the program saying that risk is the glue that binds every security person at the event and that he thinks that risk is rapidly becoming the common operating language of business.

He cited a recent SEC research project where more than 50 major corporations shared their enterprise risk assessments. From the standpoint of commonality, all 50 companies in 18 different vertical markets shared risk issues in the areas of financial, brand, human capital, information and legal risk, along with ethics, resiliency, regulatory and compliance concerns.

“Risk management has evolved and this new unified risk oversight model our research has featured stresses that all the stakeholders in an organization are all getting the information about risk so it can be properly addressed,” Hayes says. “How many corporate executives sit down and agree what the organization’s risks really are, what each function’s roles are and what the boundaries are for each organization – where does one start and the others begin? Risk management is a team sport. If you are still thinking about reinforced silos you are missing the trend. Unified risk oversight is a cross-functional exercise.”

A recent SEC research report, which was discussed during the event, stresses the increasing accountability that regulations are placing on the corporate board, notes that each function of the organization has board-level risks to address, and goes on to ask the question: “Is each element of the business doing its part?” The only way to ensure they are is to create a process of unified risk oversight.

The report continues: “Sometimes great ideas come with big consequences. The continued business trends toward globalization, advantages of economic scale and strategic partnering are multiplying corporations’ opportunities, but they’re also acting to multiply the impact of risk failure. One risk failure at a single point in a company or its supplier network - particularly one picked up by the media - can now have a profound effect across the entire enterprise, placing a company in jeopardy far beyond traditional measurements. It is clear, for example, that the failure to properly design a gas pedal can create repercussions beyond the scope and imagination of an automobile company’s engineering department.

“Risks occur in all sizes and shapes; most can be and are responded to correctly, but the failure to recognize the potential consequences of a risk failure beyond the initial report can bring serious damage to companies. Add to that the scandal-induced requirements for greater accountability and oversight, and it’s clear why we’ve seen an increased push from the board of directors and senior management to conduct enterprise risk assessments and follow through with robust risk management. Traditionally, risk management has been coordinated by only a few business units of an organization. This may make sense for some industries, but for most, an approach coordinated across the enterprise will yield better risk mitigation strategies and tactics.”

For Alan Borntrager, head of global safety and security, and business resilience at Red Hat, the world’s leading provider of open-source software solutions, molding the security and risk function around its unique corporate culture has been job one. The organization fosters an environment in which the “best idea” wins, no matter where it comes from. In such an open setting, almost any type of security implementation could be taken as an infringement on the creative corporate atmosphere.

“The branding component of what our global security operations center is becoming is a significant marketing event. We want to make sure we embrace the cultural influences of Red Hat, and that the security operations center was not seen as Draconian, heavy-handed or the first step in the creation of a Nanny State,” explains Borntrager, whose team took huge steps to be inclusive and transparent with staff while building out the company’s formal security and risk environment, including its new GSOC.

“It is still a Global Security Operations Center, but branding it through our own marketing team to be the Information and Analysis Center (ISAAC), resonated much better with our culture and our organization, but in the Red Hat world it is synonymous with a traditional GSOC,” says Borntrager regarding ISAAC, which was launched in March of 2016, providing Red Hat its first-ever global operations center. “Our goal was to create a center that allowed us to support the operational risk council. The challenge, at least in our first year, was that the enterprise risk effort was like a snapshot in time. It was very static and very much a paper exercise. We weren’t doing anything from a management perspective; we were doing a great job from an enterprise risk perspective, but there was little management of total operations.”

Borntrager feels that this work, from the branding and establishment of ISAAC to the facilitation of a new operational risk council, is helping his security team better assess some of the emerging risks Red Hat is facing. He also thinks it will create a strategy that enables the team to support a cross-functional group assisting in intelligent risk mitigation processes, and that prevents his department from being segmented into a security-only function.

When it comes to risk, the banking and financial sectors present an entirely new set of issues. Some companies do risk framework or risk management very well. Other companies that are not as mature don’t really focus on operational risk; instead, they are focused on credit, liquidity and financial risk. Operational risk takes a back seat. But because companies are now forced to report all risk, these organizations are more than happy to ramp up their operational risk strategies to ensure compliance.

The consensus among CSO attendees was that as management and the board strive to develop a clearer picture of risk in their organizations, they should endeavor to look across all functional groups to review, organize and monitor their company’s diverse collection of risks.

About the Author: Steve Lasky is the Editorial Director of SouthComm Security Media, which includes print publications Security Technology Executive, Security Dealer & Integrator, Locksmith Ledger Int’l and the world’s top security web portal SecurityInfoWatch.com. He is a 30-year veteran of the security industry and a 26-year member of ASIS.