Objective: To visually convey our understanding of and response to a risk event, to show how that risk links to applicable metrics, and to demonstrate that measures are being taken to mitigate future risk.
Results Sought: There are multiple advantages to this type of presentation. a)
• You inform management in a way that demonstrates the competence of your lessons-learned analysis;
• You influence change by assigning accountability both for contributing causes and follow-up actions; and
• You provide benchmarks for assessing the quality of proposed countermeasures.
Where is the data? You will need to find data that will help you objectively identify the causes (not symptoms) of the risk event, select the best means to better prevent and/or respond to a similar event in the future, and measure the effectiveness of each of the selected countermeasures. In this example, the incident postmortem uncovered data seen in contributing causes, and each of the selected countermeasures in mitigating actions have an associated metric in the measures column.
Risk Management Strategy : We have limited time with senior management, so we need creative ways to influence change, to inform and demonstrate our competence. The “measures map” above is a visually engaging method of presenting findings from an incident postmortem. It enables measurement of performance, status and cost tracking during the reporting process. It is also a useful way to brief constituents or staff on a proposed risk mitigation strategy. Build the map collaboratively with affected business unit personnel and other governance team members as you walk through the incident postmortem. This demonstrates corporate leadership and more clearly influences accountability for successful risk management going forward.
It is wise to periodically evaluate a variety of post-incident maps to identify common causes and opportunities for selecting countermeasures that may beneficially impact multiple business process vulnerabilities.
George Campbell is emeritus faculty of the Security Executive Council and former CSO of Fidelity Investments. His book, Measures and Metrics in Corporate Security, may be purchased through the Security Executive Council Web site, www.csoexecutivecouncil.com/?sourceCode=std. The information in this article is copyrighted by the Security Executive Council and reprinted with permission. All rights reserved.