The Evolution of the Security Leader into a Strategic Risk Advisor
1. From Guns, Gates and Guards to Strategic Business Advisor
The Evolution of the Security Leader through ERM
Managing Risk | Maximising Opportunity
2. Published by Control Risks, Cottons Centre, Cottons Lane, London SE1 2QG. Control Risks Group Limited (‘the Company’) endeavours to ensure the accuracy of all information supplied. Advice and opinions given represent the best judgement of the
Company, but subject to Section 2 (1) Unfair Contract Terms Act 1977, where applicable, the Company shall in no case be liable for any claims, or special, incidental or consequential damages, whether caused by the Company’s negligence (or that of any
member of its staff) or in any other way.
Copyright: Control Risks Group Limited 2014. All rights reserved. Reproduction in whole or in part prohibited without the prior consent of the Company.
3. TABLE OF CONTENTS
Introduction 1
Why ERM? 4
What is ERM? 6
Phase 1: Understand the Organization 6
Phase 2: Develop an ERM Framework 7
Phase 3: Execute the Risk Management Process 7
Phase 4: Implement and Maintain 8
What is the Security Leader’s Role in ERM? 9
Developing the Knowledge and Skills for Success 11
Security and Risk Management 11
Business Acumen 13
Leadership 15
Ongoing Relevance of ERM 17
Appendix: Knowledge, Skills and Attitudes of Risk Leaders 18
About the Authors 19
4. 1
From Guns, Gates and Guards to Strategic Business Advisor – The Evolution of the Security Leader through ERM
Introduction
Control Risks defines enterprise risk management
(ERM) as the holistic approach to risks across an
organization. A successful ERM framework
doesn’t create barriers to business strategy: it
enables growth and the realization of
opportunities, often by breaking down barriers
within an organization. Security leaders are
uniquely well-positioned to contribute to ERM in
their organizations and can draw upon ERM to
transform their traditional functions into
forward-looking, strategic leadership roles.
Over the last two decades, businesses have
expanded their global reach as they stretch into
far-flung pockets of the world in pursuit of new
opportunities, better margins and growing
markets. This trend has accelerated in recent
years, as slowing growth in the developed world
has spurred a push into emerging markets. As
operations, supply chains and workforces become
increasingly global, businesses face new and
more varied risks. And it’s not just geography.
Increasingly, organizations are broadening their
definition of what constitutes a risk to include a
broader set of political actors, communities, single
issue groups and competitors, as well as natural
hazards, regulatory changes, contractual
deficiencies, industry dynamics and financial
market upheavals.
The complexities of the risk landscape have
increased, and so too has the understanding that
risk and reward are two sides of the same coin. In
response, boards of directors are demanding
more effective approaches to understanding and
managing these risks in order to successfully
reap the opportunities they pursue. With
increasing frequency, we hear security leaders
say that their companies’ boards want to
implement risk management frameworks that
give them confidence that risks to their enterprises
are being identified, prioritized and managed
consistently. These security leaders are being
asked to support enterprise risk management
(ERM) programs within their companies.
“The days of sitting back and reacting to
situations are over,” says Bob Graves, Senior
Director of Global Security at Abbott Laboratories.
In companies where the concept of risk
management has evolved, security leaders must
evolve in turn to remain relevant. For some, it
may mean recognizing that the “solution may not
be gates, guns, and guards,” says Rob Ream,
Senior Manager of Global Security, Crisis and
Emergency Management at BHP Billiton. “It may
be a process, or a system, or a behavior.”
5. From Guns, Gates and Guards to Strategic Business Advisor - The Evolution of the Security Leader through ERM
2
ERM presents enormous opportunities for security
leaders to develop and transform their own roles
– and those of their departments – within their
organizations. Regardless of whether they lead
ERM efforts or take on a support role, the security
leaders we’ve spoken with have found that their
backgrounds, training and experience have made
them key players in the ERM process. By nature
and by training, security leaders already know how
to make decisions by looking through the lens of
risk. In addition, they are often adept at the kinds
of collaboration that are inherent to ERM. Many
security leaders already help their legal
departments comply with workplace safety
requirements, consult with their IT departments on
the physical security of network assets, work with
their chief operating officers on business continuity,
and assist their HR departments with investigations
and background checks. In this sense, security
leaders are particularly well positioned to help
other department heads appreciate the common
challenges they face and embrace their role in a
larger risk management paradigm.
This whitepaper provides the reader with insights
into how the security leader can use ERM to
transform his or her role into that of a risk leader and
a strategy leader. The paper starts by describing the
basic principles and purposes of ERM. This is
followed by the identification of the different roles that
the security leader can play in supporting and leading
the ERM process. Finally, the paper will provide the
reader with ideas on how to plan the security leader’s
role in the ERM process from start to finish.
One security leader used ERM to ensure his corporate security department remained relevant in
the organization. Like many security departments, his had been out of sync with the rest of the
company and had been seen as a cost center misaligned with the rest of the business. To restore
his department’s stature, the security leader asked his counterparts in other departments to
participate in a risk assessment and revised his budget to align with the results. A few months later,
the company’s leadership announced an initiative to substantially increase the amount of revenue
generated from emerging markets. Having already laid the foundation for a risk management
framework with his earlier initiative, the security leader was able to coordinate company-wide efforts
to support the expansion to new markets while still protecting the organization.
6.
7. From Guns, Gates and Guards to Strategic Business Advisor - The Evolution of the Security Leader through ERM
4
Organizations manage risks all the time. Many of
these efforts are informal and occur in the backs of
people’s minds or scrawled on notepads. Often,
they are driven by specific incidents and managed
on an ad hoc basis. The result is often an
uncoordinated, siloed approach to risk
management. Different parts of an organization
focus on different risks, and even when two
departments focus on the same risk, they are
unlikely to coordinate efforts. ERM brings structure
to the chaos. By imposing a formal process, it
ensures that all perspectives are considered, that
mitigation efforts are prioritized and unified, and
that nothing is overlooked.
Enterprise risk management, or ERM, first became
a widely recognized part of corporate parlance
following the passage of the Sarbanes-Oxley Act
in the United States in 2002. The law, a response
to several high-profile corporate frauds, imposed
new financial reporting and management
requirements on publicly traded companies. In
order to comply with the new regulations, many
companies began using ERM frameworks like the
COSO1
ERM-Integrated framework. For this
reason, ERM is often associated with financial
controls and regulatory compliance.
ERM in the truest sense is much broader than that.
Put simply, ERM is an umbrella program that
companies may use to coordinate all of their risk
management activities. It provides a framework for
governance, risk and compliance activities, all
within the broader context of reaching business
objectives. An increasing number of organizations
are formalizing their risk management in this way.
One recent study found that 24.6% of mainly U.S.
companies surveyed in 2013 had ERM processes
in place, up considerably from 8.8% in 2009.2
The rising popularity of ERM is not just a reflection
of increasingly global business operations: it is
also a response to new and more diverse risks.
The next big disruption to a business could come
from sources as wide-ranging as a terrorist
attack, political unrest, a cyber attack or a
corruption investigation.
Because ERM begins with an assessment of an
organization’s goals and values, it means that risk
management decisions are made with business
objectives in mind and are bound by the
organization’s value system. When not applied
strategically, risk management activities can be
perceived as reactive or as a drag on productivity:
just a series of unnecessary hoops to jump through.
A strong ERM program ensures that mitigation
strategies serve a business purpose. For example,
if there is concern that the time required to properly
vet a potential business partner will jeopardize the
success of a new project, an ERM program
provides a mechanism for evaluating and making
that decision.
ERM can also make risk management more
efficient. Organizations are under constant
pressure to do more with less. An ERM program
helps a company prioritize limited resources
wisely and focus on the risks that matter most to
be able to address those risks in a coordinated
and coherent manner.
Why ERM?
In the best of cases, ERM programs can
help drive cultural change within an
organization. One company used
enterprise risk management to make sure
it was properly addressing risks as it
merged four separate business units under
a single corporate umbrella. What it found
was that the process also helped drive a
culture of collaboration among disparate
parts of the organization.
1
Committee of Sponsoring
Organizations of the
Treadway Commission
2
Mark Beasley, Bruce
Branson, and Bonnie
Hancock, Report on the
Current State of Enterprise
Risk Oversight:
Opportunities to Strengthen
Integration with Strategy,
North Carolina State
University ERM Initiative,
June 2014, http://erm.ncsu.
edu/az/erm/i/chan/library/
AICPA_ERM_Research_
Study_20142.pdf.
8.
9. From Guns, Gates and Guards to Strategic Business Advisor - The Evolution of the Security Leader through ERM
6
What is ERM?
On the surface, the idea of identifying and centrally
managing an organization’s risks is compellingly
simple. In practice it can be incredibly complex. Few
risks fall neatly within a single department’s remit,
and many transcend international boundaries.
Indeed, making order out of such complexity is one
of the greatest benefits of an ERM program.
Although there are different ways to approach it, one
effective approach involves a four-phase life cycle.
Phase 1: Understand the Organization
Centrally managing an organization’s risks
requires understanding senior leadership’s
perspectives and business goals to build a
common vision of what success looks like for the
organization. It also involves understanding the
internal and external context in which the
organization operates, as well as how the
organization currently manages risks. Becoming
familiar with this background helps ensure that
the ERM program is tailored to the organization’s
culture, operations and business objectives.
At one international food company, this initial
phase involved extensive interviews with the
company’s leaders about the nature of their
business, where they saw the company going in
the next few years, and how they believed they
could get there. These interviews also identified
the overarching risk environment surrounding
the company and what current risk management
methods were already in place. In this particular
company, the interviews revealed a very
Scope the
ERM program
Establish a
governance
structure
Develop the
RM framework
Develop the
RM process
Determine
existing
capabilities
Define a vision
& roadmap
Validate &
determine
top risks
Identify &
Analyse Risks
Develop a RM
Schedule / plan
Develop risk
mitigation
strategies
Manage &
monitor risks
Support & expand
the program
EVALUATE
CAPABILITIES
BUILD RM
CAPACITY
ASSESS
RISKS
MITIGATE
AND MANAGE
RISKS
1
PHASE
2
PHASE
3
PHASE
4
PHASE
ERM
10. 7
From Guns, Gates and Guards to Strategic Business Advisor – The Evolution of the Security Leader through ERM
top-down decision-making structure—a cultural
element that informed subsequent phases of
the ERM process.
Phase 2: Develop an ERM Framework
The next step is to develop the ERM framework. An
effective ERM program requires a risk committee or
other governance structure that is responsible for
monitoring risks, overseeing the implementation of
risk management plans, and promoting risk
management efforts throughout the organization.
Once the governance structure is in place, the
organizationcanbegintoformalizeriskmanagement
processes, such as defining the organization’s risk
appetite, outlining responsibilities for risk “owners,”
and establishing mechanisms for risk
communications, reporting, and accountability. For
many organizations, this can be accomplished by
developing an ERM policy.
In phase 1, the food company mentioned above
identified the types of outcomes that it had to
avoid: financial losses above a certain magnitude,
investigations by the US Food and Drug
Administration and supply chain disruptions that
would cause a product shortage. In phase 2, the
company translated these outcomes into
quantifiable, formalized risk appetite thresholds.
In other words, they determined how big a loss
was too big? To make these decisions, the
company pulled together a committee comprised
of departmental leaders who would have a role in
the risk management process—everyone from
human resources and security to the audit and
compliance departments.
Phase 3: Execute the Risk Management
Process
Managing risks through an ERM process requires
working with the organization’s senior leaders to
reach a consensus on the top risks to the enterprise.
Assessing risks with clear and consistent criteria
allows the organization to prioritize which risks to
address first. Understanding who will do this work
is equally important. Once the leaders have agreed
which risks to focus on, they can begin designating
“owners” for each risk and approving strategies for
how to monitor and mitigate each risk. These
decisions are often recorded in a risk register.
Standard practice for ERM programs is to
identify risks through a bottom-up process that
solicits input from all corners of the enterprise.
11. From Guns, Gates and Guards to Strategic Business Advisor - The Evolution of the Security Leader through ERM
8
Because the aforementioned food company had
a well-established top-down dynamic, it decided
to use only senior leaders for its risk assessment
process. The company convened a two-day
workshop to share different perspectives of the
risks the organization faced, debate the potential
impact of each risk to the business, and
determine what the top risks to the organization
were. The leaders outlined plans for mitigating
each risk, and assigned members of the
committee convened in phase 2 to oversee
individual mitigation efforts.
Phase 4: Implement and Maintain
Once a plan is developed, it is up to the entire
organization to execute it – from senior leadership
to shift worker. Depending on the nature of each
risk, these plans may involve just one individual or
the entire organization. Sometimes they may require
hiring outside help to augment the organization’s
capabilities. Regardless of the scope of the plans,
there must be a reporting structure that gives risk
managers visibility into how different risks are being
managed across the organization and allows them
to notify leadership of any substantial changes in
the company’s risk exposure.
Several of top risks that the food company identified
were exacerbated by the absence of business
continuity plans throughout the organization, and
the risk committee directed each of the company’s
locations to develop continuity plans with the help
of an outside consultant. Another major risk was
fluctuations in the price of the commodities that
went into the company’s products. To manage this
risk, the risk committee developed “key risk
indicators”—early warning signs that would portend
an impending change in the market. For each risk,
the company developed measures and metrics that
the risk committee used to track the company’s
exposure and report back to senior leadership and
the board of directors.
ERM is a dynamic, ongoing process. Each of the
phases must be revisited periodically so that the risk
management framework accurately reflects the
organization’s current goals, capabilities and
priorities. The frequency of these updates should
match the organization’s needs. Some companies
revisit their ERM process semi-annually; others do
so every few years.
12. 9
From Guns, Gates and Guards to Strategic Business Advisor – The Evolution of the Security Leader through ERM
What is the Security Leader’s Role in ERM?
The role of a security leader within a company’s
ERM program is usually determined by two general
criteria: the company’s appetite for ERM and the
security leader’s own inclination for ERM.
The company’s appetite for ERM is influenced by
several factors, such as:
Type of industry
Companies in sectors with a preponderance of
physical safety and security risks—such as oil and
gas or mining and minerals—are more likely to have
deep-rooted sensitivity to mature risk management
and therefore a strong appetite for ERM programs.
Likewise, companies in highly regulated industries
(such as pharmaceuticals or finance) tend to be
open to more holistic risk management approaches.
On the other end of the spectrum, companies that
operate in environments where the risks are fairly
static and well known and where they face few
regulatory requirements may see less need for an
ERM program.
Previous crisis experience
Nothing demonstrates the need for a risk
management program like a serious crisis. As a
result, many companies develop an intense interest
in ERM following a crisis in their organization. This
interest is often driven by a company’s board of
directors, who are seeking to avoid a repeat and to
demonstrate their duty of care to shareholders,
employees and customers.
Company culture
Leadership plays a key role in setting the tone for
an organization’s culture. Highly entrepreneurial
organizations tend to see risk-taking as integral to
their success. Some such organizations perceive
risk management as a hindrance to progress
rather than as a strategic enhancement. In
organizations where the core business is culturally
dominant over other functions, developing a
strong ERM program may also pose a challenge.
In both cases, key leaders must be firmly “behind”
the ERM concept in order to re-frame the
organization’s perception of risk mitigation as an
opportunity and to drive the effort.
How a security leader contributes to an ERM
program is a function of how inclined that person is
to embrace a broader role. That inclination may be
influenced by his or her existing knowledge, skills
and attitude in the areas of security and risk
management, business acumen and leadership
and is influenced by the following:
Experience
Security leaders tell us that they draw upon their
previous experience operating with other
departments, and those who are already
comfortable outside of their silos, particularly in a
leadership role, find ERM leadership easier. Security
13. From Guns, Gates and Guards to Strategic Business Advisor - The Evolution of the Security Leader through ERM
10
leaders also vary in their exposure to other risk
management disciplines (e.g., business continuity
and crisis management), their experience with
industry standards like ISO31000, ISO22301 and
NFPA1600 and their experience with leading
through change. If one is already perceived as a
leader in cross-departmental functions and is seen
as a resident expert in risk management, a
leadership role in ERM is often a natural fit. For
others, the ERM process is an ideal opportunity to
develop that experience.
Desire to learn
Gaps in experience and formal knowledge can be
overcome: there are no obstacles. Much of the
required knowledge and skills of risk management,
business acumen and leadership can be taught.
Some security leaders meet the challenges of ERM
by arming themselves with information. Control
Risks has a longstanding relationship with one
security leader who immersed himself in ERM
methodology by attending conferences, taking
training courses, joining risk management
organizations, and consuming as much information
on best practices as he could find. Another security
leader satisfied her similar appetite for knowledge
by seeking out colleagues, peers within her industry
and consultants who could share their experiences
with her.
The diagram below depicts the different
combinations of company appetite and security
leader inclination, and the type of role a security
leader would play in an ERM program as a result.
Little to no
role in informal risk
management programs
Opportunity to
influence mature
ERM program
Opportunity to
take initiative, own
ERM program, instill
risk culture in organization
Owns or heavily
influences ERM
program
Factors affecting
a security
leader’s role in an
ERM program
COMAPNY’SAPPETITEFORERM
SECURITY LEADER’S INCLINATION TOWARD ERM
A manufacturing firm instituted an ERM program as part of a rebuilding effort following a damaging
fraud scandal. It tapped the security leader to run the process. This did not mean that the security
department supplanted the finance and legal departments in monitoring and managing the risk of
fraud. Rather, security helped balance those efforts with the other risks the company faced. But this
was not just an organizational decision; it was also a personnel decision. The security leader had
strong business acumen and viewed the role of security as always present but never an obstacle.
He was able to transfer this vision to the overall risk management approach, helping to bolster risk
management’s place within the company.
In another example, a financial services company turned to its chief financial officer to run its ERM
process, in large part because of its concern with regulatory compliance risks. The security leader’s
role went far beyond simply managing security risks, however. His familiarity with the company’s
global footprint and his relationships with the heads of many other departments made him an
indispensable promoter of the ERM process. He was able to reassure other business leaders who
were wary of or confused by the process, convincing them to participate more fully in the program.
14. 11
From Guns, Gates and Guards to Strategic Business Advisor – The Evolution of the Security Leader through ERM
Developing the Knowledge and Skills for Success
Any security leader interested in ERM should consider
where he or she might fall on the chart in the previous
section. Understanding one’s own abilities and the
organizational context will provide a clear sense of
where to start. By focusing on the three areas
—security and risk management, business acumen,
and leadership—the security leader will be able to
influence both the organization’s appetite for ERM
and his or her own ability to deliver it.
Security and risk management
The security leader’s understanding of and
experience in managing security risks, and
recognizing how that knowledge and skills can
apply to non-security risks.
Business acumen
The security leader’s familiarity with the overarching
business, its goals and how it functions.
Leadership
The security leader’s ability to influence the
organization and its appetite for ERM.
Boards of directors tell us they want more from their
security functions. Security leaders who possess
this combination of abilities will be able to speak
directly to their organizations’ boards and senior
leaders and advise them on intelligent, risk-based
decisions about executing business strategy and
maximizing opportunity. This enhanced role helps
shift the perception of security from a cost center to
a driver of the business.
Security and Risk Management
The archetypal security leader is most comfortable
in the physical security space. He or she understands
quite well how to detect, identify, classify, deter,
delay, respond to and eliminate threats from
disgruntled employees, criminals and terrorists. New
and emerging threats and risks that are less tangible,
however, would likely take this traditional security
leader far outside his or her comfort zone. Through
its work with security leaders globally and across
industries, Control Risks knows that few security
leaders now fit the traditional mold. Many never fit
that mold in the first place, and others have already
had to venture outside of it in response to the
complexities of the modern business environment.
Control Risks believes that security leaders are
well positioned to make the shift from ad hoc,
response-oriented risk management efforts to a
15. From Guns, Gates and Guards to Strategic Business Advisor - The Evolution of the Security Leader through ERM
12
“Security leaders are effective when they are comfortable
with being uncomfortable.” Matt Ryan, Director of
Corporate Security Worldwide, The Hershey Company
formalized ERM framework because their security
expertise aligns very well with ERM methodology.
Much as with traditional security concerns,
managing a broader set of threats and risks involves
considering the likelihood each risk will materialize,
the organization’s vulnerability to it, and the potential
consequences that may arise (see the sidebar on a
methodological approach to risk assessment).
From there the security leader can select and
implement measures to prevent risks from occurring
and to mitigate their impact if they do.
These threat identification, prevention and
response concepts are central to any security
leader’s experience. Applying them beyond the
security domain can promote holistic risk
management throughout an organization. One
security leader was successful applying
business continuity frameworks to his company’s
ERM program. Another applied quantitative
skills from a fraud risk management background
towards an evidence-based enterprise-wide risk
assessment process.
Incorporating risk management methodology
throughout an entire enterprise takes some finesse.
Some companies find additional training or hiring
outside expertise particularly helpful when first
launching an ERM program. Security leaders
should use the newness of the process to their
advantage: “[Security leaders] don’t need the
solution at the beginning of the conversation, but
rather the tools to ask the right questions and come
back with suggestions,” notes Bob Graves, Senior
A Methodological Approach to Risk Assessment
Applying a risk assessment methodology is one way security leaders can use core security
principles as a starting point for contributing to their organizations’ ERM programs. Such an
approach provides a structure for identifying and comparing risks.
One of the areas where Control Risks uses a proprietary methodology for identifying and
managing risks is in its security consulting work. Based on the ISO 31000 framework, the
methodology supports a best-practice approach that feeds naturally into an enterprise risk
framework. It involves three phases: threat assessment, risk assessment and risk treatment.
A threat assessment establishes context. Threats are external factors and events that can
cause harm. The threat assessment is a systematic review of all the threats an organization
may face.
The risk assessment considers the likelihood that a threat will affect the organization along
with the impact that it would have. Simply stated, risk is a measure of the vulnerability to a
threat in terms of likelihood and impact. The first step in conducting a risk assessment is risk
identification: determining which of the threats identified in the threat assessment pose an
actual risk to an organization’s people, assets, information and reputation. The next step is to
analyze the identified risks. This process involves assigning a likelihood and impact rating to
each of the risks and then prioritizing them, listing the risks on a risk “register” in order of
priority to determine which require immediate action. The final step is to evaluate the risks to
determine the appropriate response to each. The organization can choose to tolerate risks
(accept without making any changes), terminate them (decide to cease operations because
the risk is too high), transfer them (purchase insurance or employ a third party contractor), or
treat them.
Risk treatment is the final phase, in which the organization develops a plan to mitigate those
risks that it deems need treatment.
Although this framework was originally developed to focus specifically on security threats, it is
easily adaptable for use in supporting a company’s ERM program.
16. 13
From Guns, Gates and Guards to Strategic Business Advisor – The Evolution of the Security Leader through ERM
“I have a desire to really understand our core business. For example, I regularly spend time in the field, walking
in the footsteps of the service delivery guys, to understand our business and where it has to interface with risk.”
Rob Ream, Senior Manager of Global Security, Crisis and Emergency Management, BHP Billiton
Director of Global Security at Abbott Laboratories.
In this subtle way, security leaders can reposition
themselves as adding value to the business.
Business Acumen
To become leaders of ERM strategy, security
leaders must understand the business in its
broadest sense and be aligned with its goals. By
combining business acumen with their existing risk
management expertise, security leaders can
position themselves to advise business leaders on
smart, risk-based decisions.
Security leaders who started their careers in
government environments or were “groomed” in
positions with limited exposure to the business will
have to use their own initiative to hone business
acumen. One of the pitfalls for security leaders who
come from rule-based government organizations is
to approach the business from that same rule-based
perspective. Although it may be relevant in areas
where security has to set minimum standards from
which an organization cannot deviate, the security
leader will still have to be able to answer the “why”
question: “Why does security apply this rule and
what is the value to the business?” The inability to
answer that question convincingly can have dire
consequences – it will oftentimes lead to disregard
or to sloppy execution of minimum standards. This
results in ineffective prevention, causing loss and
reaffirming the business’s lack of faith in the security
program. Answering the “why” question convincingly
hinges on the ability to articulate the risk to the
business posed by a security issue and to
demonstrate how effective mitigation improves the
company’s chances of success.
Start with understanding the business strategy. What
are the strategic objectives for the organization for the
next 3-5 years? How does the organization want to
develop and grow? Which markets, products,
services and priorities does the business want to
focus on? What are internal and external pressures
on the business? “It is critical to align your ERM
program to your organization’s strategic planning
process,” says Katherine Chadwick-Johnson, Global
Program Manager & ERM Program Director of
Harsco Corporation. “As security directors, we also
have to acknowledge that security risks are merely
one type of risk our companies face – and that
security risks should be evaluated and managed as
any other type of operational or strategic risk. This is
important, as it lends increased credibility to the
security discipline, and emphasizes a harmonized
approach to risk management.” If the security leader
17. From Guns, Gates and Guards to Strategic Business Advisor - The Evolution of the Security Leader through ERM
14
combines this deep understanding of the business
with risk management expertise, he or she is able to
partner with business leaders. He or she will now be
able to help them identify the risks, develop a
reasonable estimate for the likelihood and impact of
those risks on their business, expand their perception
of risk priorities and guide them to better risk-based
decisions. Control Risks recently helped one security
leader develop quantitative performance indicators
that accurately reflected his organization’s business
priorities and objectives. Linking risk management
metrics to business goals allowed the security leader
to consistently, regularly and accurately demonstrate
to business leaders the effectiveness and efficiency
of different risk mitigation strategies.
Developing business acumen can take time. For
security leaders, the first step is to look beyond their
security teams; success in ERM demands a much
broader perspective. It is vital that the security leader
be familiar with the operations and goals of other
areas of the business and be able to “speak their
language.”Onesecurityleadergainedthisperspective
byspendingmoretimewithhiscompany’stechnology
and engineering teams and community relations
department to understand how risks intersect across
the enterprise. Another plunged into his company’s
financials, reviewing annual reports and independent
analysts’ assessments of the company. His security
team became so adept at understanding financial
risks that they eventually took on an active role in
managing them. This process elevated his team’s
reputation from being the “security guys” to being the
“risk guys.”
Security leaders who understand and articulate the
business’s strategy are able to:
• Shift from “rule” to “reason”
• Speak the language of the business
• Translate “security” to “risk”
• Combine risk knowledge and experience with
understanding of the business objectives,
metrics and processes in order to build the
business case for investing in risk management
in order to maximize opportunity
Cyber Security: An Enterprise Risk
In many respects, cyber security is a classic enterprise risk. Often, cyber security is viewed as an
IT issue, but the risks that cyber threats pose and the mitigations they require truly cut across the
whole organization. Think for a moment about all the sensitive information your organization stores
and who is responsible for it; all departments manage varying degrees of confidential and
competitive information. The finance department controls accounting information, the human
resource department stores personal data about employees, the sales team keeps client records
and pricing strategies, security keeps schematics of physical security and often employees’ travel
itineraries, the legal department keeps records on negotiation strategies, and executives have
access to high-level corporate strategy documents.
Now consider what would happen if some of this information were somehow stolen off your
company’s computers. The most important factor in the response might not be kicking the thieves
out of your network but rather how the organization manages the crisis overall. In fact, a 2013 study
found that having an incident response plan in place is the biggest factor in reducing the cost of a
cyber breach.3
Depending on the nature of the crisis, a response may involve closely coordinated
public relations and legal strategies, and perhaps the active participation of the CEO.
Just as preparing and responding to cyber risks should involve all parts of an organization,
understanding how cyber risks stack up against other risks also requires an organization-wide
perspective. ERM frameworks are an ideal tool for all of this. Indeed, best practices for cybersecurity
increasingly focus less on technical controls and more on a holistic risk management framework.
Organizations that do this are not immune to network breaches, but they are better prepared to
handle breaches when they occur. A well-documented enterprise approach to managing cyber
risks can assuage regulators, facilitate broader access to cyber insurance and reassure investors.
And that’s good for a company’s bottom line.
3
https://www4.symantec.
com/mktginfo/
whitepaper/053013_GL_
NA_WP_Ponemon-2013-
Cost-of-a-Data-Breach-
Report_daiNA_cta72382.pdf
18. 15
From Guns, Gates and Guards to Strategic Business Advisor – The Evolution of the Security Leader through ERM
By increasing risk management expertise and business
acumen, the security leader becomes increasingly
inclined to embrace ERM; which is one of the two
driving factors affecting a security leader’s role in an
ERM program. So what can the security leader do to
improve the organization’s attitude towards ERM?
Leadership
A truly effective leader has the potential to transform
his or her organization’s appetite for ERM – this is
the other driving factor behind a security leader’s
role in an ERM program. Leadership is about
influencing and changing the behavior of others to
achieve the goals that the leader determines are
worth attaining. To be able to do that, a leader
needs to develop or enhance the following abilities4
:
• Vision and creativity: The ability to define the goal
• Passion: The ability to pass on the commitment
to that goal
• Interaction: The ability to communicate vision
and passion in a way that will be understood
• Empowerment: The ability to give others the trust
and means to reach the goal, and making that
behavior something intrinsic, something of their own
In order to lead an organization through the ERM
process, a security leader must transform into a risk
leader. As described above, the first phase of the
ERM life cycle involves developing the ERM vision
and roadmap. Risk leaders who want to creatively
develop a vision for risk management that will mobilize
the organization understand that they must work
closely with others from both inside and outside the
organization. Successful risk leaders involve all
domains in the enterprise. In order to fully understand
who the key risk influencers are, risk leaders conduct
a critical organizational analysis and study the
organizational design to understand how the
company makes decisions and incentivizes behavior.5
They must also be sensitive to cultural differences
within the organization and the geographies in which
it operates. Cultural sensitivity helps a leader to
understand what is achievable and workable—and
what isn’t—and to use that understanding to formulate
a risk management vision.
Passion and interaction are closely intertwined.
Developing and implementing this “passionate
communication” is hard work. To be successful, the
risk leader must combine all of his or her skills,
passion and energy and engage a wide range of
experts and other supporters on a personal,
professional, tactical and strategic level. Mentoring,
coaching and training can boost the risk leader’s
effectiveness in this process. A risk leader might
consider training and coaching on communications
(including presentation and media training) to
develop and enhance his or her ability to passionately
deliver a message in a clear and succinct way. A
“The journey is just as important as the destination – it takes time to build competency
and appetite to create the right groundswell of support and enthusiasm.” Wesley Bull,
Senior Director of Global Security & Investigations, Nvidia
4
“Leadership, a
communication perspective,”
Michael Z. Hackman and
Craig E. Johnson, Waveland
Press, 2004
5
For a broader discussion of
this, see Alison Taylor, Risk:
An Organizational
Perspective, Control Risks
and Columbia University,
2014. http://www.controlrisks.
com/en/services/integrity-
risk/risk-an-organizational-
perspective
19. From Guns, Gates and Guards to Strategic Business Advisor - The Evolution of the Security Leader through ERM
16
support team around the risk leader can help
expand his or her “passionate reach” by preparing
the risk leader for specific performances and helping
him or her by acting as a sounding board for ideas.
When internal resources are insufficient, risk leaders
may look outside the organization. Control Risks
often supports risk leaders by assisting in the
development of their ERM communication strategies
as well as communications material such as
presentations and media articles.
Finally, risk leaders empower people in their
organizations to help them execute the risk
management vision. Transformational leadership
requires understanding how to empower others.
Within an organization, this means ensuring others
have access to the information, authority and funds
they need to achieve goals and explore creative
solutions. Successful risk leaders embed this
approach throughout their ERM programs. In phase
2 of the ERM life cycle, security leaders should lay
the foundation for empowering the people in their
organization to manage risks successfully. This
consists of:
• Building a risk governance structure with roles
and responsibilities of each stakeholder within
the risk management program
• Defining the framework, process, and tools that
are required to execute risk management
• Helping those actively involved in the ERM
development to understand when they are
expected to complete their risk assessment
activities, across all parts of the organization
In phase 3 of the life cycle – executing the ERM
process – the risk leader breaks down barriers
within the organization by actively involving and
empowering people throughout the organization in
the risk assessment and risk treatment processes.
This all needs to be done in ways that allow those
involved to recognize that they are crucial to the
success of the ERM program. Their energy,
commitment and involvement will ultimately
determine the organization’s ability to execute its
strategy successfully by managing risk and
maximizing opportunity.
20. 17
From Guns, Gates and Guards to Strategic Business Advisor – The Evolution of the Security Leader through ERM
Ongoing Relevance of ERM
One of the great advantages of ERM for security
leaders is that it creates a dynamic framework and
an ongoing process. The risk landscape is always
changing, and it will shift as the organization and
the environment change. This goes beyond external
threats like protests, natural disasters and political
unrest; ERM’s much broader remit includes
changes to laws and regulatory frameworks and
fluctuations in the financial markets. ERM will also
need to address changes in business objectives
and strategies. Those who lead and contribute to
ERM programs will – with each revolution of the
ERM life cycle – grow further beyond the traditional
perceived boundaries of the security function and
into a valued role as a contributor to the
organization’s growth and success.
21. From Guns, Gates and Guards to Strategic Business Advisor - The Evolution of the Security Leader through ERM
18
Appendix:
Knowledge, Skills and Attitudes of Risk Leaders
Security leaders who want to improve their
capability to support ERM programs may find it
helpful to focus on specific types of knowledge,
skills and attitudes that will help them succeed.
The matrix is derived from the “Competency
definitions” from the “Security Industry Survey of
Risks and Professional Competencies” by University
of Phoenix/ASIS Foundation, 2014.
Security and Risk
Management
Business Leadership
Knowledge
(“understands…”)
… global security issues
… security industry-related
trends, standards and best-
practices
... security-related science,
technology, engineering
and math (STEM)
… (enterprise) risk
management
… business objectives and
priorities
… key business, financial
and legal metrics
… key business processes
… the impact of national
and organizational cultures
on employee (risk) behavior
… how to engage diverse
groups of people effectively
… how to develop a vision
Skills
(“can
successfully…”)
… make security-related
decisions
… identify and implement
security goals that are
related to business goals
… develop and enforce
security and crisis
procedures
… speak the business,
financial and legal language
of business executives
… analyze and understand
stakeholder interests
… align risk approach to
business priorities
… prioritize
… coach people … express
thoughts verbally in a
succinct, logical manner
… communicate with others
to persuade them to act on
risk-related issues
… empower others to help
them achieve the agreed
objectives
Attitude
(“enjoys…”)
… data-driven processes
… applying security
approaches to reduce risk
… data-driven processes
… learning and developing
new ideas
… engaging with colleagues
in other parts of the
organization
… working with other
people to achieve
objectives
… staying calm and in
control when under
pressure
… learning and developing
new ideas
The Risk Leader’s Knowledge, Skills and Attitude matrix:
22. 19
From Guns, Gates and Guards to Strategic Business Advisor – The Evolution of the Security Leader through ERM
About the Authors
Acknowledgements
In the process of compiling this white paper, Control Risks consulted with a focus group of security professionals who are involved with their own
organizations’ enterprise risk management programs. This paper benefitted greatly from the insights and input of this accomplished and dynamic group.
They include:
• Wesley Bull, Senior Director of Global Security & Investigations, Nvidia
• Katherine Chadwick-Johnson, Global Program Manager & ERM Program Director, Harsco Corporation
• Bob Graves, Senior Director of Global Security, Abbott Laboratories
• Rob Ream, Senior Manager of Global Security, Crisis and Emergency Management, BHP Billiton
• Matt Ryan, Director of Corporate Security Worldwide, The Hershey Company
• John Turey, Senior Director of Enterprise Risk Management & Global Security, TE Connectivity
Jeroen Meijer is Managing Director of Consulting
of Control Risks’ Crisis & Security Consulting team
in the Americas. He advises clients on issues
related to risk management, security management,
crisis management, business continuity and crisis
communications. Prior to joining Control Risks,
Jeroen was a communications trainer in The
Netherlands and an 18-year veteran of the Royal
Netherlands Navy.
Marco Leijnse is Director of Control Risks’ Security
Risk Consulting team in the North America. He advises
clients on issues related to risk management, security
governance, management, and compliance. Prior to
joining Control Risks, Marco was a program manager
in the financial services industry in Australia. He served
both in the Royal Netherlands Navy as well as the
Royal Australian Navy. Marco is a certified Governance
Risk and Compliance Professional (GRCP).
Nadav Davidai is a Senior Consultant for Control
Risks’ Crisis & Resilience Consulting team in
Washington DC, where he is a Certified Business
Continuity Professional (CBCP) and certified
Governance Risk and Compliance Professional
(GRCP). Prior to joining Control Risks, Nadav was
a graduate fellow with the Terrorist Financing and
Financial Crimes division of the U.S. Department
of Treasury.
communicationsamericas@controlrisks.com
