Mark S. Beasley, PhD, CPA, at North Carolina State University was the first professional who started us thinking in terms of business risks being managed as a portfolio instead of the traditional model where each function or department focuses on its associated risks independent of the others. On the surface it seems like a reasonable, efficient, and cost-effective approach. In reality it calls for a holistic approach to risk management that requires goals, objectives, leadership and often education across functions to move forward.
In September 2010 IBM Global Technology Services produced a Thought Leadership White Paper, Taming the data demons: leveraging information in the age of risk. The focus of the document was to look at the risks associated with data, which they described as the “new world currency,” and the framework and advantages of a holistic approach to data risk management. To take that a step further, this same approach should also be applied to other areas within the risk portfolio, because in the world of “high tech,” “inter-operability” and “virtual” risks can no longer be managed effectively in the old “stove pipe” or functional mentality, since both the nature of the assets and the protection of those assets have changed.
Competitiveness in the global marketplace depends on speed and responsiveness because technology has evolved to a level where this expectation is reasonable. Technology has also created its own language – Internet, thumb drives, virtual, telecommuting, servers, server farms, VPN – and the list goes on and on. Companies have as many if not more “soft assets” as they do “hard assets.” The protection of those assets is not “a data issue or a risk issue; it is a management issue.”
The protection of the business assets depends on a holistic approach that blends the layers of risk mitigation (security) with the business culture from the top down. The approach promotes and capitalizes on strong interconnectivity between functions and creates an enterprise risk avoidance program. This kind of program requires layers of security created to protect the physical and logical assets that are critical or important to the business using a blend of people, processes, and technology without hindering the speed or responsiveness that the organization provides to its customers. An effective program requires management oversight and the blending of human resources, facilities management, security, finance, IT/technology, and other departments as necessary. Much like a three-legged stool cannot stand without all three legs, effective guardianship is not possible without a blend of people, processes, and technology.
The holistic approach to risk also has other benefits for companies. There is an ROI in the creation of a comprehensive security program that focuses on logical and physical assets using an interconnected model. A comprehensive security program reduces missteps and unnecessary or redundant costs, reduces fraud and misappropriation losses, identifies inefficiencies, increases productivity, and is responsive to the customer while creating a happier employee experience. The information that is gathered in creating the program provides management with valuable information about the threats to the organization and the probability and criticality of those threats being realized. This allows management to strategically decide how they want to manage risks using risk avoidance, risk reduction, risk spreading, risk transfer, or risk acceptance. Finally, the holistic approach to risk not only manages the risks to the business, it also provides a platform to meet the applicable regulatory compliance requirements that are an inherent part of any business operation.
Plan. Protect. Prosper.
Protus3 specializes in security system design, security consulting, corporate investigations and other investigative services. Partner with Protus3 and we will examine each situation to identify threats and develop solutions for your best outcome.