In what ways might the modern day blue chip organisation benefit from an all-embracing approach to risk management by in-house professionals, and what tools or skills would the holistic risk manager need to bring to the fore if such an approach were adopted?
Holistic, business or enterprise risk management – call it what you will – is the term given to the management of all risks that a given business and its activities face on a daily basis. As the word 'holistic' suggests, this type of management is concerned with 'wholes' rather than separating elements into parts for analysis or treatment. This process doesn't limit the risk management role to the general security risks often found to be the remit of the security manager, but extends to cover financial, strategic and operational risks.

With this in mind, how can the modern day organisation benefit from an holistic approach, and what tools or skills would the holistic risk manager need to apply?

In the late 1990s, a new breed of risk manager appeared in the US with the title of Chief Risk Officer (CRO), requiring a lot more expertise and exercising a great deal more authority. The aim of the CRO was still the same as that of the role of any security and risk manager, namely: "To identify all risks, analyse and quantify them before determining whether to mitigate, absorb or transfer them".

How, though, does the CRO's role differ from that of the risk management process as we know it?

What made CROs slightly different is that this position was a direct result of recognition by the management of many major corporations that the different types of risks faced by any organisation should no longer be split between various departments and managed in isolation.

The major benefit of this holistic approach is that a greater understanding of the effects of certain risks and threats on the business can be obtained, and with it a more accurate picture of how best to address them. One of the biggest benefits can be that, when one department looks at addressing its risks, the solutions sought would always try to avoid transferring those risks to another area of the organisation at either the same or a higher cost. Another plus point is that risks are prioritised more efficiently when each type of threat is viewed alongside others. Time and/or money can then be allocated far more effectively.

Another important benefit of the 'holistic' approach to risk management is that it requires input from all departments and – crucially – the management. In this way, it brings security issues back into the Boardroom, highlighting the role of security in enhancing shareholder value rather than appearing as merely another unwelcome or unnecessary expenditure. One of the great ironies in relation to security matters in the past was that companies were watching the pennies on the security manager's budget while the pounds were often quietly disappearing through fraud or some other (often ignored) internal form of crime.

Holistic risk management objectives
What, then, are the major objectives behind adopting an holistic risk management strategy?

In essence, such a policy would be aimed at enhancing shareholder value through protecting the assets of the business, reducing expenditures on immaterial risks, improving capital efficiency, building investor or market confidence, exploiting areas of risk-based advantage, demonstrating duty of care, ensuring compliance with the law and providing stability/fewer interruptions in business activities.

The starting point for using this approach to risk and threat is to list all the assets of the business – including its buildings, equipment, finances, products and services, personnel, information and even reputation. It's then necessary to review all areas and list the possible threats facing each. Take into account outside influences such as suppliers, contractors, market factors, legislation, the environment and new technology.

For each area there are three salient questions that must be asked. What can go wrong? What is the probability of something going wrong? What would be the consequences if something did go wrong?

The task before the holistic risk manager is to then bring all of these strands together and develop a risk management strategy that addresses each of the issues outlined, and find ways of developing it. Risk assessments are fairly commonplace in most businesses, but with such a large task at hand there are many pitfalls that could prevent you from reaching your goal.

Common problems when conducting the risk assessment can be a lack of accurate information, resources or co-operation within the company, a lack of experience and/or education on important factors or a failure to predict new or unexpected risks. Following the events of September 11 2001, many organisations woke up to the fact that they did indeed need to think of the unthinkable, and adopt a flexible risk detection and management process to suit.

Risks and threats have become so diverse over the last few years, reminding us all that the past is not necessarily a good indicator of the 'next big threat around the corner'.

What does the assessment demand?
The key to conducting an holistic risk assessment is having the processes in place to obtain accurate information, both industry-related and site-specific, from internal and external sources alike. Having obtained such information, and using sensible evaluation techniques based on knowledge and experience, the company can then respond in the appropriate manner.

Having listed all potential threats to the business, as well as their probability of occurring and their likely effects, the risk manager and/or his or her team will then need to prioritise the risks based on their singular impact or collective impact on the organisation as a whole.

Security and risk awareness embedded into the company culture is often the dream of a security manager. With an holistic approach to risk management this can be achieved. The CRO or holistic risk manager will often call on the heads of each department – security, health and safety (and fire protection), facilities management, human resources, IT, treasury and finance, public relations, marketing and general business operations – for information and advice, raising awareness and forging relationships with each group.

With regular briefings, each department can be involved in the whole process of risk management, directly contributing to the decision-making process and appreciating the greater and wider issues faced by the company at large. Arguments over expenditure or budgets lessen as financial managers understand the motivation for risk mitigation expenditures, and can appreciate the likely effects on the 'bottom line'.

The right structure breeds success
The structuring of a team within the organisation will be very important to the success of the project. Involving key people across the board will ensure that the aims are more easily understood, and that each department adopts a certain amount of responsibility to see that guidelines or policy is followed, but it's not without its problems. It would be unusual if everybody agreed with all the decisions being made.

However, as this process is based largely on collection and analysis of data rather than any personal motivation, the reasoning behind each decision is likely to be sensible and acceptable to most professionals.

Some companies choose to employ outside specialists to provide the supportive data or a 'second opinion' on the likely threats or problems in that particular area where the company feels it doesn't possess the necessary experience (or where a big expenditure is recommended and there isn't the confidence to commit finances without more proof).

A good team of people and an efficient reporting structure are almost as important as the calibre of the risk manager leading the project. One of the things to remember when picking the right team is that the candidates need to have a flexible approach to whatever task is at hand. This process is not for the institutionalised types, but rather for those who (for want of a better phrase) are able to 'think outside the box'.

The word 'risk' comes from the Italian word 'Risicare', which literally means 'to dare'. Like the card game entitled Risk, risk management involves having to make a choice. A good one could mean that you'll 'win', but make a bad choice and you'll probably lose.

You're right. It's a gamble – but if you do your groundwork then making the right choices should become much easier.

That said, a good risk manager accepts that risk is a part of life and is forever changing. It stands to reason, then, that the 'project' of risk management should be both continual and regularly updated.

Assessing the risks involved
Once the objectives are laid out and the structure is in place to conduct the holistic risk management project, the next task involves addressing those risks outlined.

Many companies decide to prioritise, addressing the top six to ten items while leaving the remainder to be handled by the appropriate department when both time and budgets allow. Some companies choose to look at all of their threats together. Ultimately, the choice of how to manage your list will depend on the size of the company, the time and resources available and the size of the list. Your basic options are to eliminate the risk, reduce it, transfer it, spread it or ignore it.

Elimination of a risk is seldom achievable. If you decide to reduce or mitigate the risk, that will involve taking measures to limit exposure to (or the effects of) the risk. In practice, transferring the risk will mean that you pass it on to another party by way of contracting-out or insurance cover. Spreading the risk means that key activities are dispersed, but in such a way that, if one part of a system or process fails, sufficient elements remain behind to maintain business activity.

Most larger organisations prefer to transfer the majority of their risk problems via insurance. That said, this is not always the best course of action to take, as this and other forms of risk transfer only act to reduce the impact of loss. In no way do they prevent a loss-making event from occurring. This should be one of the last options used, as avoidance or control at source is usually much more cost-effective.

It should also be one of the last options for a public company as share values often depend on uninterrupted earnings and company reputation. If the organisation is shown to have been 'exposed' (whether covered by insurance or otherwise), then share values may well begin to nosedive.

Remember, too, that if you opt to outsource services you don't necessarily 'outsource' the image impact. You'll always retain an element of liability, and it's usually the case that your company's image will suffer more than that of the contractors.

In all cases, whatever option you choose it will certainly be the case that risk reporting is the key to satisfying the Board and company shareholders that issues are being addressed successfully, and that compliance with stated rules and regulations is assured.

In 1999, the Turnbull Report proved quite a motivational factor in bringing security and risk-related issues to management's attention. It provided guidance to companies listed on the London Stock Exchange on a risk-based approach to internal controls. In some Boardrooms, the message has permeated to such an extent that directors are insisting on a more integrated view of risk – at least in part because regulators are demanding greater accountability from them.

Chief executive officers are now realising the need for a full-time person or team: someone who can think and worry about risks all the time. That way, someone is accountable if anything should go wrong.

Regulatory pressure brought to bear
Regulatory pressures – in particular capital adequacy, allocation and accountability issues – are compelling many companies to centre on risk as a major area of their business activity. With corporations still reeling from the effects of September 11 2001 and the scandals of Enron and WorldCom, there's now tremendous pressure on them to re-evaluate the importance of risk management (including security), and the potentially devastating effects that poor risk management can have on the company in both the short and longer terms.

Holistic risk management considers the business policies and objectives of the company together with the risks and threats from every sphere, and then attempts to find the right balance from all the available risk mitigation options. If correctly structured, business growth will be the end result.