Rebecca Sherouse, Head of Account Management and Security Advisory, HiveWatch, explores the three key steps to a mature risk management approach.
Out of all the things we’ve learned about security, nothing is more true than the fact that no two security programs are exactly the same.
What is always the same, however, is the need for businesses to create resilient organizations that proactively monitor and prepare for credible risks that are posed to their organization and the employees that support it.
Risk, as it’s used here, means the likelihood and subsequent impact of a threat event occurring.
A number of factors bear on the level of risk to an organization, and the variety of threats that a security team is responsible for monitoring and managing can be vast.
To effectively manage enterprise risks, businesses need a methodology to organize and quantify the likelihood and impact of a credible threat event occurring.
One way to conceptualize these often complicated problems is through standardizing how you identify, assess and mitigate these risks.
The first step in the risk management lifecycle is to identify the direct or indirect threats posed to the organization.
To do this, security leaders need to have documentation about the scope of threats that the business is mitigating against.
This can be anything from violence in the workplace against employees, to threats of natural disasters or even industry-specific threats, such as the theft of expensive industrial equipment that has the potential to shut down operations.
Once these risks have been identified and documented, they can be categorized to fit into the broader enterprise risk reporting process – giving senior leaders visibility into key security risks posed to the organization.
Security teams cannot protect the business from risks they are not aware of, so clearly documenting and aligning on a security risk register at the enterprise level is of utmost importance.
Once security leaders have aligned on the scope of security risks posed to an organization, the next step in the risk management process is to determine the likelihood of those threat events occurring and the impact if they do.
This part of the process is called assessment, which involves security professionals leveraging a variety of qualitative and quantitative data to understand different indicators of likelihood (intent, capability, frequency, vulnerability) and impact (severity and consequence).
To properly assess risk, security professionals should be equipped with the tools to analyze the intent and capability of a threat actor, to determine the effectiveness of the controls in place to mitigate and reduce the impact of those threats, to understand the consequence of a threat event occurring, and to evaluate the recoverability mechanisms in place to respond to an incident should it occur.
When conducting an assessment of risk, security leaders should be able to answer the following questions:
Following identification and assessment, a security team must be able to plan for mitigation of the threats to an organization.
Traditional risk management entails one of the four Ts: tolerate, transfer, treat or terminate.
Security professionals should have the know-how, support and resources to deploy a risk mitigation strategy quickly and efficiently so as to decrease residual risk to a palatable level.
It is important to remember that there are many ways to prepare for and mitigate risks.
The arsenal of tools a security team deploys might include accessible employee hotlines, proactive threat monitoring via intelligence platforms, keyword and social media monitoring, tailored threat identification training for human resources representatives and well-established relationships with local law enforcement and intelligence agencies.
A mature security organization will also consider crisis management and business continuity planning as a way to mitigate the impact or severity of a threat event if it does occur.
Those in security will know that planning and routinely exercising incident response plans is something every security department should keep front and center in its mitigation strategy, to help prepare the organization for a range of eventualities.
Recently, the World Security Report, commissioned by Allied Universal, reported that large, global companies lost a combined $1 trillion in revenue in 2022 due to physical security incidents.
Citing social unrest, climate change, fraud and theft, survey respondents said that they anticipate these risks and the threats they pose to their ability to do business.
In that sense, physical security is directly tied to business resilience efforts.
Business resilience is the organization’s ability to respond and adapt quickly to disruptions or significant, unplanned events that could threaten its operations, people, assets, brand or reputation.
Investments in risk management efforts and subsequent technology that can directly impact response to threats will increase as a result, leading many security leaders to identify comprehensive platforms to enhance intelligence and streamline incident response.
Rebecca Sherouse is the Head of Customer Success and Account Management at HiveWatch, where she is focused on providing end-to-end lifecycle account management support to customers.
Previously, Rebecca was a Director of Security Risk Consulting at Control Risks, a leading global security consulting firm.
As a consultant, she supported organizations with the implementation of holistic security risk management strategies and the development of tailored security programs and mitigation efforts that fit their risk profile, corporate culture and operational needs.
This article was originally published in the October edition of Security Journal Americas.