Whilst simple (security) risks are comparatively easy to identify, quantify and understand, there are three areas in particular that I’d suggest organizations should devote more attention to, namely:
(1) high-impact, low-likelihood events or ‘black swans’,
(2) interconnections between risks and
(3) culture, compensation and fraud.
These continue to be major drivers of value loss in firms. I try to show companies that competence in enterprise risk management is paramount to business survival and success, and that it offers a true strategic advantage.
It should be a critical part of any business continuity plan. In this regard I always like to refer to organizational resilience management, which is not a single discipline but rather a blended consideration of the risks facing an organization.
It is both a forward-looking and a backward-looking approach to managing risk in pursuit of an organization's objectives. It is about maximizing opportunities and minimizing both the likelihood and the consequences of adverse events by removing the silos and finding the appropriate balance of adaptive, proactive and reactive strategies.
I also often emphasize the use of proven asset protection methodologies, concepts and theories, and how they can help to mitigate specific security risks. This approach, combined with key metrics (what cannot be measured cannot be managed), demonstrates the relationship between effective security and company profitability. Security executives must understand how to bring these elements together to meet company objectives and succeed in the current global business environment.