A Strategic approach to Resilience, Risk and Security
The globalised world of today, with its range and complexity of risk, requires a sophisticated approach to developing a strategic security management system, one that gives enterprise leaders confidence that their business is as resilient as it can be to those risks.
Resilience is a much abused and maligned term. It is most coherent when used in a biological sense, but it has come to mean anything from an enterprise’s rapid adaptability to change, through to having business continuity and emergency management plans in place. For the purposes of this article, the ISO definition of Resilience provides the parameters for the discussion of the role of security in building resilience:
The adaptive capacity of an organisation in a complex and changing environment. Simply put, resilience is the ability of an organisation to manage disruption-related risk (ISO/WD 22323 Societal security – Organisational resilience management systems).
Cockram and Heuval provide an expansion of this definition, in the business continuity context, “the capacity of an organisation to plan for and adapt to change or disruption, through anticipation, protection, responsive capacity and recoverability” (Cockram and Heuval, 2012).
It is in this context, of protection and response, that security makes its contribution.
The definition and nature of security
ISO defines security in a broad sense: security is the condition of being protected against hazards, threats, risks, or loss. In the general sense, security is a concept similar to safety. The distinction between the two is an added emphasis on being protected from dangers that originate from outside. The term “security” means that something not only is secure but that it has been secured.
However, for the purposes of this article, the focus is on security as an activity conducted to ensure protection exists. It begins with an appreciation of Risk Management at the strategic level.
Security activities are those measures that reduce the risk to an enterprise’s objectives arising in the Physical, Personnel, Information Management and Technology domains. Mitigating the security risks in these domains is necessary for the conduct of the business of the Enterprise, be it nation, community or institution. The Australian Commonwealth Protective Security Policy Framework sets out the definitions and actions required to manage security risk arising in these domains, and it is adopted as the model underpinning this article.
The role of policy and risk
Risk is the potential that something will occur that will impede the achievement of objectives. Strategic Risk Policy refers to the framework in which organisations consider their goals and objectives and consequently develop and implement their policies to reduce the extent and kinds of risks that an organisation faces in achieving its objectives.
What is strategic risk policy?
Strategic risk policy is an integral part of good governance. It provides clarity and certainty in policy formulation and implementation, and it supports organisational resilience. Organisations should consider developing and implementing a comprehensive risk management framework within which they develop their policies and procedures.
The governance element consists of two components. The first is the development and implementation of a risk policy framework that ensures that strategic risks are considered both in the policy development phase and then again in implementation so that emergent and unanticipated risks are mitigated.
Risk Policy Framework
The second is a high-level policy commitment – the Organisational Risk Policy (Directive) – that mandates effective and accountable risk management practices at all levels of decision making.
The risk equation needs to be considered at each of the two stages of risk policy. It can be summarised as follows:
Risk is a consequence of the conjunction of Vulnerability and Threat/Hazard. Because risk is only the chance of something happening, identifying vulnerabilities enables potential risks to be identified earlier and evaluated in a clear, purpose-driven manner. Decisions can then be made about how the risk is to be addressed, e.g. by deflecting it, by hedging against it, or by mitigating its effects, that is, by reducing or negating the impact of the conjunction of a threat/hazard with a vulnerability.
Vulnerability is the intrinsic properties of something resulting in susceptibility to a risk source that can lead to an event with a consequence (ISO/IEC Guide 73:200).
Many organisations do not have a whole-of-enterprise risk policy that sets out how the organisation will identify and evaluate risk at the strategic and operational levels; who will decide how and when risk will be addressed; and what processes will apply in implementing those decisions efficiently and effectively, including a follow-up process to assess implementation outcomes.
A strategic risk policy framework would equip the organisation’s leadership with enhanced foresight. Leaders would receive earlier warning of short- and long-term risks, within a timeframe that supports good decision making. Top-level policy framers would identify and rank risks through a disciplined process so that decisions can be made about how each risk is to be addressed. In particular, policy framers could develop alternative strategies for addressing a known risk – or a risk that is very likely to materialise – so that the opportunities relating to that risk can be exploited.
Applying a risk policy requires an organisation to reassess some of its primary assumptions. Risk can exist anywhere, at any time and in any form, but extant business assumptions often carry spatial and temporal limitations. Two revised assumptions follow. First, that the globalised world of today requires a different approach to chaos, unpredictability and uncertainty, one that delivers immediacy in time and scope. Second, that organisations need to capture and adapt to the emerging realities of globally interconnected and interdependent systems and networks, and reflect them in their policy settings. On this basis, a risk policy would apply to an organisation’s corporate plan and cascade through the specific, discrete policies designed to achieve the corporate outcomes in that plan.
What is an organisation’s Strategic Risk Policy?
The Risk Policy is a statement of the extent and kinds of risks that an organisation is willing to take to achieve its objectives and the processes to be addressed in managing them. It includes:
- A definition of risk and the relevance of vulnerabilities to the matter under consideration.
- A rating mechanism to determine likelihood and consequence.
- A framework or boundary or parameter within which risk is to be assessed and evaluated (e.g. the external economic environment and/or the internal organisational environment).
- Categories of risk reflecting the organisation’s purpose and structure.
- A methodology for identifying and evaluating risk exemplars to enable informed judgements to be made about how the risk is to be managed.
- A risk management process (risk governance) that is integrated with the organisation’s budget and planning cycles, mandated by the organisation’s leadership, and implemented across the organisation.
The Risk Policy and security context
To protect the company’s people, assets, operations and reputation effectively within this demanding operating landscape, the philosophy of security has evolved from one of ‘asset protection’ to one that seeks to underpin ‘organisational resilience’ by being integrated directly with strategic risk policy. Key to success in this endeavour is the seamless integration of security and business processes, which, by extension, aims to transfer accountability for security performance to business managers.
Linked initiatives include integration with the Enterprise Risk Management (ERM) program, improvements in individual security performance measures and active participation in the Operations-owned Business Continuity Management (BCM) Program.
Missions of the security function
The mission of the Enterprise Security Department consists of the overall protection of the Enterprise assets whether they are human, tangible or intangible.
These may include all the Enterprise’s employees in the world or nation, sometimes their families, some sub-contractors, the sites and equipment, as well as the Enterprise’s sensitive information and any information that may affect its image. Thales, as an example of a global enterprise, defines the Enterprise Security Policy and its application procedures, taking national legislation into account, in particular in terms of Defence, and closely monitors its implementation and the attainment of the associated objectives. The Security Department must also serve the operational units, giving them as much assistance as possible in collecting information and in analysing and preventing the risks inherent in their contracts. Finally, the Security Department deals with all incidents likely to be detrimental to the Enterprise and to its interests.
Security management relies upon the integration and coordination of a variety of inputs, components and processes to achieve desired outcomes; this ‘system’, the security management system (SMS), forms the basis for the implementation, operation and continuing effectiveness of all security arrangements across the organisation. The system comprises:
- Processes: A sequence of events that utilises inputs to deliver outputs.
- Enablers: System inputs that underpin the SMS.
- Activities: The active utilisation of other system inputs and processes.
- Assets: Internal and external ‘things’ of value to the organisation.
- Practice Areas: Information and activity domains.
Principles of security management
Enterprise Security is underpinned by a set of core principles:
- An effective security environment is essential for the organisation to achieve its business objectives.
- Security mitigations are implemented in response to effective risk analysis.
- Business management is accountable for security performance, based upon regulation and policy requirements.
- When outsourcing a function, the business personnel who own that function remain accountable for its secure performance.
- Security investigations must be conducted quickly and with appropriate sensitivity. Investigations should attempt to identify causes, minimise adverse consequences and recommend actions to prevent recurrence.
- Where work is conducted away from official places of employment, personnel must ensure their own security and that of the information and equipment in their trust.
- Personnel are both individually and collectively responsible for contributing to organisational resilience through adherence to and application of security requirements.
The core principles that underpin security help build organisational resilience. When security threats are effectively mitigated and related incident management systems are in place, an enterprise has much of the capacity required to cope with unexpected disruptive events arising from malevolent human actors. It is possible to develop a comprehensive policy and process framework that turns these principles into actual behaviours and activities and a further article will explore this development.
Jason Brown, FSyI CSyP RSecP
National Security Director
Thales Australia & New Zealand