Faculty Advisor: Aligning Risk Management Goals with Business Priorities

Return to Demonstrating Value
Q. How can I make sure my risk management goals align with senior management’s priorities?

The Security Executive Council (SEC) believes that security leaders can enhance their ability to both communicate security effec­tively and align with board strategies by learning to view risks the way the business is likely to perceive them. The SEC has identified common enter­prise risks that can be organized into eight descriptive board-level risk cat­egories: Financial, Business Continuity & Resiliency, Reputation & Ethics, Human Capital, Information, Legal, Regulatory Compliance & Liability, New & Emerging Markets, and Physical/Premises & Product.

We encourage security departments to present a business-based view of their programs by grouping identified security risks, as well as security mitigation strategies, into the list of common risk categories (of course, all organizations are unique, and more or fewer categories may be used depending on industry and size - or even a category specific to their industry or sector). This grouping can also be compared to the critical organizational risks the Board has identified. This way, the secu­rity function can present a direct link between each business category and the potential use of a security program or service to mitigate the risks identified. We have found this can lead to a number of positive results:

Improved communication. Because the flow of information is critical to effective risk management and effective risk oversight, it behooves the security leader to communicate risks and solu­tions in a framework that is already familiar to the Board. Grouping risks into board-level categories creates this framework, ensuring the information presented can be easily understood.

A business-first perspective. Any business unit can easily become so mired in its own operations, require­ments and challenges that the broad­er goals and needs of the enterprise become obscured. This exercise enables security leaders who fall victim to such a mindset to break out of their narrowed view and see their function through the eyes of the business.

Value identification. When secu­rity initiatives are presented in the con­text that resonates with the Board, they may have a clearer view of how and where security adds value to the organization. In addition, the analysis may uncover untapped opportunities for security to help reduce redundan­cies, assist other functions or expand programs to create new value. In this regard, well-documented metrics pro­vide enormous value to all parties.

Strengthened support. The SEC helps conduct board-level risk analyses based on its research of corporate enterprise risk assessment plans and strategies. Security leaders who have undergone this analysis report that displaying the risks in line with the values of the Board helps them gain sup­port and move initiatives through the organization.

If you want to learn more about the Board-Level Risk Model, please see Managing Enterprise-Wide Board Risk.

Answer provided by Kathleen Kotwica, EVP, Security Executive Council, and Principal Analyst, Security Leadership Research Institute and Greg Kane, Director of I.T. and Product Technology, Security Executive Council.

Return to Demonstrating Value