Many organisations do not have a whole-of-enterprise risk policy that sets out how the organisation will identify and evaluate risk at the strategic and operational levels; who will decide how and when risk will be addressed; and what processes will apply in implementing those decisions efficiently and effectively, including a follow-up process to assess implementation outcomes.


A strategic risk policy framework would equip the organisation’s leadership with knowledge through enhanced foresight. Leaders would receive earlier warning of short- and long-term risks, within a timeframe that supports good decision making. Top-level policy framers would identify and rank risks through a disciplined process so that decisions can be made about how each risk is to be addressed. In particular, policy framers could develop alternative strategies for addressing a known risk – or a risk that is very likely to materialise – so that the opportunities relating to that risk can be exploited.


Applying a risk policy requires an organisation to reassess some of its primary assumptions. Risk can exist anywhere, at any time and in any form, yet existing business assumptions often carry spatial and temporal limitations. Two adjustments follow. Firstly, the globalised world of today requires a different approach to chaos, unpredictability and uncertainty – one that delivers immediacy in time and scope. Secondly, organisations need to capture and adapt to the emerging realities of globally interconnected and interdependent systems and networks, and reflect them in their policy settings.


On this basis, a risk policy would apply to an organisation’s corporate plan and cascade through the specific discrete policies designed to achieve the corporate outcomes in the plan.


What is an organisation’s Strategic Risk Policy?


The Risk Policy is a statement of the extent and kinds of risks that an organisation is willing to take to achieve its objectives and the processes to be addressed in managing them. It includes:


• A definition of risk and the relevance of vulnerabilities to the matter under consideration.


• A rating mechanism to determine likelihood and consequence.


• A framework or boundary or parameter within which risk is to be assessed and evaluated (e.g. the external economic environment and/or the internal organisational environment).


• Categories of risk reflecting the organisation’s purpose and structure.


• A methodology for identifying and evaluating risk exemplars to enable informed judgements to be made about how the risk is to be managed.

© City Security Magazine – Autumn 2014


• A risk management process (risk governance) that is integrated with the organisation’s budget and planning cycles, mandated by the organisation’s leadership, and implemented across the organisation.


The Risk Policy and security context


To effectively protect the company’s people, assets, operations and reputation within this demanding operating landscape, the philosophy of security has evolved from one of ‘asset protection’ to one that seeks to underpin ‘organisational resilience’ by being integrated directly with strategic risk policy. Key to success in this endeavour is the seamless integration of security and business processes, which, by extension, aims to transfer accountability for security performance to business managers. Linked initiatives include integration with the Enterprise Risk Management (ERM) programme, improvements in individual security performance measures and active participation in the Operations-owned Business Continuity Management (BCM) programme.


Missions of the security function


The mission of the Enterprise Security Department consists of the overall protection of the Enterprise assets whether they are human, tangible or intangible.


These may include all of the Enterprise’s employees, worldwide or nationally, sometimes their families, some sub-contractors, the sites and equipment, as well as the Enterprise’s sensitive information and any information that may affect its image. Thales, as an example of a global Enterprise, defines the Enterprise Security Policy and its application procedures, taking national legislation into account (in particular in terms of Defence), and closely monitors its implementation and the attainment of the associated objectives. The Security Department must also serve the operational units, giving them as much assistance as possible in collecting information and in analysing and preventing the risks inherent in their contracts. Finally, the Security Department deals with all incidents likely to be detrimental to the Enterprise and to its interests.


Security management


Security management relies upon the integration and coordination of a variety of inputs, components and processes to achieve desired outcomes; this ‘system’ forms the basis for the implementation, operation and continuing effectiveness of all security arrangements across the organisation. The system comprises:


• Processes: A sequence of events that uses inputs to deliver outputs.


www.citysecuritymagazine.com


• Enablers: System inputs that underpin the security management system (SMS).


• Activities: The active utilisation of other system inputs and processes.


• Assets: Internal and external ‘things’ of value to the organisation.


• Practice Areas: Information and activity domains.


Principles of security management


Enterprise Security is underpinned by a set of core principles:


• An effective security environment is essential for the organisation to achieve its business objectives.


• Security mitigations are implemented in response to effective risk analysis.


• Business management is accountable for security performance, based upon regulatory and policy requirements.


• When a function is outsourced, the business personnel responsible for that function remain accountable for its secure performance.


• Security investigations must be conducted quickly and with appropriate sensitivity. Investigations should attempt to identify causes, minimise adverse consequences and recommend actions to prevent recurrence.


• Where work is conducted away from official places of employment, personnel must ensure their own security and that of the information and equipment in their trust.


• Personnel are both individually and collectively responsible for contributing to organisational resilience through adherence to and application of security requirements.


Conclusion


The core principles that underpin security help build organisational resilience. When security threats are effectively mitigated and related incident management systems are in place, an enterprise has much of the capacity required to cope with unexpected disruptive events arising from malevolent human actors. It is possible to develop a comprehensive policy and process framework that turns these principles into actual behaviours and activities and a further article will explore this development.


Jason Brown, FSyI CSyP RSecP, National Security Director, Thales Australia & New Zealand



