Security Risk Management in the UK - Essay Example

Summary
The essay "Security Risk Management in the UK" focuses on the critical analysis of the development of a framework that can be used to effectively manage security risks. It provides a definitive framework for crisis management, and a crisis management infrastructure…
Module 09BS555/2: Security Risk Management
Stanley Thomas

I. Introduction

The extra focus on corporate governance over the last decade has led to the development of several management systems that used to exist in the “good to have, but not now” domain. In the United Kingdom, companies are continuing to strengthen sound corporate governance systems, focusing on shareholder and stakeholder relations and accountability, improvements in the performance of the board of directors, auditors and the accounting function, and paying attention to the ways in which their companies are controlled and run (Solomon, 2007). Governance not only focuses on the operational aspect of the company but also considers contingencies, or plans that will ensure the continuity of the company's operation even under adverse conditions. Risk is thus what all companies must respond to in the face of the escalating interest in corporate governance.

Risk management has become an important component in all corporate affairs, operations and projects. Risk is presently of key interest to the business community, which intends to limit potential corporate liability (Borodzicz, 2005). Security risk, in whatever form and in whatever industry, poses a real problem that threatens the very survival of the company. Thus, not only is it imperative that it be managed well, but the operation and maintenance of any security event should be taken as a step to improve the security risk system. Although no organization can prevent all crises from happening, everyone can lower the odds of their occurrence while also mitigating the negative effects a particular crisis might have on brand confidence, business and operational productivity, market reputation, employee morale and corporate liability (Blyth, 2008).

This paper shall focus on the development of a framework that can be used to effectively manage security risks. It shall also provide a definitive framework for crisis management.
Lastly, the build-up of a crisis management infrastructure and how to justify its existence shall also be discussed. The Companies Act 2006 indicated that it is the responsibility of the organization to protect the interests of its stakeholders by ensuring that risks are mitigated and the crises faced by the organization are managed (United Kingdom Parliament, 2006).

II. Security Risk Management

Since September 11, 2001, decisions for security risk managers have become even more difficult. The terrorist threat potential, that is, the likelihood of an attack, motivations, and capabilities, has dramatically increased (Biringer, Matalucci, & O'Connor, 2007). The event was a realisation that an actual threat indeed exists which was previously relegated to the confines of a fictional world. Breaking all the barriers between what is possible and what is theoretical, a detailed look into risk assessment as a channel to manage risk is gaining ground. Reminiscent of Y2K, the buzzwords then were Business Continuity Planning, Contingency Planning, Emergency Planning and Disaster Recovery Planning. During Y2K the impending doom was a known quantity, and the precise time it would come was similarly known; nonetheless, its possible impact may not have been dimensioned properly, although it could have been determined in detail given the time. In this day and age natural disasters are occurring left and right due to climate change. However, real threats emanate from terrorist groups endangering the lives and limbs of people. Equal threats are created by a volatile financial industry that can affect any organization that failed to plan, jeopardising the right to a decent life and property of its corporate people, including pecuniary losses with respect to its stakeholders. There is an old saying: “when you don't plan for failure, you are planning to fail”.
Nevertheless, no organization has the resources to plan and deploy an infrastructure to cover all possible permutations of threats. The best that can be done is to assess the threats as accurately as possible and implement the recommendations borne out of the risk assessment process.

a. Risk Assessment

First, managers must define what is essential to the mission of the facility: what are the undesired security events that would interrupt the mission, the consequences associated with the events, the targets that must be protected to prevent the security events, and the liabilities incurred? Concurrent with determining what is important to the mission is identifying what to protect against, that is, defining the adversarial threat spectrum to understand where the potential threats are coming from (Biringer, Matalucci, & O'Connor, 2007).

The first step in assessing risk is to identify all assets of the organization that are vulnerable. Intricate details such as each asset's acquisition value, running value and revenue value over a period of minutes or hours should be determined. The second step is to assess the vulnerability of each of the assets that would render it useless when a disaster happens. The third step is to assess the threats that would make each of the assets vulnerable, or put it in a weakened state that will compromise the asset's effectiveness. The fourth step is to determine the possibility of occurrence of each of the threats that would expose the vulnerability of the asset. This should include valuing the impact of the asset's unavailability on the company's revenue or operation over time. If the length of time of an asset's unavailability can be determined, it should be multiplied by the revenue that could have been generated if the asset were online. Armed with the actual and tangible value in Euros of the potential losses to the company, the fifth step is to determine the possibility of the threats happening.
This portion of the risk assessment is dependent on the location and the kind of industry involved, as the business's success is defined by and dependent upon the political, environmental and financial stability of the location or the industry. The frequency or possibility of the threats happening is contingent on the volatility of the situation related to the identified threats. This portion of the risk assessment will either magnify or reduce the cost of the risk reduction strategy of the organization.

The sixth step is to determine how to manage or mitigate each of the risks to the asset. The strategy shall fall into the following categories: Risk Avoidance, Risk Acceptance, Risk Reduction and Transferring the Risk. This part of the risk assessment includes the build-up of infrastructure that could reduce the risk and its impact. This is also the part where the organization can make an informed decision on whether to invest in the risk mitigation infrastructure or to assume and absorb the risk and its impact, through prioritization of what is important to the organization in terms of operational imperatives. The best way to conduct a risk assessment of this nature is through the creation of a risk matrix. The risk matrix will help determine the organization's priorities and direction as far as risk management is concerned.

b. Incident Management

The objective of incident management is to restore normal operations as quickly as possible with the least possible impact on either the business or the user, at a cost-effective price (IT Service Management Forum, 2007). Collecting and collating data is an activity most often neglected in risk management. Incidents often provide a pattern that could project a potential crisis that may transpire in the future. There should be a team which would analyse and look for these patterns to prepare the organisation to resolve or mitigate the possible threats.
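A worked example of the six-step assessment in section II.a above, and of the "frequency of the threat multiplied by the revenue value plus the acquisition cost" arithmetic that the conclusion restates, added here as an illustration; it is not code from the essay or from any source it cites. The assets, threats, likelihoods, control costs and risk matrix band thresholds are constructed for the example, and the rule in `treatment` for choosing between avoidance, acceptance, reduction and transfer is an assumption, since the essay names the four categories without giving a decision rule:

```python
"""Six-step security risk assessment, written to follow the essay's steps.

Added illustration with constructed figures. Arithmetic: single loss =
outage hours x revenue per hour (+ acquisition value if the asset is
destroyed); annual loss = likelihood x single loss; priority comes from a
likelihood-band x impact-band risk matrix; step 6 picks a treatment.
"""
from dataclasses import dataclass
from typing import Optional


@dataclass
class Asset:
    name: str
    acquisition_value: float  # step 1: replacement cost if destroyed (EUR)
    revenue_per_hour: float   # step 1: revenue forgone per hour offline (EUR)


@dataclass
class Threat:
    name: str
    asset: Asset
    annual_frequency: float   # steps 4-5: expected occurrences per year
    outage_hours: float       # steps 2-3: downtime the vulnerability exposes
    destroys_asset: bool = False


@dataclass
class Control:
    """A risk-reduction measure; factors are residual fractions in 0..1."""
    name: str
    annual_cost: float
    frequency_factor: float
    outage_factor: float


def single_loss(t: Threat) -> float:
    """Step 4: tangible value lost in one occurrence of the threat."""
    loss = t.outage_hours * t.asset.revenue_per_hour
    if t.destroys_asset:
        loss += t.asset.acquisition_value
    return loss


def annual_loss(t: Threat) -> float:
    """Step 5: likelihood multiplied by the value at stake."""
    return t.annual_frequency * single_loss(t)


# Constructed band thresholds, descending: value >= threshold -> label.
LIKELIHOOD_BANDS = [(1.0, "high"), (0.1, "medium"), (0.0, "low")]
IMPACT_BANDS = [(100_000.0, "high"), (10_000.0, "medium"), (0.0, "low")]
PRIORITY = {"high": 3, "medium": 2, "low": 1}


def band(value: float, bands) -> str:
    for threshold, label in bands:
        if value >= threshold:
            return label
    return bands[-1][1]


def matrix_cell(t: Threat) -> tuple:
    """Position of the threat in the likelihood x impact risk matrix."""
    return band(t.annual_frequency, LIKELIHOOD_BANDS), band(single_loss(t), IMPACT_BANDS)


def rank(threats) -> list:
    """Order threats by matrix priority, then annual loss, highest first."""
    def key(t):
        likelihood, impact = matrix_cell(t)
        return PRIORITY[likelihood] * PRIORITY[impact], annual_loss(t)
    return sorted(threats, key=key, reverse=True)


def with_control(t: Threat, c: Control) -> Threat:
    """Residual threat once a control has cut frequency and/or outage."""
    return Threat(t.name, t.asset, t.annual_frequency * c.frequency_factor,
                  t.outage_hours * c.outage_factor, t.destroys_asset)


def treatment(t: Threat, control: Optional[Control] = None,
              insurance_premium: Optional[float] = None) -> tuple:
    """Step 6, assumed rule: accept costs the annual loss, reduce costs the
    control plus residual loss, transfer costs the premium; cheapest wins.
    'avoid' is returned when even the cheapest option exceeds the asset's
    annual revenue (8760 hours), i.e. the activity is not worth running."""
    options = {"accept": annual_loss(t)}
    if control is not None:
        options["reduce"] = control.annual_cost + annual_loss(with_control(t, control))
    if insurance_premium is not None:
        options["transfer"] = insurance_premium
    best = min(options, key=options.get)
    if options[best] > t.asset.revenue_per_hour * 8760:
        return "avoid", options[best]
    return best, options[best]


# Constructed sample data (not from the essay).
SHOP = Asset("online shop", acquisition_value=50_000.0, revenue_per_hour=2_000.0)
DDOS = Threat("DDoS against shop", SHOP, annual_frequency=2.0, outage_hours=6.0)
FIRE = Threat("datacentre fire", SHOP, annual_frequency=0.02, outage_hours=72.0,
              destroys_asset=True)
SCRUBBING = Control("DDoS scrubbing service", 8_000.0, frequency_factor=1.0, outage_factor=0.1)
SPRINKLERS = Control("fire suppression", 5_000.0, frequency_factor=1.0, outage_factor=0.5)

if __name__ == "__main__":
    for t in rank([DDOS, FIRE]):
        print(f"{t.name}: single loss {single_loss(t):,.0f} EUR, annual loss "
              f"{annual_loss(t):,.0f} EUR, matrix cell {matrix_cell(t)}")
    print("DDoS:", treatment(DDOS, control=SCRUBBING))
    print("Fire:", treatment(FIRE, control=SPRINKLERS, insurance_premium=2_500.0))
```

Run as a script it ranks the two constructed threats (the frequent but moderate DDoS outranks the rare but destructive fire in the matrix) and shows that reduction pays for the DDoS while transfer through insurance is cheaper for the fire. The band thresholds are the part an organisation must set for itself; the point of the matrix is that the same arithmetic gives a defensible ordering once those thresholds are agreed.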
The infrastructure that will detect the first sign of an emergency is the incident management system. This will activate the crisis management team through an escalation procedure trigger.

c. Problem Management

Problem management is another module of ITIL that deals with resolving persistent incident reports, or a problem traced through the automatic report generator of a mission-critical system. The basic function of problem management is its ability to investigate the root cause of problems, leading to the determination of a solution that prevents the problems from persisting and stops the reported incidents.

III. Four Pillars of Risk Management Assessment (Moody's Investor Services: Global Credit Search, 2006)

In 1909, Moody's analysis of railroad investments described for readers the analytic principles that Moody used to assess a railroad's operations, management, and finance (Moody's Investor Services, 2011). John Moody was able to accurately predict the viability of companies to withstand the risks and crises that threatened them through a sound risk management assessment framework for companies. The accuracy was further highlighted when the companies Moody predicted could withstand the 1920 financial meltdown in the US actually survived the crash.

a. Risk Governance

A company that has a strong risk governance system in place is a company that has the following in place, among others. The organization should have an incident management function in position that would accept and record an incident, open an incident ticket, and close it only when the issue has been resolved or mitigated. The recording is an essential tool to ensure that the organization has a continuing improvement system readily accessible in times of crisis. Together with the incident management system, an escalation procedure should also be formulated and implemented.
An escalation procedure would prompt an employee at the incident management center to escalate issues that are beyond his purview to resolve. The escalation procedure should reflect the triggers and the contact information of the people in the escalation matrix. The organization should also have a security policy in place that will homogenize the efforts of the organization to mitigate risks. The security policy will set the tone on how important security is and the seriousness of management in addressing this issue. The security policy should also define means and ways of testing the crisis management capability of the organization. Not only are tests going to be conducted; metrics should also be gathered to determine the response time, efficiency and efficacy of the crisis management infrastructure. The testing should happen regularly and its outcome should be presented to the leadership of the organization. The security policy should also define the parameters of change management, which should include involvement of the crisis and risk management infrastructure.

b. Risk Management

Another Moody's criterion is the presence of a risk management system in the organization. Risk avoidance is when the company does not expose itself to high-risk projects that would entail risking its financial health, operation and management. Risk acceptance is normally done by an organization when the level of risk far outweighs the benefits that can be derived from a project or a business strategy. Risk reduction is the existence of business continuity plans and a crisis management process, and a working infrastructure that supports the operation of both, in an emergency or outside of an emergency. Transferring the risk includes the hiring of several outsourcing companies to provision the back-office operation. Often, risk transfer is when a company insures the project or its outcome with underwriters.

c. Risk Measurement

Risk measurement or assessment has been discussed in detail in Section II, sub-category “a”. Organizations that are aware of the risk involved in the operation of their business are organizations that can mitigate and respond well to any kind of crisis. Moody's has put a premium on organizations that took the pains of documenting their risk metrics for the purpose of prioritizing them. Risk measurement, however, does not stop and end with the risk assessment process. It should continue with the regular testing of the risk management infrastructure, change management, and upgrades of the risk assessment matrix when incidents or events are reported.

d. Risk Infrastructure

Risk infrastructure includes but is not limited to the following: generator set, uninterruptible power supply, secondary and back-up site, and the presence of contingency or alternate procedures that would be activated in cases where events threaten the operation of the company. Business continuity plan infrastructure generally contains the contingency plan and disaster recovery plan infrastructures. Business continuity plans consist of the contingency plans and the disaster recovery plans. Contingency plan infrastructure incorporates the procedures on the deployment of alternative tools and the activation of remote sites in order for the organisation to operate either partially or fully separate from the production environment. Disaster recovery plan infrastructure includes the back-up and restoration system that is used to back up data on a regular basis. It also includes the generator set that would restore power after a power outage. The emergency response plan infrastructure includes the uninterruptible power supply that will be the temporary solution after a power outage. Other emergency response plan infrastructure is the first aid kits and the fire-fighting equipment.

IV. Crisis Management

The term ‘crisis’ is often used to describe events and situations that are difficult to deal with, but not necessarily potentially damaging or destructive. There is also considerable overlap, at least in common usage, between the related terms of ‘disaster’, ‘business continuity’ and, to an extent, ‘risk’ (Smith & Elliott, 2006). The importance of crisis management is to accomplish the necessary goals before a crisis grows and relationships are damaged in the long term, short term or both (Gottschalk, 2002). Crisis management is not limited to the resolution of the source of the crisis itself. It also includes the management of the public's response to the emergency and the management of the exposure of the company resulting from the crisis.

a. Crisis Management Organization

Organizations react differently to crises; like people, some organizations panic and are gripped with paralyzing fear preventing them from effectively responding to a crisis. Crisis management centers in large organizations are normally an ad hoc committee organized during an emergency. It is a cross-functional and cross-department collage of people organized solely to respond to and manage a crisis. Normally activated by the organization in charge of incident management, the crisis management team shall be the one to coordinate emergency response plans, contingency plans and disaster recovery plans in support of the business continuity plans of the company. The crisis management center is also in charge, as the lead group, of informing stakeholders and government agencies of the efforts. It will also direct the way the organization shall cooperate with other entities until the emergency has been resolved. All information and updates should be given to the crisis management center to ensure that there is only one information hub. This will ensure immediate authentication of any information coming from the field or emanating from the crisis management center itself.
Orders and the deployment of resources should also originate from the crisis management center to ensure that a triage of all the requests for assistance is conducted. The crisis management center shall also be the repository of the escalation call tree. The escalation call tree enables the crisis management center to call the right party to resolve the crisis in its midst.

b. Emergency Response Planning

Emergency response plans are the set of plans or procedures designed to mitigate the effect of a disaster. They are the first response of the crisis management team in managing a crisis. An emergency response plan is intended to prevent and reduce harm to society from hazards produced by both man and the environment (Dillon, 2009). To illustrate: emergency response plans are the set of processes or procedures designed to put out a fire, lead people to safety and respond to injuries.

c. Business Continuity Planning

In order to evaluate the effectiveness and viability of an organization's business continuity plan structure, an understanding has to be put in place to mitigate risks (Barnes, 2001). A business continuity plan is a set of procedures that are in place to enable an organization to continue operating or conducting its business despite an ensuing disaster or crisis. It involves procedures and processes that are designed to respond to the business needs of the organization with the primary tools used in normal operation.

d. Contingency Planning

Contingency planning is just part and parcel of a business continuity plan; it is a set of plans that is resorted to when normal operation has stopped but the business has to continue in order for it to survive the emergency. It is the set of plans that will enable the company to restore a portion, if not all, of its operation. It is an exercise in long-range strategic planning and, as such, should be conducted by a “neutral” facilitator, and not someone in a line organization or information systems staff (Myers, 1999).
Contingency planning should be a set of plans that

e. Disaster Recovery Planning

A disaster recovery plan, on the other hand, is a set of plans that will restore what has been damaged by a disaster. While the contingency plan allows partial or full business operation during an emergency, disaster recovery restores what has been damaged to ensure full operation of the business when the disaster has passed. Disaster recovery planning is another part of a business continuity plan. Disaster recovery involves stopping the effects of the disaster as quickly as possible and addressing the immediate aftermath (Snedaker, 2007).

V. Conclusion

As articulated, no organization can predict everything. In the same breath, no organization has the resources to prepare itself for any and all risks. This paper, through the risk assessment process, has indicated how an organization can decide its investment priorities. By determining the possibility and the frequency of the threat multiplied by the revenue value plus the acquisition cost, the organization can now safely balance the impact of a threat against the investment required to mitigate the threat. This paper has also shown how financial institutions and government assess the capability of an organization to reduce, mitigate and manage crises that result from the realization of a threat. Moody's four pillars of risk management assessment are evaluated by Moody's to determine an organization's survivability when confronted with a crisis. The theory is that no organization is immune from threats, and no organization is likewise indestructible or impervious; in simple terms, all organizations have vulnerabilities. The key to an organization's survival from any crisis is its Risk Governance, Risk Management, Risk Measurement and Risk Infrastructure.
In a nutshell, this paper has also made it plain that organizations not only face their own demise in case of indifference to risk but, more importantly, organizations also have legal obligations to their stakeholders to ensure that the interests of the shareholders are protected by the organization's leadership through proper implementation of good corporate governance practices. It is not enough that business continuity plans are operational; the organization also has the responsibility to make sure that the business continuity infrastructure is tested and working. The organization is also mandated to have an ad hoc crisis management system in place. An organization, in order to survive any risk or crisis, should put in place policies that will mandate each member of the organization to be conscious about security and risk. The policy should include a reporting mechanism for security incidents that can be reviewed on a regular basis to either reduce the incidents or resolve the root cause of the problem. The policy should also call for a procedure that will test the risk management infrastructure to determine its efficacy, relevance and efficiency in responding to a crisis. The policy should also mandate that any change in the organization shall take into consideration corresponding changes in the risk management system.

VI. Practical Policy that will Reduce or Eliminate Risk

The policy objective should include the recognition of the risk assessment process as a means to identify, classify and assess assets, their vulnerabilities, threats and risks. The objective shall likewise indicate the means by which security incidents are identified, classified, escalated and resolved. The policy should identify a group that will oversee the maintenance, operation and implementation of security policies and procedures.
The same group shall likewise ensure that the business continuity plans, including their component contingency plans and disaster recovery plans, are tested regularly and updated whenever there is a change that will impact their operation. The policy should also identify the composition of the crisis management center, and when and under what circumstances it shall be activated or called. This will include its powers, its operating parameters and its mandate. The crisis management center shall likewise be empowered to speak for and on behalf of the company. The policy should also define the sanctions that will be meted out to employees who violate the essence of the policy. Proper compliance monitoring, both automated and manual in nature, shall be the basis of the sanctions that will be imposed after due process has been satisfied. The sanctions should be in accordance with the tenets of the law under which the organization is administered by the government. The policy shall also define the duties and responsibilities of each of the members of the organization with respect to security management. The commitment of the organization shall also be declared within the security policy. The operation of the policy shall include the parameters and conditions that should be met before any amendment to it shall be effected.

References

Barnes, J. (2001). A Guide to Business Continuity Planning. West Sussex: John Wiley & Sons Ltd.
Biringer, B. E., Matalucci, R. V., & O'Connor, S. L. (2007). Security Risk Assessment and Management: A Professional Practice Guide for Protecting Buildings and Infrastructures. Hoboken, New Jersey: John Wiley and Sons.
Blyth, M. (2008). Risk and Security Management: Protecting People and Sites Worldwide. Hoboken, New Jersey: John Wiley and Sons, Inc.
Borodzicz, E. (2005). Risk, Crisis and Security Management. West Sussex: Wiley and Sons Inc.
Dillon, B. (2009). Emergency Planning: Officers Handbook. New York: Oxford University Press.
Gottschalk, J. (2002). Crisis Management. Oxford: Capstone Publishing.
IT Service Management Forum. (2007). IT Service Management Based on Version III: A Pocket Guide. Van Haren Publishing.
Moody's Investor Services. (2011). Moody's History: A Century of Market Leadership. Retrieved January 28, 2011, from Moody's Corporation: http://www.moodys.com/Pages/atc001.aspx
Moody's Investor Services: Global Credit Search. (2006). Bank Financial Strength Ratings: Update to Revised Global Methodology. New York: Moody's Investor Services.
Myers, K. (1999). Manager's Guide to Contingency Planning for Disasters: Protecting Vital Facilities and Critical Operations. New York: John Wiley and Sons.
Smith, D., & Elliott, D. (2006). Key Readings in Crisis Management: Systems and Structures for Prevention and Recovery. Abingdon, Oxon: Routledge.
Snedaker, S. (2007). Business Continuity Planning and Disaster Recovery Planning. Burlington: Elsevier Inc.
Solomon, J. (2007). Corporate Governance and Accountability. West Sussex: Wiley and Sons Ltd.
United Kingdom Parliament. (2006). Companies Act 2006. London: United Kingdom Parliament.
(“Topic:: Security Risk Management Essay Example | Topics and Well Written Essays - 3500 words”, n.d.)
Retrieved from https://studentshare.org/environmental-studies/1405996-topic-security-risk-management