Michael D. Moberly and Dr. Jongpil Cheon December 17, 2010
Since security, risk management, and corporate defense (types of) programs began to achieve a semblance of professional standing beginning in the mid-to-late 1950s, they have been variously characterized as being isolated, siloed, stand-alone, and/or mere support functions operating at the fringes of a company. Collectively, their responsibilities were overwhelmingly directed toward protecting tangible (physical) assets, with little or no attention being directed to intangible (non-physical) assets. And, while there have been consistent initiatives to connect (create relationships between) the role and function of security and risk management and a company’s revenue, profitability, and/or sustainability, they have largely been anecdotal and company-specific.
Today however, as most security-risk management practitioners know, but specifically addressed here by Sean Lyon and Robert Liscouski, members of the Intangible Asset Finance Society, the role, function, and responsibilities of security, risk management, and overall corporate defense have changed and continue to change, for the better, at a fairly rapid pace.
For the most part, those changes are a reflection of the global economic reality that 65+% of most companies’ value, sources of revenue, sustainability, and foundations (building blocks) for future growth and wealth creation now lie in, and are directly related to, intangible assets rather than tangible (physical) assets. This economic fact contributes to pushing security, risk management, and overall corporate defense from operating primarily at the aforementioned fringes of a company directly into board rooms, where both Liscouski and Lyon strongly agree it should be!
The following represents an account of the Intangible Asset Finance Society’s monthly meeting (September, 2010) titled ‘Enterprise Security’, in which the very experienced thought leaders Sean Lyon of R.I.S.C. International and Robert Liscouski of Implant Sciences served as speakers to discuss a variety of issues related to intangible assets in the context of enterprise security.
There’s little doubt that management teams and boards that make the prudent decision to act, and act now, on the sage counsel, herein offered by Lyon and Liscouski, will increase their company’s chances of achieving the desired level of success, profitability, and sustainability which shareholders and stakeholders, up and down their respective value and supply chain, are both expecting, and demanding.
On the other hand, management teams and boards that remain dismissive about or elect to ignore the very real and asymmetric risks and threats that exist, or, worse, wait until a risk materializes, are all the more likely to succumb to failure in one form or another. Many of those risks are more challenging to contain once they materialize, yet carry the potential for immediate impact to a company’s most valuable (intangible) assets and the economic and competitive advantages those assets produce.
Certain government sectors and agencies clearly play a role with respect to providing guidance and opportunities to directly aid the private sector in identifying, assessing, and managing certain business risks, and executing ‘corporate defense management’ types of programs. It’s certainly advisable for companies to examine and leverage all of the ‘guidance’ that’s freely evolving from an ever growing number of government agencies about security and risk management.
Thus, there is literally no need today for companies (CSO’s, CIO’s, risk managers, etc.) to wholly reinvent the security and risk management wheel because there’s an abundance of guidance that’s readily available. It is important to be able to know where and how to tweak such guidance however, to accommodate and reflect each company’s operational nuances and sometimes, industry sector.
While it’s highly unlikely that a government agency will ever (literally) show up at your company’s doorstep for the sole purpose of extending an offer of direct assistance, the private sector should not wait. Rather, there is an implicit responsibility for companies to (a.) take affirmative steps and actions now to identify, manage, and mitigate their risks to keep their company reasonably secure, and (b.) deploy some manner of corporate defense management (umbrella) program.
A Corporate Defense Management Approach Is…
Corporate defense management, according to its chief architect, Sean Lyon, of R.I.S.C. International, represents a company’s collective program (efforts) for ‘self defending’ against different hazards and risks, for the primary purpose of accommodating its business objectives. Examples of hazards-risks, Lyon suggests, include fraud, litigation, natural disasters, unacceptable risk taking, and reputation risks, among others.
He says this because he (Lyon) believes that today, (1.) boards are under steadily rising pressure to ensure their company can adequately defend itself against a growing array of increasingly sophisticated and asymmetric risks and threats, and (2.) companies must take all reasonable steps, from a fiduciary responsibility perspective, to put appropriate security, risk management and ‘corporate defense management’ programs in place.
But, quite unfortunately, Lyon points out, in many companies, the corporate defense programs are ‘siloed’, that is, they are not aligned with one another, and often function independently and in isolation. In other words, there is little or no interaction, collaboration, or sharing of information (intelligence) amongst the business units variously charged with a particular aspect of corporate defense, i.e., security, risk
The ‘corporate defense management’ model factors in different components, with the objective being to meld those components together so they work/function in a coordinated fashion, each component interacting with the others so as to (1.) reduce duplications, (2.) create efficiencies, (3.) identify (security, risk, defense) gaps within a company, and (4.) identify actual responsibilities. Absent this (corporate defense) management model, each component would likely continue to function independently with little or no sense of inter-connectedness between the components.
Mr. Lyon characterizes the establishment of a ‘corporate defense program’ in an umbrella fashion that encompasses the following multi-dimensional components, (1.) corporate governance, (2.) risk management, (3.) compliance management, (4.) security management, (5.) resilience management, (6.) controls management, (7.) assurance management, and (8.) intelligence management. The key, Mr. Lyon says, is that each of these components becomes strategically aligned and tactically integrated.
So, by developing a corporate defense management model, as described by Lyon, companies can more readily minimize and mitigate risks without the almost assured inevitability today of experiencing a cascade of consequences, should certain risks-threats materialize.
The desired outcome of a ‘corporate defense program’ (approach) is that it collectively and adequately defends a company while uniting and aligning the heretofore siloed components, thus rendering a company more resilient while minimizing the potential for any security – risk management redundancies. This is achieved, Lyon points out, by integrating performance management techniques designed to converge what previously appeared to be cross-functional components into becoming more interdependent, inter-linked, and inter-connected.
Adopting A Stakeholder’s View Is Necessary
Lyon also asserts that a successful and effective ‘corporate defense’ program, requires not solely coordination and integration, but perhaps, most importantly, a clear understanding of what’s necessary to safeguard the interests of (a company’s) stakeholders.
In today’s increasingly competitive, predatorial, and often times winner-take-all global business (transaction) environment, this point cannot be emphasized enough, i.e., that management teams and boards literally adopt a stakeholder view with respect to their security – risk management (corporate defense) programs and strategies. In other words, they absolutely must take into account all parties who carry a vested interest in their company, i.e., clients, shareholders, stakeholders, regulators, employees, etc.
The Corporate Defense Model and Conventional Risk Management: Is There Really A Difference?
Mary Adams, of I-Capital Advisors, posed a worthy question for Lyon and Liscouski: are the corporate defense management model and conventional risk management interchangeable; in other words, is there a substantial difference between the two? In response, Lyon suggests that, conceptually, the corporate defense management approach takes a more strategic view in which security and risk management activities are (ideally) coordinated under a single (enterprise wide) umbrella.
A fairly consistent challenge to incorporating this approach though, is that ‘risk management’ remains largely ill-defined as pointed out by Robert Liscouski of Implant Sciences. In other words, how risk management and its associated responsibilities are operationalized are often company and/or circumstance specific. This makes it somewhat difficult, Liscouski suggests, to talk about or address risk management with consistency and specificity.
Of course, a significant downside to this absence of across-the-board definitional and operational clarity (about risk management), Liscouski goes on to say, is that it often affects how a company not only approaches risk, but assesses its risks, and ultimately tries to manage its risks.
Knowing Your Company Is A Simple, But Very Essential Underlier To Success
Robert Liscouski, an experienced and well-grounded expert in the risk management arena, states, quite correctly, that when it comes to a company assessing its risks, the initial responsibility of management teams and boards is to clearly understand what type of business their company is actually in.
While Liscouski’s view may sound simplistic and even somewhat irreverent toward management teams, boards, and others charged with a company’s overall security and risk management, there’s a great deal of truth underlying his premise, inasmuch as it represents a far too often overlooked element of the larger picture. That is, it’s quite routine to see companies endeavoring to apply a generalist, one-size-fits-all risk management approach (template) to their company without fully taking into account or understanding their company’s special circumstances, the nuanced ways in which their company functions, the types of transactions it routinely engages in, the company’s stakeholders and shareholders, and, equally important, the company’s intangible assets.
Ultimately, Liscouski points out, it’s absolutely essential for all parties – business units that are part of a company’s security, risk management, and defense ‘umbrella’ – to really understand three key things: (1.) what contributes to the execution of the business, (2.) what the company’s responsibilities to its shareholders are, and (3.) how the company, as a whole, is executing on that responsibility.
And here, Liscouski suggests, lie many opportunities to engage in education and awareness directed to company management teams and boards. That is, time and effort should be devoted to elevating their understanding and appreciation for (a.) what their fiduciary responsibilities are relative to risk management, security, and overall corporate defense management, and (b.) how companies can effectively use those (corporate defense management) components to make consistent and substantive contributions to shareholder value.
Interestingly, Liscouski offers the view that he finds management teams and boards often hold discussions about shareholder value and security’s contribution, but, frequently, it’s just that, a discussion, with little substance, and seldom do such discussions include the necessary context for linking or aligning security, risk management, and corporate defense to ensure their respective contributions actually occur.
Ultimately, Liscouski suggests, when companies look internally at the various business processes that actually contribute to their market value, shareholder value, and market cap, management teams and boards also need to take a very hard look at those business processes, as a starting point of sorts, to really understand what (assets) warrant protection as requisites to business continuation and resiliency.
Differences In How Companies Look At – Assess Their Risks
Both Liscouski and Lyon agree that the proverbial paradigm has definitely shifted in terms of how companies look at and assess their risks, which, by the way, both agree has been for the better. That’s because many companies now consider (identify, assess) risk through a shareholder’s lens. By considering risk through the eyes of shareholders and stakeholders, different perspectives and probably more appreciation (for risk) will be the outcome, compared to the way most risk assessments have been conducted in the past. Previously, risk assessments were largely conducted absent any consideration of their impact, one way or another, on shareholder value. In other words, security, risk management, and corporate defense practitioners in the past have taken a fairly siloed – isolated approach themselves.
But, as more companies adopt a holistic (shareholder-based) view of security, corporate defense, and risk management, the benefits of doing so become obvious, such as being better positioned to foresee (anticipate, recognize) the potential ‘cascade of consequences’ that will occur, with increasing frequency, when certain risks remain unchecked and/or un-managed. Such revelations, of course, prompt an elevated interest in the potential cascading effects of consequences, particularly those that can readily ripple through a company’s assets. Of course today, the speed with which, in a growing number of circumstances, a single consequence can, quite literally, cascade (ripple) throughout an enterprise, producing along its path both secondary and indirect (adverse) consequences and impacts, is truly amazing.
Adverse cascading consequences, of course, can manifest themselves in various ways within a company, Lyon and Liscouski point out, among them loss of competitive advantage, erosion/undermining of asset value, compliance breaches, reduced company capabilities through downtime, customer/client dissatisfaction, reduced sales and market share, and ultimately a reduction in a company’s overall market value.
Let it suffice to say that in many instances, today’s asymmetric risks, left unrecognized or unchecked, can literally ‘creep’ into a company and embed themselves within a company’s culture, not unlike a computer virus or worm, to create, in many instances, a much higher level issue, which in turn will likely carry more adverse and strategic impacts.
It’s About Processes: Re-Framing How Companies Think About Security and Risk
To help mitigate what many of us would refer to as risk inevitabilities, there is a need to re-frame how we think about security and risks, particularly in the context of the potential for cascading (rippling) effects and consequences. Again, Mary Adams points out that risk management and corporate defense management need to have a strong focus on business processes. That’s because ‘business processes’ are ultimately what twenty-first century knowledge-based, intangible asset intensive companies do; that is, they create and optimize their business processes.
Today, there must be, literally speaking, well coordinated processes that companies put in place, not merely to engage (risk, security, corporate defense) but also to ensure they are identifying and managing the right risks, Liscouski says. The right risks are, of course, those risks which, if they materialize, would (likely) produce the most adverse-negative effects along with bringing about a cascade of consequences that would ripple throughout an enterprise internally as well as externally.
So, a critical question Liscouski rhetorically asks is, what kind of business processes do companies need to protect? The answer, he says, lies in identifying (distinguishing) those business processes that (1.) may literally be missing, or (2.) could/should be enhanced. But first, he says, it’s important to understand the linkages – relationships between particular business processes and a company’s intangible assets.
To achieve this, a company needs well defined (business) processes whereby intangibles can be readily identified and distinguished and their performance (value, materiality, etc.) monitored, not solely for improvement, but to provide a better risk management environment overall.
Human And Relationship Capital, They’re Part Of The Security-Risk Management Focus
Is human and relationship capital part of the security-risk management focus, asks Adams? To be sure, the knowledge emanating from human and relationship capital represents increasingly important and valuable intangibles, to which (security, risk management, and corporate defense) attention must not only be directed, but literally factored into the security – risk management equation, Liscouski and Lyon say.
So, as companies engage in more of a shareholder-stakeholder view of their security, risk management, and corporate defense responsibilities and needs, especially in the context of (avoiding, mitigating) the potential for cascading consequences, it’s likely their attention will also be drawn to the reality that when human-relationship capital is overlooked or dismissed, the adverse impacts that will surely result can take the form of reductions in morale and productivity, which manifest themselves broadly throughout a company as reduced customer loyalty and sales, for example.
Security, risk management, and corporate defense programs really do then, in the twenty-first century, have to be holistically driven, which, for the most part, is a significant departure from the past, but nevertheless is a very significant key to making them work (more) effectively now. Back to the initial point however: companies that elect to ignore or be dismissive about (their) human, intellectual, and relationship capital insofar as security and risk management are concerned should not expect those programs to either function or produce the desired-intended results, that is, outcomes that have a bearing on shareholder value.
The Role Of A Strong And Focused Company Culture
A positively embedded (company) culture can set the overall tone, Liscouski suggests, with respect to (1.) how a company will actually manage its risks, and (2.) whether it will succeed by consistently avoiding and/or mitigating certain risks altogether.
So, the necessity (fiduciary responsibility) for management teams and boards to be fully engaged in not just knowing the risks their company faces, but also the strength of those risks, i.e., the vulnerability, probability, and criticality, while simultaneously being alert to and knowing how best to mitigate certain risks, lies, in a growing number of instances, in developing a strong company culture.
If a company is slow to respond to an impending risk, or its eventual response appears weak in the eyes of its constituencies, i.e., stakeholders, shareholders, etc., that will often become a determining factor in – have a bearing on – how those constituencies ultimately interpret and respond to the company, internally, externally, publicly, or from within its supply chain, including market impacts.
Reasonable Expectations For Risk Management and Mitigation
An important and certainly timely, and again, mostly rhetorical question posed by Liscouski was, how do companies assess-calculate reasonable expectations about risk mitigation and management and also measure the value of the assets they’re protecting?
Measuring what’s being protected can take the form of dollars, rankings, ratings, quality, or ranges, etc. Lyon adds though, it’s up to each company to identify their (a.) key performance indicators (KPIs), and (b.) key risk indicators (KRIs). Based on a company’s KPIs and KRIs, both speakers agree it’s advisable to devise a course of action that both ‘fits best’ and complements what a company may already have in place, i.e., dashboards, balanced scorecards, etc.
Liscouski noted though, there is no single means of measurement (metric) because measurement can be dependent on the nature of a company’s business, and he added, it’s not too difficult to identify, with some precision, the costs associated with an asset (value) loss or compromise, or the investment and/or resources required to protect a company from loss or risk. What’s difficult, he says, is putting an index around security and risk management programs in terms of what they actually contribute to sustaining control, use, ownership, and value of a company’s intangibles. At some point, Liscouski noted, it will be essential to describe a company’s investment profile, i.e., what’s required to actually achieve the desired, if not prescribed, level of security and risk management.
Liscouski advocated the use of financially oriented metrics to ‘measure’ the contributions of security and risk management. Again, he suggests, this would more likely complement any existing (business, performance) metrics a company may already have in use.
Further, financially oriented metrics are often designed to predict forward movement and/or progress; therefore, they would serve to provide greater validity for establishing a business case for security, risk management, and overall corporate defense program contributions. In other words, security, risk management, and corporate defense are not so much dependent on countering and/or mitigating a single (risk, threat) event as they are on producing a desired end result, because that’s what really counts to the profitability and sustainability of a company.
There’s considerable work currently being done in this arena, Liscouski says, on three fronts: (1.) the probability (certainty) that particular risks/threats will actually materialize, (2.) strategies to mitigate any consequences, and (3.) the type/amount of investment that is necessary to manage-mitigate those threats/risks.
Still, both Lyon and Liscouski point out that it all revolves around a company’s ability to objectively analyze and assess the risks that are relevant to their key business processes, with company reputation being what ultimately warrants the most protection. A good source to examine this perspective further is Steel City Re’s ‘reputation indexes’.
Again, Lyon and Liscouski agree, we’re really very early yet, globally speaking, in the maturity (level) of companies insofar as being able to recognize and execute on the necessity to adopt a holistic (umbrella) approach to risk management, security, and corporate defense. It is currently quite rare for companies to place (appoint) a single individual in a position to oversee this entire ‘umbrella’. Two key factors, Liscouski says, affect whether companies will begin moving toward more holistic (security, risk management, corporate defense) approaches: (1.) company size, and (2.) the reality that such positions are often (highly) ‘personality driven’.
Both Lyon and Liscouski also agree that today, it remains more art than science with respect to being able to effectively articulate (1.) what a company really needs to protect, and (2.) what level of protection is sufficient relative to managing-mitigating particular risks-threats. One of the challenges is that the investment profile necessary for a company to achieve a full complement of security, risk management, and corporate defenses would likely be so exorbitant that companies could not afford to execute it, let alone give it the serious, reasoned, and objective consideration it is due.
So, that leaves practitioners with essentially the same time-honored and increasingly risky conundrum: what constitutes enough security for a company? Suppose, for example, a company adopted a five point scale (i.e., 5 = high security, 1 = low security) for describing levels of security. Under what circumstances could we conceive of a company management team and/or board reaching consensus that a 3.5 security level is sufficient relative to a company’s vulnerability and the probability and criticality (consequence cascade) should a particular risk or threat materialize?
A Paradox? When Can Doing Nothing Become A Greater Risk Than Doing Something?
While Liscouski and Lyon are proponents, like many of us, of metrics, they recognize the paradox that ‘doing nothing is sometimes a greater risk than doing something’. They make special note of a position not infrequently conveyed by corporate general counsels, e.g., that the company should not do anything because there is too much risk and potential for liability.
For starters, both Liscouski and Lyon urge practitioners not to engage company legal counsel only when problems or challenges arise, but rather to remain engaged with counsel as consistently and robustly as possible, to the point that the relationship evolves as part of, and integral to, a company’s overall solution track, particularly when significant problems and/or challenges do arise. As many management teams, boards and security/risk management practitioners know however, on occasion legal counsel can become an impediment or obstacle to certain initiatives, which is often driven, in part, pure and simple, by a risk averse orientation (predisposition). When this occurs, Liscouski suggests a ‘cultural change’ may be in order, in which an effort is made for counsel to become not merely a legal advisor, but rather a genuine business partner (i.e., facilitator, enabler) to company initiatives.
Risk Management and Due Diligence In The Investment Community
Interestingly, both Lyon and Liscouski voiced very candid perspectives about the investment community with respect to security, risk management and corporate defense in due diligence contexts. One perspective offered was that, rarely, if ever does the investment community inquire about a company’s (business) processes either when conducting their due diligence or evaluating a company for possible lending structures.
It’s no particular secret that a significant percentage of prospective lenders and investors simply don’t know about, nor do they receive a sufficient – complete picture about, a prospective investment in terms of whether aspects – components of the investment under consideration are at risk, Liscouski points out. In other words, they have little or incomplete information about the (intangible) assets that will be in play, i.e., their status, stability, or sustainability. That’s largely because the investment community still tends to apply a classic P&E and/or very conventional due diligence approach to their invest – don’t invest decision making process, in which intangibles are generally overlooked altogether, seldom addressed separately, or, in some instances, the words ‘intangible assets’ appear nowhere on any lending form.
Today’s Business Transaction Environment Is Highly Competitive, Predatorial, And Winner-Take-All
In today’s extraordinarily competitive, predatorial, and often times winner-take-all global business (transaction) environment, the opportunity to raise and ability to clearly and succinctly articulate these important (asset security and risk management) issues to management teams and boards is an increasingly essential element to a company’s success, profitability, and sustainability.
Management teams and boards who possess the foresight and receptivity to fully assume the fiduciary responsibilities addressed here, e.g., the stewardship, oversight, and management of their company’s intangible assets, represent coveted starting points for executing and achieving effective enterprise-wide security, risk management, and corporate defense programs.
There remains, however, a propensity for many management teams and boards to frame the need for security or risk management only in the context of large, Fortune 500, multi-national types of corporations, thereby being dismissive about either the need or relevance of such services for small or mid-size companies. Of course, the reality is, Liscouski says, that the materialization of risks-threats to small and mid-size firms can certainly be more acute and carry far greater and more immediate consequences and criticality compared to their Fortune 500 brethren, who are presumably more able to absorb asset losses, erosion of sales, market share, brand, customer loyalty, etc.