Many companies spend millions of dollars implementing risk mitigation controls but are kept from getting their money’s worth by a disconnected, piecemeal approach. Successful risk mitigation requires that a central authority supervise controls following a coherent strategy.
Related on MHA Consulting: Global Turmoil Making You Ill? Try a Dose of Risk Management
As a business continuity professional, I tip my hat to any organization that makes a serious effort to reduce its risks.
This is so whether the company is applying some combination of the four main risk mitigation strategies (risk acceptance, risk avoidance, risk reduction, and risk transfer) or implementing such specific measures as installing a backup power generator or requiring the use of secure VPNs.
Unfortunately, many companies do not get their money’s worth when it comes to implementing risk mitigation controls. Their spending is out of proportion to the benefits obtained. They invest large sums but gain only small reductions in exposure.
The culprit in these cases is almost always the same: the lack of a central coordinating authority applying a coherent strategy. Simply put, successful risk management requires centralized risk mitigation leadership.
The typical result is that there are large holes in and between the measures they implement to reduce risk, and the organization’s security pours out through these holes like water through a sieve.
Let’s look at how this might work over the three key areas of facilities, technology, and people.
Most companies today are mindful of the need to reduce risk at their buildings and facilities. Among the measures they commonly implement are arranging for a backup power source, installing surveillance cameras, putting in physical access control systems such as key cards, and setting up safety programs.
These measures sound impressive. Surely, the company that has implemented all of them has reduced the risk at its facilities to the bare minimum. I wish it were true. Too often, even a surface investigation can uncover deep gaps.
Here are some examples of vulnerabilities that can exist at facilities even after risk mitigation controls have been implemented:
- The backup power source can provide only a fraction of the power needed to keep critical operations running in the event of an outage.
- Cameras are not pointed at all key areas and hence are unable to provide visual confirmation of the activities in the area.
- Cameras are not monitored real time and no regular reviews are done to ensure optimal viewing and recording..
- Key cards are not scanned at exit so you don’t know who is in and who is out or access control reporting is never run.
- The fire and life safety program is not integrated with other facility safety systems.
Technology is an area where companies have been putting in serious levels of security recently. These include such measures as requiring the use of a password manager, implementing two-factor authentication, and requiring that employees use secure VPNs when connecting over wifi.
This is all to the good. But just like with facilities, simply heaping up layers of protection can provide a false sense of security. A haphazard approach to bolstering tech security can leave a host of vulnerabilities. These include:
- People not having sufficient systems access to do their job or people gaining too much access.
- Employees being unable to log in to their systems due to complexity of the security environment.
- People writing down the password for their password manager (because it’s too long and complicated); this happens more than you think
- Staff not bothering to use logout of their system when they walk away.
- Security being so tight it prevents people from doing their jobs.
Last are the measures companies take to reduce the risks they incur from their employees. These typically include conducting background checks, checking references, and training employees on company safety procedures.
We see employees coming on-board before background checks being completed and then only to be let go when the background checks comes through exposing the organization needlessly.
One of the most common gaps we see in this area is when companies neglect to provide adequate training on company safety procedures other than the 5 minutes in the employee onboarding session. This omission can allow significant risk to remain even after the previously mentioned mitigation controls have been applied.
Handing the Job Over to Enterprise Risk
What the mitigation controls described above have in common is that they are all reasonable and well-meaning. What the vulnerabilities have in common is that they all result from the lack of a central coordinating authority.
If organizations want to truly reduce their risk, they need to establish an overall coordinating entity and strategy.
The proper group for doing this is the Enterprise Risk Management department. These folks should be given the responsibility and authority for making sure that the various risk controls are properly integrated and implemented so that they function properly and truly bring down risk in a manner and need that is aligned with organizational demands
The Enterprise Risk Management department can help the company’s approach to implementing risk mitigation tools go from haphazard to harmonious, from incoherent to integrated, from special project to everyday, ongoing effort.
They can help the company go from signaling how virtuous it is about risk mitigation to truly bringing down its level of risk.
Successfully Mitigating Risk
While many companies invest significant resources in risk mitigation controls, they often fail to achieve their desired results due to a disconnected and piecemeal approach. This is typically caused by the lack of a centralized authority to supervise and coordinate these controls according to a coherent strategy.
The key to successfully mitigating risk—whether in facilities, technology, or people—is to establish an Enterprise Risk department that can take responsibility for integrating and implementing risk controls and ensuring they function effectively to reduce risk on an ongoing basis.
For more information on risk mitigation leadership and other hot topics in BCM and IT/disaster recovery, check out these recent posts from MHA Consulting:
- How to Offload Your Risk to a Third Party
- Don’t Just Hope: Choosing Strategies to Mitigate Risk
- Everything You Always Wanted to Know About Managing Risk but Were Afraid to Ask
- Risk Mitigation: The Four Types
- The Risk Management Process: Manage Uncertainty, Then Repeat
- Global Turmoil Making You Ill? Try a Dose of Risk Management