It is the responsibility of business leadership to protect their organizations and critical assets by identifying threats, understanding the impact of these threats, and taking appropriate action to protect their business interests against these threats.
Therefore the leadership at the top greatly shapes the direction in which the security risk management (SRM) program forms and develops. Simply put, they can make the SRM program efficient or inefficient.
The role and responsibility of business leadership towards effective implementation of security risk management (SRM) should encompass the following:
1. Integrating security risk management into decision making
Effective security risk management cannot be practiced in isolation, but needs to be built into existing decision-making structures and processes. As risk management is an essential component of good management, integrating the security risk management function into existing strategic management and operational processes will ensure that risk management is an integral part of day-to-day activities. While each organization will find its own way to integrate security risk management into existing decision-making structures, the following are factors that should be considered:
- Aligning security risk management with objectives at all levels of the organization.
- Introducing security risk management components into existing strategic planning and operational processes.
- Communicating corporate direction on the acceptable level of security risk.
- Improving control and accountability systems and processes to take into account security risk management and results.
2. Building Organizational Capacity
Business organization leadership needs to allocate appropriate resources and develop its own capacity strategies based on its specific situation and security risk exposure.
To build capacity for security risk management, there needs to be a focus on three key areas: human resources, tools and processes, and budgetary resources, at both the corporate and local levels, as follows:
- Through building awareness of security risk management initiatives and culture.
- By broadening skills base through formal training including appropriate applications and tools.
- By increasing knowledge base through shared best practices and experiences.
- By building capacity, capabilities and skills to work in teams.
- By developing and adopting innovative security risk management tools, techniques, practices and processes.
- Through provision of guidance on the application of tools and techniques.
- By allowing for development and/or the use of alternative tools and techniques that may be better suited to managing security risk in specialized applications.
- By adopting processes to ensure integration of security risk management across the organization.
- By providing financial support through sufficient allocation of security risk management budgetary resources.
- By ensuring that appropriate financial support is provided for outsourcing credible expertise.
- By constantly reviewing budget allocation to match the organization’s level of risk exposure, aligned to its target threat spectrum.
- By adopting techniques that monitor the financial ROI of security risk management mitigation strategies.
3. Fulfilling duty of care
While some business organizations’ leadership recognizes that they have a responsibility to protect their staff, many still fail to appreciate the full extent of their duty of care obligations and the implications these have for security risk management. Although duty of care is a legal term for the responsibilities organizations have towards their staff, there is also a moral obligation of duty of care that organizations should consider. To meet the basic duty of care, business leadership must:
- Know the risks – They must be able to demonstrate that they have identified and considered all foreseeable security risks related to a particular location or activity. Risk assessments must be regularly updated and documented.
- Establish mitigation measures – They must take all reasonable measures to manage security risks. Comprehensive, up-to-date plans, procedures and mechanisms must be in place and adhered to in order to address the risks that exist in a particular location or associated with a specific activity.
- Develop emergency plans – They should ensure that detailed plans, measures and assistance are in place to respond to emergency situations involving staff, regardless of the location.
- Ensure informed consent – They should ensure that staff understand and accept the security risks they face and the measures in place to manage them. There must be a process in place to document their understanding of the risks and their role in managing them.
- Raise awareness – They should ensure that staff receive detailed, up-to-date information and guidance, and in many cases training, related to the security risks that they are exposed to.
- Provide appropriate support – They must have appropriate support and recovery contingencies in place to assist staff affected by an incident.
4. Leadership engagement and communication
Business organization leadership engagement and buy-in towards the SRM program is critical for its support. Non-acceptance of methodologies and a lack of commitment negatively impact efforts towards security risk awareness, presentations and related training.
All staff within the organization need to understand and demonstrate the organization’s values in how they go about their activities on a day-to-day basis. For this to be achieved effectively, business leadership should:
- Develop a framework – Outlining the organization’s approach to security, including the policies, procedures and mechanisms which have been put in place to ensure effective security risk management.
- Draft a policy – Outlining the organization’s risk attitude and key security principles, and define roles and responsibilities. Include security responsibilities and obligations in the job descriptions of all staff members and senior managers.
- Raise awareness – Engage all staff to ensure everyone is aware of and in agreement with the priorities for improving security risk management from the board down. Ensure senior management issue clear statements on the importance of staff security. Measures should be owned by staff and not perceived as having been imposed from the top of the organization without staff consultation or agreement.
- Lead from the front through practical role modelling – Ensure that any security practices, such as personal security training or trip planning forms, are mandatory for all from the senior executive down.
- Look for quick wins – Identify measures or requirements which can be established quickly, with limited time and resources, but which can have a positive effect on staff security.
- Enhance effective reporting mechanisms – Stress to staff the importance of reporting incidents and near misses, and of sharing their security concerns. Ensure that there are easy and effective mechanisms in place to report and capture incidents.
- Establish security forums – Ensure that various meetings or mechanisms exist within the organization where security issues and challenges can be raised and discussed. Ensure security is a standing agenda item at key meetings.
- Monitor and review – Undertake periodic reviews of the organization’s security approach and management framework, and their implementation, to ensure the framework remains effective.
- Enforce accountability – Establish a mechanism to hold people accountable for security, and ensure security risk management responsibilities are included in staff performance reviews.
- Celebrate success – Identify positive approaches and find champions to help motivate others on the positive impacts of improved security.
Physical Security Professional | Security Auditor | QM Lead Auditor | HR Practitioner | Integrated Management Planner
10 months. Thank you for the valuable insights. The term "security" often evokes thoughts of gates, guards, and guns, especially for those unfamiliar with its core values. Similarly, the terminology of Security Risk Management is frequently misunderstood, particularly by business leaders, who may assume its applicability is limited to physical security measures and not broader business risks. The security professionals' background, often rooted in military, police, or commercial security sectors, may influence business leaders to assume that these professionals are primarily focused on physical security measures. Consequently, business leaders might believe that business risks should be handled by trade experts as part of regular operations. Convincing leadership to recognize the broader scope of SRM to cover core business functions is a significant challenge for security professionals. Leadership direction for line management and asset custodians is crucial for fostering wider participation and ensuring the success of the SRM process. This collaborative effort is essential for integrating security measures effectively into the overall business strategy and addressing business risks.
Security is a process, not a product. | Managing Director at Lady Askari | Speaker | Thought Leader | Consultancy
10 months. Arshley Susan Wanjiku CSMP?, M.ISMI? very well put together article. You are right that it is the responsibility of business leadership to protect its people and assets. Do you think that if they fail at protecting their people, they should be held liable and potentially spend time in jail if they are found negligent?