Issue 26 – April 2011
Security, or rather the lack of it, produces a range of effects that create uncertainty about whether societal and organisational objectives will be achieved. The use of the term 'security' implies that a threat exists – whether from terrorism, cyber attack or identity theft – and that decisive measures need to be taken to protect society from it.
Following the publication of ISO 31000:2009, Risk management – Principles and guidelines, the management of risk has moved from a focus on financial, operational, market, employment, insurance, and reputational risks to a broader approach based on the effect of uncertainty on the achievement of organisational objectives.
A consequence of focusing on the effect of uncertainty on objectives is that the management of security risk has moved from the shadows into mainstream management. A risk-based approach to security draws the attention of the organisation's board and top management, and results in transparent decision-making on risks that threaten the ongoing sustainability and resilience of an organisation. It also requires that appropriate accountabilities and responsibilities are assigned at each and every step of the management process, and that every security risk has an owner.
The involvement of top management in, and its oversight of, security risk ensures that the control and treatment of events, often outside the experience of an organisation, are properly addressed. The end goal is to provide the best outcomes for the achievement of the organisation's objectives. Security risks are identified, assessed, and treated as part of the overall management of organisational risk, resulting in a greater understanding of why the organisation needs to invest in security-related treatment.
The formal inclusion of security risk is a vitally important part of an effective organisational approach to the management of risk, and it should fit seamlessly into an organisation's management system. It introduces a new element: the concept of someone deliberately creating an exposure to potential harm and actively seeking to bypass existing controls. The potential consequences of security risk also need to be addressed in the organisation's plans for managing disruption-related risk, to ensure that the required capability, resources, and knowledge are available and accessible to support the achievement of these key objectives.
An effective enterprise risk management (ERM) system will ensure that security-related risk is interlinked with all other risk management activities being addressed (for example, safety, environmental, marketing, reputation, regulatory, financial, and so on). It must be clearly understood that the only differences in approach relate to the application of discipline-specific knowledge and skills for each risk area – the overall principles, framework, and process remain the same.
While many security-risk activities may be conducted by specialist areas, many will also be conducted as part of the way other organisational units routinely address their risk exposures (for example, managing employment-related security risks should be a fundamental human resources accountability while information technology (IT)-related security risk should be an accountability of the IT management).
The management of risk is critical to effective decision-making that ensures strategy and controls are more appropriately applied. It provides an interface between such decision-making and the implementation of key functions, processes, and infrastructure, which are required to achieve organisational objectives.
The management of security risk requires, first and foremost, that those accountable have a thorough understanding of the risk management principles, framework, and process. This must be complemented by a thorough understanding of the specific security disciplines. In the current environment, security within society or an organisation cannot be left isolated from all of the other management processes and systems.
Security should encompass issues such as strategy, governance, ethical conduct, safety, and organisational performance. For the management of security risk to be successfully integrated into the fabric of society and organisations, it must become an integral part of how they operate by becoming as fundamental as financial and human-relations management, communication and decision-making skills.
ISO 31000 is a must-have solution for all organisations and the whole of society. It provides best practice guidelines to effectively manage security-related risk, and in so doing, maximises opportunities and minimises threats for the benefit of all.
This article first appeared in ISO Focus+ February 2011 and is summarised with permission from ISO Focus+. It was written by Kevin W Knight, Chair of the ISO working group that developed ISO 31000:2009 and member of the General Division of the Order of Australia.
Note that ISO 31000 has been adopted by Standards Australia and Standards New Zealand. The identical adopted publication is available on our website as AS/NZS ISO 31000:2009.
- AS/NZS ISO 31000:2009 Risk management – Principles and guidelines
- ISO/IEC 31010:2009 Risk management – Risk assessment techniques
- ISO Guide 73:2009 Risk management – Vocabulary
- HB 327:2010 Communicating and consulting about risk