Enterprise Risk Management—Creating an Empowered, Effective, Converged Team Through Organizational Restructure

Presented By Daniel McGarvey & James Shamess

Who we are

• Air Force Brig Gen (ret) Jim Shamess, CPP, President 5D Pro Solutions, LLC; Member, The Spectrum Group

• Defense Intelligence Senior Executive (ret) Mr. Daniel McGarvey, Director Security Programs, Global Skills Exchange Corp. (GSX)

Objectives

• Transform the convergence dream to reality—transition from skepticism and mistrust to a collaborative, cooperative culture teaming for enterprise-wide success

• Win executive support—converge the myriad of operations and processes and show the boss how you can reduce vulnerabilities and risk to critical government and industry operations

• Show how lean management business tools can convince and compel management along with the entire workforce to action


How We Will Do It

• Introduce topic and situation

• Describe implementation

• Describe automated decision support approach

• Q&A


What Is ESRM?

Enterprise security risk management (ESRM) is a holistic, integrated approach that works to identify and mitigate all the risks an organization faces, no matter which department is involved.

What Others Have Said

• ESRM’s value to the business: “It will allow us to be proactive, reduce risk, and provide a marketable ‘business differentiator’ to our customers.”

• ESRM’s value to the business: “it provides management with a consolidated, ranked view of risk to the organization and enables business cases to be made for projects, budgets, and staffing.”

• ESRM’s value to the security professional: “The outcome is that you become much more intelligent about your business and your vulnerabilities—and you’re not relying on FUD to get funding.”

• ESRM’s value to the security professional: “It was a wonderful opportunity to see how things get done in another part of the company on a routine basis.”

• ESRM’s value to the security professional: “I learned more about the way the business was run and how the thought leaders in various business units operated…I could take that experience and apply it to my career.”

So why is ESRM not a standardized expectation of management?

Situational Example

• Fragmented management security disciplines/interests

• Fragmented security policy ownership, issuance, implementation and oversight—rice bowls, stovepipes, competition, bonus, profit, reward…

• Difficult-to-measure—difficult-to-present risks and solutions meaningful to leadership

– Rely on anecdotal evidence; little industry-wide incident/impact information

– Little budgetary support in absence of crisis event

• Lack compelling historical and predictive intelligence, measurable risks and countermeasures across disciplines

• Lack an intelligence-led, risk-based analytical process and tool; lack a tool to make efficient analysis of complex situations and track decisions

• Lack education, training & experience in risk management

• Lack a champion at the senior level; seniors don’t understand

Oversight—Who, What and How

Oversight: the authority to monitor, review, inspect, investigate, analyze and evaluate management, operation, performance and processes

Organizational structure and leader role

• Corporate position

• Matrix

• Series of responsibilities spread among directorates

• Unknown

How to Show the Boss

Who’s on First, What’s on Second, I Don’t Know’s on Third


Current Risk Management Gaps

• Executable Enterprise Security Risk Management (ESRM) process

– Lack consistent framework

– Ineffective oversight and evaluation processes

– Lack of meaningful performance measurements

• Situational awareness—lack detailed threat and vulnerabilities analysis

– Flow of information between business units and staff inconsistent and incomplete

– No standardized, comprehensive process for information collection, analysis, and dissemination

– Collection and dissemination of information relies on human attention and intervention—not automated

– Narrow focus—dwell on administrative compliance vice operational risk

• Analysis posture

– Baseline threat characterization not available

– No comprehensive system for collection, analysis, and communication of threat and vulnerabilities—not holistic

• Education and training

– Inadequate advanced education and training for analysis

An Integrated Solution (diagram): Management, Metrics, Risk Management Convergence, Infrastructure

Implementation

Promote Department Understanding of RM

– It’s an essential element of critical infrastructure, not overhead cost

– RM contributes to ROI determinations

– Essential to Department Hierarchy of Needs:

• Short/Mid-Term Success vs. Survival (Achievement of Vision/Goals)

• Value of RM to Department Health

• Need to integrate RM into all elements of Department activities

Implementation

Staff View of Organizational Change and RM

Promote Staff’s Understanding of the Value of RM

• Department and Directorate Strategic Planning

– Align Vision and Goals

– Understand the complexity: Convergence vs. Integration

– Understand what is required to provide a comprehensive RM approach: Assets, Vulnerabilities, Threats, Metrics

– Convey the need and proposed plan to Seniors

• Understand the role of personnel in all facets of RM

Implementation

“There is no internal or external, it’s all threat.”

Leading Change/Transformation (John P. Kotter, Harvard Business Review)

1. Establish a Sense of Urgency

2. Form a Powerful Guiding Coalition

3. Create a vision

4. Communicate the Vision

5. Empower Others to Act on the Vision

6. Plan/Create Short-Term Wins

7. Consolidate Improvements/More Change

8. Institutionalize New Approaches

Implementation

Degrees of Change

Level I – Transactional (upgrading): a series of small steps.

Level II – Transitional (revision): a restructuring; organization fundamentals stay the same.

Level III – Transformational (turnaround): profound effect on the values, assumptions, beliefs, mindset and attitudes of an individual or groups of individuals.

Implementation

Department Governance (diagram): Strategic Alignment, Human Capital, Risk Management, Process/Performance Measurement, Risk Management Professionals, Department Success, Infrastructure

Implementation

Strategic Alignment (diagram; axis: Tactical / Operational / Strategic Focus; Performance Learning Culture)

Level I: Day-to-Day Planning (strategy is only implicit)

* Budget is primary planning tool

Level II: Forecast-Based Planning (looking over the horizon)

* Use of forecasting models

* Assumes high predictability

Level III: Strategic Thinking (focus on strategic issues)

* Apply Effects Based Planning

* Explores multiple futures

Level IV: Strategic Management (wide-spread strategic thinking capability)

* Alignment of visions across units and functions

* Integration of strategy and reward system

Level V: Managing Uncertainty (consider multiple futures)

* Create flexible/innovative strategies

* Monitor the Environment

Source: Navy Executive Learning Office

Implementation

Human Capital Talent Management

“Companies that invest in human capital, work to develop and retain valued employees, and measure and hold people accountable for that investment have a powerful competitive advantage.”

--J. Randall McDonald, IBM

Implementation

Building Functionality (Desired)

– Career Management: assignment, path planning

– Sourcing: recruitment, selection

– Assimilation: onboarding, orientation, culture mentoring

– Development: training, coaching

– Perf. Mgmt.: appraisal, goal setting, feedback

– Rewards: pay, recognition

– Engagement: attitudes, behavior

– Retention: turnover, value prop

Building Functionality (Reality)

– Sourcing: recruitment, selection

– Assimilation: onboarding, orientation, culture mentoring

– Development: training, coaching

– Career Management: assignment, path planning

– Perf. Mgmt.: assessment, goal setting, feedback

– Rewards: pay, recognition

– Engagement: attitudes, behavior

– Retention: turnover, value prop

Source: Ready & Conger (2007)

Implementation

Security Enterprise PC, Example Career Path: Security (diagram)

Levels shown: Direct/New Hire; Military Accession/0083/0085/0086; Security Intern Program; Branch or equivalent security support (GS 9-13 or equivalent); Division or equivalent security support (GS 12-14 or equivalent); Directorate or equivalent support (GS 15 or equivalent); SES.

Certifications shown: Security Fundamentals Professional Certification; Security Asset Protection Professional Certification; Security Program Integration Professional Certification.

Implementation

Enterprise Security Risk Management (ESRM) Metrics

Types of metrics in the risk assessment process

Steps 1 – 3: Environmental data metrics

– Objective: Commands aboard installation, critical asset inventory, operating environment, activities, missions, etc.

– Qualitative: Criticality of assets, severity of threats (projection)

Step 4: Performance metrics – Control implementation levels

• Presence of controls and degree of implementation

• Measurable observations, not subjective, no algorithms

Step 5: Performance scoring metrics (risk)

• Uses algorithms that relate performance and environmental metrics in a way that generates a risk understanding

• Provides scores within a risk-based framework and compares the score to performance targets.

Sample ESRM Startup Charter

Case for Action: Risk management is directed by law, executive order, agency and by function. The directions are extensive, overlapping in some areas and leaving gaps in others. Together, the variety of functional requirements, methods and approaches for risk management can overwhelm the boss’s and staff’s abilities to adequately assess, report and mitigate threats and vulnerabilities. Additionally, current processes make it too difficult to determine the relative importance of the issues and the priority for mitigation. In the absence of an enterprise effort to converge risk management, the situation will continue; management action will be less effective; and risk will increase without a reasonable means to determine and implement effective countermeasures.

Process Owner: Mr. or Ms. Authority (someone with authority to make or influence policy and resourcing decisions)

Process Owner’s POC: Business proponent—who has most to gain or lose

Process Stakeholders: Board, CEO, Business Units 1, 2, 3; Staff entity 1, 2, 3; client 1, 2, 3

Project Description & Scope: Map risk management processes. Recommend an improved, multi-functional, converged process. Review existing government and industry processes, including automated risk management support tools, and recommend the best approach. Consider industry and government organizations that have developed computer-assisted methods to support more effective and efficient risk management processes for an enterprise.

Brief Description of Current Process: The following describes examples of the major process shortfalls:

- 8+ risk management processes; each is accomplished separately without regard to the others.

- Risk management assessments and self-inspections are presented separately for management consideration and action. Threat and mitigation actions are reviewed separately.

- Little automation of the process, causing excessive time for administration and leaving little time for effective risk assessment.

Expected Outcomes:

- Meaningful cross-functional map of the current and desired future states for risk management.

- Improved process for management to assess the situation and decide best-value mitigation actions.

Core Team Members: Business unit managers 1, 2, 3; Engineering, Security, HR, Finance, Information Technology

Implementation


Implementation Example: Charter Objectives

Purpose is to assess administrative (information, personnel, industrial) security policy within the Department from policy-level management to installation-level execution. The strategic objectives are:

1) An effective and efficient security infrastructure for the Dept., including development and implementation of policy, training and oversight

2) Streamlined administrative security policy functions consistent with performance initiatives

3) Viable recommendations that, if approved, can be incorporated into the Department Management Level Headquarters Program Action Document

Phases:

I - Focus on policy-setting process for all, including Sr. Staff/service/org

II - Focus on improved Sr. Staff structure, process to develop, manage/implement

III - If desired, review and recommend improvement at lower echelons

Implementation


Implementation Example: Guiding Principles

• Consolidation of all security entities in a single organization is neither the goal nor desirable – look for ways to leverage strengths of various security disciplines & maintain legal authorities and responsibilities

• Stay focused – seek to improve effectiveness (less risk) for protection of information as well as to increase efficiency

• Strive to gain corporate view and consensus on current situation and desired end-state

• Get the processes right first – defining organization is secondary

• Supervisors need a well-coordinated, effective and efficient security environment and readily available, expert advice on security equities

Implementation


Implementation Example: Guiding Principles (cont.)

• No expectation for gaining additional resources

• Cross-cutting issues/functions, enterprise-wide, offer greatest opportunity for improvement:

– Oversight

– Training

– Resources (primarily manpower)

– Implementation/execution

• Gain Department level support to institutionalize across the enterprise

Implementation


Implementation Example: Conclusions

• Responsibilities of the Senior Security Official must be strengthened and codified in a policy directive. Furthermore, commanders need to establish a senior security advisor at the Department and installation levels.

• Varying models and structures exist to execute security responsibilities; need to follow a model that makes sense for the Department

• A senior level policy board at the Director’s level, that represents all security equities, offers a tremendous opportunity to provide a single voice to the Top 4 on all security related matters

• An enterprise-wide approach to security policy development, oversight, and implementation will eliminate confusion and offer the best opportunity to mitigate current & future risks

• Short term decisions and commitment to pursue process improvements and any attendant organization changes are critical for putting the security “house” in order

Bottom line: We must do better to support our Leaders

Implementation

Transformation Example: Security Chronology (timeline diagram, 2006 to 2011, with lanes for Policy Structure, Career Field and Professional Development)

Milestones shown: Decision; Security Directorate Created; CONOPS Signed; Core Policy Directives; Dept. Instructions Consolidation; Division/Directorate/Division/Offices/Branch structure; Staffing (FY11 POM, FY12 POM); Reorganization of Career Field Management; IP DIR Career Field Focal Point; Certification Development; Certification Soft Launch; Certification Operationalized; Design Career Path Structure Approved; Standardized AF Position Descriptions; Career Field Sustainment Realized; Mission Impact

Implementation

Converged State (diagram): Information, Supply Chain, Physical, Info Systems, Personnel

Automation-Supported Approach

Current State of Risk Automation

Current Benefits:

• Provides a standardized, repeatable method for assessing the risks and impacts of the numerous threats facing an organization’s assets.

• Allows the organization to track and task risk mitigation countermeasures, providing an architecture for ensuring security of physical and digital assets.

Current Risk Mitigation Automation focuses on compliance with applicable standards and best practices, protection of assets, and the use of countermeasures against relevant threats.

Current technological capabilities support:

• Work Assignment/Tasking

• Cost Benefit Analysis

• Comparative Analysis

• Roll-up Analysis

• Locational Sorting/Tracking

• Incident Tracking

• Flexible Characterization

• Conditional Access

• Risk/Vulnerability/Threat Analysis

Common Operations in Current Industry State

Compliance Culture: The current risk automation field remains driven by the ongoing need of organizations to meet compliance standards and industry best practices for certification, insurance purposes, or compliance with government or international mandates.

• NIST 800-53

• ISO 27002

• HIPAA

• ADA

• FEMA 426/428

DoD Origins: Industry development has mirrored the requirements of first adopters, leading to a focus on compliance with government standards and use for regional-level analysis instead of enterprise-level analysis.

Subjectivity: Generally, valuation of assets and characterization of threat levels has been subjective. While this allows for calculation of risk levels without historical data, it also allows personal biases and a lack of technical knowledge to decrease the effectiveness of risk assessment results.

Industry Direction

The complexities and needs innate to large enterprises are putting increasing demands on risk managers. These large enterprises require management of risks across facilities/sites/regions/nations.

• Nodes as a System

• Reactive Systems incorporating live data

• Valuation breakdown: subjective, cost, throughput, public outlook

• Visual Analysis incorporating facility and regional views, and indications of risk reported visually

• Integration with active security measures (CCTV, Fences, Threat Levels)

• Integration of all security disciplines within one automation system

Complexity Driven Need for Automation (chart; axes: Data Volume, Security Complexity / Importance, Number of Assessment Sites)

Info to prepare for automation

1. Lists

– Facilities with addresses, POCs, etc.

– Assets

2. Guidelines

– Policies

– Compliance/risk frameworks

– Standards

3. Records of threats/incidents/losses

4. Corporate ‘goals’ for the program

Benefits to Security Manager

• Ability to view risks with desired level of granularity

• Comparative analysis of countermeasures (CBA)

• Work tasking management

• Transitioning the security department from being compliance/safety focused to a value-adding aspect of the organization

• Ability to assess security at one site or a conglomeration of sites

• Supports presentation of complex relationships to non-technical personnel or management

• Reduced time required for inspections and risk assessments

• Analyze risks based on the causal threat, system vulnerabilities, or value of the asset as a loss or obstruction to normal operation in a process.

Example—ESRM Flow Chart

Step 1: Define Scope

Step 2: Assess Assets

Step 3: Assess Threats

Step 4: Assess Vulnerabilities

Step 5: Assess Risk

Step 6: Identify & Implement Countermeasures

Step 7: Evaluate Effectiveness & Reassess

What you can give the boss

• Projection of what assets are most at risk

– By whom/what

• Prioritization of remediation actions

– By benefit, cost, or cost-to-benefit

• List of existing measures that may not be the best use of resources

• One-stop-shop for all security-related information, on demand
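The metric types described earlier (environmental data from steps 1–3, step 4 control implementation levels, a step 5 scoring algorithm compared against targets), the seven-step flow chart, and this list of what to give the boss together describe a computation that the deck itself never shows. The following is an added example, not code from the presentation or its authors, of one way to implement that scoring and the step 6 prioritization by cost-to-benefit; the 1–5 rating scales, the formula criticality × severity × (1 − implementation), and every asset, threat and control value are constructed assumptions.

```python
from dataclasses import dataclass
# Steps 2 and 3 carry the deck's "environmental data metrics": objective
# inventory fields plus qualitative 1-5 ratings (an assumed scale).
@dataclass(frozen=True)
class Asset:
    name: str
    site: str
    criticality: int      # 1 (low) to 5 (mission critical)

@dataclass(frozen=True)
class Threat:
    name: str
    severity: int         # projected severity, 1 to 5
    targets: frozenset    # names of the assets exposed to this threat

# Step 4 "performance metric": observed degree of implementation (0.0-1.0) of a
# control that mitigates one named threat; observation only, no algorithm yet.
@dataclass(frozen=True)
class Control:
    name: str
    mitigates: str
    implementation: float
    annual_cost: int

def risk_score(asset, threat, controls):
    """Step 5: relate environmental metrics (criticality x severity) to the
    performance metric (best implementation level among mitigating controls)."""
    coverage = max((c.implementation for c in controls
                    if c.mitigates == threat.name), default=0.0)
    return round(asset.criticality * threat.severity * (1.0 - coverage), 2)

def score_risks(assets, threats, controls):
    """Residual risk for every (asset, threat) pair where the asset is exposed."""
    return {(a.name, t.name): risk_score(a, t, controls)
            for t in threats for a in assets if a.name in t.targets}

def above_target(scores, target):
    """Step 5, continued: compare each score to the performance target."""
    return sorted(((k, v) for k, v in scores.items() if v > target),
                  key=lambda kv: -kv[1])

def prioritize(assets, threats, controls, candidates):
    """Step 6: rank candidate countermeasures by cost per unit of risk removed."""
    base = sum(score_risks(assets, threats, controls).values())
    ranked = []
    for cand in candidates:
        after = sum(score_risks(assets, threats, list(controls) + [cand]).values())
        benefit = round(base - after, 2)
        ratio = round(cand.annual_cost / benefit, 2) if benefit > 0 else float("inf")
        ranked.append((cand.name, benefit, cand.annual_cost, ratio))
    return sorted(ranked, key=lambda r: r[3])

def idle_controls(threats, controls):
    """Existing measures whose threat exposes no inventoried asset: the
    'may not be the best use of resources' list from the boss's slide."""
    live = {t.name for t in threats if t.targets}
    return [c.name for c in controls if c.mitigates not in live]

# Constructed sample inventory; every name and number here is illustrative.
ASSETS = [Asset("HR database", "HQ", 5), Asset("Loading dock", "Plant A", 3),
          Asset("Badge system", "HQ", 4)]
THREATS = [Threat("insider data theft", 4, frozenset({"HR database"})),
           Threat("unauthorized entry", 3, frozenset({"Loading dock", "Badge system"})),
           Threat("flood", 2, frozenset())]
CONTROLS = [Control("DLP monitoring", "insider data theft", 0.5, 40000),
            Control("perimeter fence", "unauthorized entry", 0.25, 15000),
            Control("sandbags", "flood", 1.0, 2000)]
CANDIDATES = [Control("access reviews", "insider data theft", 0.8, 20000),
              Control("dock CCTV", "unauthorized entry", 0.6, 30000)]
```

Running `above_target(score_risks(ASSETS, THREATS, CONTROLS), 7)` gives the "most at risk, by what" projection, `prioritize(...)` the remediation order by cost-to-benefit, and `idle_controls(...)` the measures worth questioning; step 7 is a re-run of the same functions after a chosen candidate is appended to CONTROLS.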

Concluding Comments

Objective: Create a collaborative and cooperative culture for enterprise-wide success with executive involvement & the use of lean management business tools

• Current Situation (fragmented, reactive)

• Enterprise Security as a Solution

• Benefits of Metrics (Environmental, Performance)

• Integrated Solution

– Governance

– Holistic Integrated Approach

– Risk Management

– Frameworks and Standards

• Risk Automation

– Current State

– Industry Direction

– Benefits

ASIS International Guideline available: “General Security Risk Assessment”

Strategy is essential

“However beautiful the strategy, you should occasionally look at the results” — Winston Churchill

“Everyone has a strategy, until they punch you in the mouth” — Iron Mike Tyson

Backups

Oversight of Protection Equities

• Functional or interest area: ________________ (e.g., information, physical, cyber)

• Assessment Title: ________________________

• Assessment Level: ____________________ (e.g., corporate, division, business unit)

• OPR: ____________________________ (organizational title); Individual: _________

• Shared responsibility with other functional or interest area: yes/no. If yes, identify: ___________

• Assessment conducted by: ___________________ (organization, office)

• Requirement established by: _________________________ (organization by name)

• Requirement established in publication: ____________ ___________ (title & date)

• Methodology of assessment: ______________________ (survey conducted remotely via Q&A; survey on site; evaluation with administrative orientation; evaluation with performance orientation; evaluation with compliance orientation; mix, specify characteristics)

• Formal reports delivered to: _________________________ (e.g., Board, CEO, President, VP)

• Results aggregated: yes/no. If yes, at what echelon? ________________

• Metrics or measurement system instituted: yes/no. If yes, describe: _______________________

• Share or crossfeed results to others: yes/no

• Integration of results into lessons learned: yes/no. If yes, describe/name system: _____________

• Influences policy and process changes: yes/no. If yes, plan for changes

• Potential for scheduling and conducting evaluation/assessment as part of a collaborative team or for a team to expand its responsibilities and orientation

C-Suite view of security/RM Implementation