How do you handle understanding the enterprise risks in a corporation where all of the risk management functions are dispersed in differential line management — General Counsel, Finance, Technology, Facilities? How do you define the participating functions? Yes, the ideal situation is having these groups housed under a Chief Risk Officer or Head of Operational Risk, but in the absence of organization structural shifts, here are some tips for you.
Be a Leader in bilateral conversations of risk partners
The most successful global security teams that I have been a part of were always leaders in collaboration and outreach to risk partners to pave the way for information sharing. Yes, there was the risk of the information flow being one way, and this is usually the case at the beginning, but as the interaction continues over time, the information flow gradually becomes two ways. For example, you may start with a monthly global meeting with Facilities, Business Continuity and quarterly meeting with Information Security and Compliance.
Conduct joint awareness programs
As part of your "doing-more-with-less" strategy, look for opportunities to work together on joint-awareness programs. For example, most employees at a company don't separate physical security from information security; security is security. Therefore, jointly working on a security awareness program often times leads to greater points of collaboration. Start with the new hire orientation. Also, participating in a wider program for annual compliance training is an easy win.
Capitalize on the success of low-hanging fruit
Reach out to the heads of risk management functions to ascertain interest in participating in an informal working group to share information and priorities on a quarterly basis. Gain buy-in from one other risk partner and approach the other heads of the risk management organization as one voice. Establish ground rules of participation around confidentiality. Survey the heads of the functions on the gaps or threats they are most concerned with. Taking a lead in this space will solidify you a leader and influencer in the group. Over time, the group will be persuaded of the benefits of formalizing it around an enterprise risk management program.
Establish a joint threat heat map
Start with your head of information security team to discuss the creation of a joint threat heat map and its benefits for submission to the board of directors. The threat environment is only getting more complex — data loss, workplace violence, APT, natural disasters, data breach, civil unrest, supply chain, terrorism, facility impact etc. Plotting them on a likelihood and impact matrix enables you to show the prioritization of threats. Once it exists, it is an easy way to bring in other risk partners to add their view of integrated threats because the interaction is focused on a work product.
Benchmark with peer companies to collect best practices
Understanding what your counterparts are doing is an influencer and can be a compelling piece of information to garner support for cross functional collaboration in an enterprise risk program not only from participants but also senior sponsors.
Once support for the cross-functional group is built, then gather the participants to create a purpose, charter, scope and rules of engagement and objectives. That way, it is completely transparent why the group exists and what it is set out to do. These foundation documents should be available in an electronic format to every participant.
Greater collaboration has been an uphill battle in an industry with a historical reputation of being the group of "no." More global security leaders initiating increased partnerships will help erode this old belief while serving our internal customers more effectively.
Natalie Runyon is the Director of Security of the Americas at Thomson Reuters, a security leadership expert and a women's leadership strategist based in New York City.