Q&A

Frank Bernhard: The Art of Uncertainty

To hear Frank Bernhard tell it, economics is anything but the dismal science—and risk management is the key to a CSO's success.

By Elaine M. Cummings


Guesstimation is not an exact science, but it's a good start. Pay attention to that visceral feeling about where you think your risk is most obvious. Then boil it down to the top three areas driving security: access, information assets and mobility. That makes up about 85 percent of your concerns.

And the other 15 percent?

Is around the physical buildings, facilities and perimeter security, largely those elements of risk being waged against in the efforts of homeland security. If you think about security in general, the safety of a democratic and civil society imposes enough moral restraint to diminish rampant chaos. But security does extend to physical infrastructure of organizations and the challenge to maintain order amidst the outbreak of terrorism and overt violation of public law.

Spending on insurance is just one way to mitigate risk. How much is enough there?

It's a tale right out of Goldilocks. Typically, people sign up for either too much or too little insurance. They don't ever have just the right amount of insurance. You have to start by asking, What's the valuation of the assets I'm protecting? What's the probability of risk assignment? And then what's the cost to protect those assets?

To spend the appropriate amount on insurance, you want the cost of insuring an asset to be less than or equal to the cost of the asset itself. The premium must justify the means of loss protection. Pooled risk dictates that some loss is inevitable, but the premium schedule for such assurance should be commensurate with the risk basis. So if an insurance policy protects your million-dollar asset and the policy costs $900,000, and the risk of destruction or complete loss is, say, 15 percent, then the risk of loss is grossly disproportionate to the premium paid for asset assurance.

The numbers may be high as an example, but they speak to a point. Insurers want the least of risk for the maximum amount of premium. The enterprise wants the maximum amount of protection for the least amount of investment. Therein lies the economic argument for investment and risk mitigation: The equation must balance at a level of security adequacy and fiscal prudence.

Think about buying an extended warranty on a television, for example, where the asset life is relatively short but the policy is almost 30 percent of the item's original cost. If you divide the useful life by its original cost and compare the premium for replacement, the math seldom favors the consumer. Much in the same way, companies spend on protecting their assets, but they can actually get to a point of diminishing returns.

How do you optimize that spending on security?

First, it comes down to common sense. You want to be risk cautious, but you don't want to be risk absurd. The practical question you have to ask is, Does the behavior or the policy in the governance of my enterprise match the level of risk that it's willing to accept?
