Sarah D. Scalet
Senior Editor

Every Kind of Risk

Apr 15, 2005 | 3 mins
CSO and CISO | Data and Information Security

As chief risk officer of Constellation Energy Group, John Collins has what you might call a diverse risk portfolio. Collins, whose background is in finance, started with a focus on financial and credit risks. These days, however, he spends about one-third of his time on operational risks, including physical security, information security and business continuity. We talked to Collins about what it’s like to bring together all those risks.

CSO: As someone with a finance background, how do you approach operational risk management?

John Collins: The key is to understand your operational risk but put it in financial terms. We look at each of our critical assets, whether it be a physical asset or an information technology asset, and say, "OK, what happens if we lose that asset?" If the financial implications are large, then we're going to make sure that we have all proper measures in place [to protect it]. We're also going to make sure we have a business continuity plan in place, so that if we lose the asset, no matter how much protection was in place, we can continue to do business.

CSO: What has the transition into managing security been like?

Collins: It's been an educational process. The teams have spent a lot of time educating me on what is physical security, what is IT security, probably more on IT security. You can see and touch physical security; IT security is a little bit tougher. It's understanding what the regulations are that drive our business, what our vulnerabilities are, how do we address our vulnerabilities, and basically, just getting a handle on it.

CSO: Is managing security different somehow from managing, say, credit risk?

Collins: The types of employees who are attracted to the different fields are different. You have to manage to your different employee populations. You understand what they're good at, what they're not good at, what their likes and dislikes are, and you then change your management style appropriate to those people.

You use the same discipline in understanding corporate security or information security that you do in understanding credit risk or financial risk. The math is different; the dollars could be different, but you want to use the same approach. What we’ve done is standardize how we look at risk across the enterprise. I think that gives us better ability to go back and ask, “Was this a good decision?” We don’t always make perfect decisions, but [the approach] gives us a pretty solid platform to evaluate our decisions.