As chief risk officer of Constellation Energy Group, John Collins has what you might call a diverse risk portfolio. Collins, whose background is in finance, started with a focus on financial and credit risks. These days, however, he spends about one-third of his time on operational risks, including physical security, information security and business continuity. We talked to Collins about what it’s like to bring together all those risks.

CSO: As someone with a finance background, how do you approach operational risk management?

John Collins: The key is to understand your operational risk but put it in financial terms. We look at each of our critical assets, whether it be a physical asset or an information technology asset, and say, “OK, what happens if we lose that asset?” If the financial implications are large, then we’re going to make sure that we have all proper measures in place [to protect it]. We’re also going to make sure we have a business continuity plan in place, so that if we lose the asset, no matter how much protection was in place, we can continue to do business.

CSO: What has the transition into managing security been like?

Collins: It’s been an educational process. The teams have spent a lot of time educating me on what is physical security, what is IT security (probably more on IT security). You can see and touch physical security; IT security is a little bit tougher. It’s understanding what the regulations are that drive our business, what our vulnerabilities are, how do we address our vulnerabilities, and basically, just getting a handle on it.

CSO: Is managing security different somehow from managing, say, credit risk?

Collins: The types of employees who are attracted to the different fields are different. You have to manage to your different employee populations.
You understand what they’re good at, what they’re not good at, what their likes and dislikes are, and you then change your management style appropriate to those people.

You use the same discipline in understanding corporate security or information security that you do in understanding credit risk or financial risk. The math is different; the dollars could be different, but you want to use the same approach. What we’ve done is standardize how we look at risk across the enterprise. I think that gives us better ability to go back and ask, “Was this a good decision?” We don’t always make perfect decisions, but [the approach] gives us a pretty solid platform to evaluate our decisions.