Assessing an Age-Old Adage
A popular tenet of risk management that persists today states:
“One should never spend more on security than the value of the asset(s) being protected.”
This tenet was supported throughout the 1990s and early 2000s by many security scholars analysing newfound vulnerabilities in the budding computer networks of governments, businesses, and other ‘modernising’ organisations. Throughout the 2000s, discussion of the economics of security risk management evolved, but primarily in the direction of security as a ‘public vs. private good’ and the (debated) benefits of inter-organisational information sharing. From the mid- to late 2000s until now, discussions of risk management expenditures have remained largely limited to comparisons with the financial values of the assets facing the risks.
As a basic principle, particularly within commercial environments, it makes sense that there should be a correlation between ‘asset value’ and the value of the resources allocated to protecting those assets (i.e. the risk management budget). However, this simplistic perspective fails to acknowledge the fundamental purpose of having and protecting assets at all. To make rational decisions, risk managers must acknowledge from the outset that organisations seek to control assets only so that they can achieve stated objectives. Risk managers are allocated risk management budgets for the sole purpose of ensuring that their organisation’s assets are available for achieving those strategic objectives, as and when required. Objectives, assets, and risk management budgets are thus mutually dependent; one has no reason to exist without the other two. While popular tenets espousing the importance of financial considerations may not be wrong, they do paint an incomplete picture from a risk management perspective.
The Value of Strategic Alignment
The purpose of this article is to encourage executive leadership teams to ensure that their risk management budgets and valuable assets are optimally balanced so that they support their organisations’ efforts to achieve strategic objectives.
While most leaders appear to be relatively adept at determining which assets they need to achieve their objectives, calculating the value of those assets is not necessarily a straightforward exercise. Asset value may, in some cases, be subjective, and an asset’s ‘criticality’ vis-à-vis a strategic objective may be debatable. Accurately determining how much time and money should be allocated to the protection of an asset also becomes difficult without a clear understanding of how each asset contributes to its organisation’s objectives. To complicate matters further, some risk management professionals may be prone to forgetting that their organisation’s assets do not require protection for their own sake. When the criticality and purposes of assets are unknown, unclear, or forgotten, risk managers become susceptible to mis-prioritising the resources at their disposal and setting up their companies and/or executive leaders for failure. Accurately determining the risk management budget is a difficult but essential part of strategic alignment.
To illustrate the danger of misaligned objectives, risk management budgets and assets, one needs to look no further than the high-profile case of the US government in Libya. In Benghazi, the US Embassy requested between three and twelve additional security staff members to support their diplomatic mission prior to the death of Ambassador Christopher Stevens in a September 2012 rebel assault. Reviewers of this incident argued that the recent sequestering of the US Dept. of State’s security budget (which was denied $330M) negated the possibility of properly securing many embassies worldwide, including the one in Benghazi. The destruction of the US Embassy, the loss of a particularly influential key leader, and the weakening of the US’s image dramatically decreased the US’s influence in the region for years to come.
Encouraging business leaders to value assets in terms of the strategic objectives they support improves leaders’ abilities to allocate appropriate amounts of resources to protecting those assets. When properly aligned, risk management budgets can smooth out Annual Loss Expectancies (ALEs), reduce the chances of organisations exceeding their risk capacities, and reduce the resources that organisations must hold in reserve to cover incidents.
Informing Your Risk Management Budgeting Decisions
Aligning your organisation’s risk management budget with its assets and strategic objectives should begin with an information-gathering exercise. The following five steps constitute a simple process for ensuring that you have all the information required to ensure that there are direct links between these four points:
Identify your organisation’s strategic objectives:
Naturally, the first step in the strategic alignment process is to identify your organisation’s strategic objectives. Strategic objectives are fundamental statements of what your organisation intends to achieve. In commercial organisations, strategic objectives are normally related to financial goals. In other organisations, strategic objectives may relate to social or political goals. In any case, strategic objectives should be stated in clear, quantifiable terms that include specific targets such as: the maintenance or gain of market share, the stability or growth of financial earnings, compliance or leadership regarding regulatory issues, and the maintenance or development of your organisation’s reputation. The strategic objectives declared by your organisation become drivers for all of your resource planning.
Identify the operations, business functions, and/or projects necessary to achieving your strategic objectives:
The second step in the strategic alignment process is to identify exactly how your organisation will achieve its strategic objectives. Typically, an organisation’s day-to-day operations and business functions are sufficient to keep the organisation viable in the short term. To make substantial gains, strategic projects are often commissioned to evolve the organisation beyond its current capacities and performance. Any combination of operations, functions, and projects, however, could be considered essential to achieving the organisation’s strategic objectives.
Identify the minimum resources required to carry out strategically-relevant operations, business functions, and projects:
The third step in the strategic alignment process is to determine the minimum quantity and value of assets required for conducting operations, delivering business functions, and executing projects. Assets may include human resources, equipment, supplies, buildings, workspaces, information, and even reputational factors that might be necessary for achieving success. Assets’ values should be calculated in terms of both the time and money that it would cost to replace them. In most cases, calculations should also be made to understand the opportunity costs (in terms of time and money) that would be incurred if these assets ceased to be available.
Identify your organisation’s risk capacity:
In the fourth step, it becomes possible to calculate your organisation’s risk capacity. This calculation is a purely mathematical exercise to determine the total amount of loss that can be sustained before the unavoidable failure of a strategically-important operation, business function, or project. Risk capacity is determined as a function of the total amount of resources available to the organisation (including available credit, savings, and even the sale value of non-critical assets) minus the minimum amount of resources required to carry out operations, functions, and projects (as identified in Step Three). Because organisations may have different requirements for, and access to, different assets, risk capacity must be calculated for each asset individually.
Determine your organisation’s risk tolerance:
Finally, with a clear understanding of the criticality and availability of strategic assets, executive leaders can decide how much risk they are willing to expose themselves to. Because security risk mitigation measures normally come at a financial cost, it is probable that your organisation will not be able to mitigate all risks equally. In these cases, both assets and risks will need to be prioritised. Executive leaders will need to issue statements of risk tolerance to help guide the organisation’s operational-level leaders charged with identifying and implementing risk controls. Statements of risk tolerance must be quantifiable (e.g. “Our organisation-wide employee turnover is not to be more than x% in any given 180-day period”), and the degree to which an executive decision is ‘risk averse’ can be determined by comparing risk tolerance statements to the organisation’s risk capacities. It is noteworthy that risk tolerances do not have to be defined within the boundaries of an organisation’s risk capacity. There may be circumstances that compel leaders to accept the possibility of losing more assets than their organisation can functionally afford to lose. In these situations, executive leaders are essentially “betting everything” on the belief that catastrophic risks will not come to fruition.
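The following is an added worked illustration of steps three to five (minimum resources, per-asset risk capacity, and the comparison of tolerance statements against capacity); it is not CornerStone GRG’s own model, and the assets, figures and tolerance statements in it are constructed for the example.

```python
from dataclasses import dataclass


@dataclass
class Asset:
    """One strategically relevant asset with the figures gathered in step three."""
    name: str
    minimum_required: float        # least needed to keep operations/functions/projects viable
    on_hand: float                 # quantity currently held
    credit: float = 0.0            # available credit that could replace lost units
    saleable_reserve: float = 0.0  # sale value of non-critical holdings convertible to this asset

    def risk_capacity(self) -> float:
        """Step four: total loss sustainable before a strategic function fails.

        Capacity is everything the organisation could draw on for this asset
        (holdings, credit, saleable reserves) minus the minimum it must keep.
        """
        available = self.on_hand + self.credit + self.saleable_reserve
        return available - self.minimum_required


def assess_tolerance(asset: Asset, tolerated_loss: float) -> dict:
    """Step five: compare a quantified tolerance statement with the asset's capacity."""
    capacity = asset.risk_capacity()
    if capacity <= 0:
        verdict = "already below minimum"   # the asset cannot absorb any loss today
    elif tolerated_loss > capacity:
        verdict = "betting everything"      # leaders accept losing more than is affordable
    else:
        verdict = "within capacity"
    # Share of capacity leadership is prepared to lose: lower means more risk averse.
    ratio = tolerated_loss / capacity if capacity > 0 else float("inf")
    return {"asset": asset.name, "capacity": capacity, "tolerated": tolerated_loss,
            "ratio": round(ratio, 2), "verdict": verdict}


# Constructed sample figures: headcount for staff and units for kit, GBP thousands
# for working capital. Each tuple pairs an asset with its tolerated loss.
ASSETS = [
    (Asset("field engineers", minimum_required=40, on_hand=48), 6),
    (Asset("working capital", minimum_required=900, on_hand=700, credit=400, saleable_reserve=150), 500),
    (Asset("spare network kit", minimum_required=20, on_hand=15, saleable_reserve=2), 4),
]


def run_assessment(assets=ASSETS) -> list:
    """Assess every asset; returns one result row per asset, in input order."""
    return [assess_tolerance(asset, tolerated) for asset, tolerated in assets]


if __name__ == "__main__":
    for row in run_assessment():
        print(row)
```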
The amount of risk that a business is willing to tolerate will always be, to some extent, subject to an organisation’s culture and trading experience.
But, as shown in the process above, a significant amount of information must be gathered before a leadership team can be sure that their risk management budget accurately reflects their risk tolerance level. A comprehensive understanding of your organisation’s strategic goals and the resources required to achieve those goals is fundamental to making informed decisions about how big your risk management budget should be. Only after determining your organisation’s risk capacity and risk tolerance does it become possible to set a risk management budget that comfortably protects the assets necessary for achieving your strategic objectives. Only when risk management budgets and valuable assets are optimally balanced can leaders be confident that they have maximised their chances of achieving their organisation’s strategic objectives.
For more information on Security Budgeting as well as a range of other Security Consultancy services please contact us via telephone or our website.
CornerStone GRG Ltd
8 City Road
London, EC1Y 2AA
tel: 020 3405 4956
The contents of this document are provided on an “as is” basis. No representation or warranty (either express or implied) is made as to the completeness, accuracy or reliability of the contents of this document. Advice given and recommendations made do not constitute an assurance against risk or a warranty of future results by CornerStone GRG Ltd.
Intellectual Property and Copyright
This document includes registered and unregistered trademarks. Any trademarks displayed are the trademarks of their respective owners. Your use of this document does not constitute or create a license or any other right to use the name and/or trademark and/or label. This document is subject to copyright owned by CornerStone GRG Ltd. You agree not to copy, communicate to the public, adapt, distribute, transfer, sell, modify or publish any contents of this document without the express prior written consent of CornerStone GRG Ltd.