Proactive vs. Reactive. The argument goes on in many organizational departments when it comes to budgeting for preparedness vs. response. How do you detect the next employee who has "gone rogue," as they say?
What is the early warning indicator that tells you that you need to train employees on the detection of "abnormal behavior" or out-of-context business transactions?
If we are to continue down the path of handling business disruptions and personnel emergencies with the idea of mitigating the risk post-incident, then increase the number in the budget for the line items under outside counsel, litigation and insurance.
However, the idea that a corresponding increase in the budget line items under the heading of compliance, security and training will decrease risks prior to an incident is prudent thinking.
In the battle for finite dollars to be spent across the enterprise in all categories that carry significant risks, there will always be an argument over where the investment of resources will have the biggest payoff or return on investment.
"Yet, how will you ever know whether this is the year of the earthquake, the cyclone or the employee who becomes hostile or potentially lethal?"
The point is, you will never know, for certain...
This is why an investment in enterprise risk management dialogue requires that every department and each process factor in additional costs for mitigating risks.
Each person who is closest to the work being done knows where the greatest potential for a loss event is: the place that is most vulnerable.
Just ask the HR specialist which employee hired over the past year or two represents the most lethal threat to the company. Just ask the IT Security Engineer which system or application is on the verge of a meltdown, and they can tell you.
Or just ask the executive which middle manager they think is getting ready to move to the competition with all the latest Intellectual Property (IP) secrets. Most likely, they can tell you.
Being proactive in managing operational risks sometimes means that you have to ask your employees risk-related questions on a continuous basis. You have to document and collect the answers and feedback so that you can detect trends in behavior or potential eruptions in behavior.
Finally, you need to figure out how to do all of this using new tools and processes, to protect privacy and anonymity. Get started!