Measures mapping, a way to identify risk mitigation strategies and evaluate their effectiveness, is a key component of any initiative on how to use metrics, and George Campbell offers some very relevant places to begin:
We are all familiar with the highway sign "Dangerous Curve, Reduce Speed Ahead." Many of the measures discussed in this story may be applied to provide the CSO and key constituents with similar caution signals. They become the earliest prompts for more in-depth analysis of trend dynamics that allow you to look at the root causes of problems, not just the symptoms.
Examples of incident trends that help diagnose risks to address include:
1. Increased frequency or severity of accident, crime or policy infraction rates
2. Reduced mean times between failures on critical equipment with increased downtime
3. Increased number or severity of negative background investigation rates in specific hiring populations
4. Excessive passwords for access to different "secure" applications, which results in shared passwords and visible posting of passwords
5. Abnormal response times to calls for service
6. Outsourcing sensitive business processes without requisite due diligence
7. Elimination or reduced testing of building evacuation plans, which leads to employee confusion and injury during real incidents
8. Degradation of timely software patch application or increased virus activity in specific client groups
As a former CSO at Fidelity Investments, Mr. Campbell has covered most of the critical silos of risk across the enterprise: people, processes, systems and external events. One thing is certain: without a metrics program in place, you cannot measure change. The question is not so much whether we are winning or losing the battle against internal fraud, information security breaches or stolen corporate assets, but what the nature of the changes is and what their potential root causes are.
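The "caution signal" Campbell describes is, in practice, a control chart over a metric series: establish a baseline, then flag periods that drift past it. The following is an added example, not code from the original article or from Campbell's work. It applies that idea to two of the trends listed above (patch-application latency and malware activity per client group) using constructed sample data; the group names, the baseline window of six periods and the two-sigma threshold are illustrative assumptions.

```python
"""Control-chart style early-warning signals over security metrics.

Added example, not from the original article. Each metric series is a list
of per-period observations (for example, median days from patch release to
deployment for one client group, one value per month). The first
`baseline_periods` samples define a baseline mean and standard deviation;
any later sample above mean + k * sigma is flagged as a caution signal,
i.e. a prompt for root-cause analysis rather than a conclusion in itself.
All data below is constructed for illustration.
"""
from statistics import mean, pstdev


def caution_signals(series, baseline_periods=6, k=2.0, min_sigma=0.5):
    """Return (index, value, threshold) for post-baseline samples that exceed
    mean + k * sigma of the baseline window.

    min_sigma guards against a perfectly flat baseline (zero variance), which
    would otherwise turn every tiny fluctuation into an alert.
    """
    if len(series) <= baseline_periods:
        raise ValueError("need more samples than baseline_periods")
    base = series[:baseline_periods]
    mu = mean(base)
    sigma = max(pstdev(base), min_sigma)
    threshold = mu + k * sigma
    return [
        (i, v, threshold)
        for i, v in enumerate(series)
        if i >= baseline_periods and v > threshold
    ]


# Constructed sample data: median days to apply patches, per client group, per month.
PATCH_LATENCY = {
    "finance-desktops": [4, 5, 4, 6, 5, 4, 5, 6, 5, 4],     # stable
    "trading-floor":    [3, 4, 3, 4, 3, 4, 9, 12, 15, 18],  # steadily degrading
}

# Constructed sample data: malware detections per 1,000 endpoints, per month.
VIRUS_ACTIVITY = {
    "finance-desktops": [2, 3, 2, 2, 3, 2, 3, 2, 11, 3],    # one-period spike
    "trading-floor":    [1, 1, 2, 1, 1, 2, 1, 2, 1, 2],     # within baseline
}


def report(groups, **kw):
    """Map each group name to the period indexes in which it tripped the threshold."""
    return {g: [i for i, _, _ in caution_signals(s, **kw)] for g, s in groups.items()}


if __name__ == "__main__":
    for name, groups in (("patch latency", PATCH_LATENCY),
                         ("virus activity", VIRUS_ACTIVITY)):
        for grp, periods in report(groups).items():
            print(f"{name:15s} {grp:18s} caution at periods {periods or 'none'}")
```

The two series behave differently on purpose: the trading-floor patch latency trips the threshold in every period once it starts drifting, which is the sustained trend Campbell wants investigated, while the single finance-desktops malware spike is flagged for one period only and may turn out to be a one-off. A practitioner would keep the baseline window long enough to absorb normal seasonality and re-baseline deliberately after a known process change, otherwise the chart silently accepts a degraded state as the new normal.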
Competitive and regulatory drivers, including the Bank Secrecy Act (BSA), the USA PATRIOT Act, Basel II and Sarbanes-Oxley, have increased pressure on executives to understand and manage risk more effectively. Top-level executive mandates include:
* Protect corporate reputation and brand integrity
* Meet current and future regulatory requirements
* Provide visibility into possible risks and limit actual losses
* Achieve a fast response and recovery from actual negative events
* Maintain / improve customer satisfaction
* Increase quality and productivity of risk management processes
But satisfying these mandates presents three core challenges for risk and compliance officers:
* Detecting risks is not sufficient; how will you manage and respond to them?
* In the face of changing regulations and cross-departmental systems, how will you govern the process?
* With so many point solutions, how will you justify the redundant investment and effort to deliver each one?