Sean Lyons asks to what extent the corporate world is preparing itself for defending the interests of all its stakeholders

Continued from Part 1...

CONTROLS AND ASSURANCE

The COSO framework for integrated internal controls has been in existence since the early 1990’s (COSO 1992). This represents the generally acknowledged criterion for an effective internal control structure as being the installation of an integrated framework of internal controls. The implementation of such an integrated framework is designed to enable line management to assess, evaluate and report to the board on the quality, integrity and adequacy of the organisations’ internal control system. More recently the concept of continuous auditing and continuous monitoring has been an attempt to develop a more real time approach in this area.

An Integrated assurance framework

Lately the term “Integrated Assurance Framework” has emerged in the controls and assurance environment. An increasing number of “Audit” conferences and seminars are now setting time aside for both sessions and workshops addressing this topic. An integrated assurance framework is fundamentally concerned with the practicalities of bringing together risk, compliance, governance and audit. This framework represents an attempt to reengineer the assurance operating model so that values and synergies can be unlocked. By linking these areas it is hoped that organisations can create a more dynamic and sustainable assurance model.

SECURITY

Historically most organisations have addressed security concerns through a number of different functions within the organisation, typically operating in a non-integrated fashion. As new technologies emerge the need to unify security functions throughout the entire enterprise is now being recognised. The following represent cross-functional developments which are seen as being security driven.

Unified security

There is now a move towards a convergence of both physical and logical security which has been made possible by advances in technology. This security convergence involves the integration of IT and physical security systems and related technologies. The emergence of security convergence is pushing companies to focus beyond functional dimensions to include all parts of security, creating a need for a unified security management framework. An effective converged approach should ideally reach across people, processes and technology, and enable organisations to prevent, detect, and respond to any type of security related incident.

Enterprise security risk management

The term “Enterprise Security Risk Management” is a term which is currently being used by many professionals involved in security roles (AESRM 2006). This represents an attempt to align the unified security and the ERM processes in order to ensure that security’s role in the ERM process is appropriately appreciated and prioritised (Deloitte 2007). Not only that, but compliance, risk management and resilience are now also being accepted as representing integral parts of the security management process.

RESILIENCE

Over the years many organisations have moved away from the reactive “seat of the pants” approach so often associated with emergency operations and crisis management, towards a more positive approach requiring a certain degree of planning in advance. Initially disaster recovery planning simply addressed low probability, high impact, physical events, which more often than not required relocation to a hot-site. This later developed into more detailed contingency planning, which began to address higher probability, lower impact events, which could also be addressed in-house. The introduction of a more proactive approach with a business performance focus came in the form of business continuity management whereby the potential added value of this activity began to be recognised. The following represent somewhat similar cross-functional developments which have been occurring in the resilience arena.

Operational resilience

The term operational resilience is considered to be the ability of an organisation to adapt to changing risk environments, and to manage the hazard risk that is inherent in day-to-day operations. In business terms, operational resilience represents the organisation's ability to withstand, rebound or recover from a shock, disturbance or disruption. The scope of operational resilience is seen to include operational risk, security, business continuity, disaster recovery, and IT service management as it is considered that in practice there is a great deal of commonality across these disciplines. Operational resilience (not risk management or security) is the ultimate goal (CERT 2007) and perhaps represents an engineering viewpoint of resilience.

Business resilience

The term business resilience is generally being promoted by technology vendors. Business resilience is therefore viewed from an information technology perspective, whereby business resilience is seen in terms of a number of imperatives which are considered fundamental to the success of any business resilience strategy. These imperatives include activities such as risk management, business continuity, regulatory compliance, security and intelligence (IBM 2004).

Enterprise resilience

The term enterprise resilience is viewed as the ability and capacity to withstand systemic discontinuities and adapt to new risk environments (Starr et al 2003). Resilient organisations (Sheffi 2005) are required to be sensing, agile, networked, and prepared. They need to have the ability to appreciate the organisations interdependencies and to anticipate and address the contingencies which can result. They need to understand that localised issues can quickly have a ripple effect across an extended organisation. By aligning its strategy, operations, management systems, governance structure and decision-support capabilities, an organisation can uncover and adjust to continually changing risks, endure disruptions and create advantages over less adaptive competitors.

The above examples of cross-functional evolutionary developments should not necessarily be viewed in a linear context, as many of these developments have been occurring concurrently. It does however indicate the quest for a more holistic solution in this area. Obviously supporters of individual disciplines may quite naturally favor one particular approach over another depending on their own skill-set, while in some cases a number of these approaches may be separately developing within the organisation.

Collective requirements

The developments described above represent significant progress in the area of corporate defence. If one takes a more strategic view it becomes possible to see that these cross-functional developments have in fact identified a number of collective requirements, and organisations need to recognise that these collective requirements will form the basis for future progress in this area. In order to remain competitive organisations need to ensure that their organisation is currently addressing these requirements if simply to keep pace with their competition. There are requirements for the following:

- A strategic plan

- A comprehensive strategy

- A unified management structure

- A convergence of complimentary disciplines

- A continuous improvement process

- An enterprise-wide vision

- An alignment of objectives

- An adaptable approach

- An integration of systems and processes

- An implementation of flexible solutions

Corporate defence management (CDM) as the next logical step

“Corporate Defence Management” (CDM) (Lyons 2006) now appears to be the next logical evolutionary step in this corporate defence journey. More detailed examples of defence related activities which are required to be strategically managed include the following:

Corporate defence related activities (see Figure 1)

As a strategic discipline CDM takes a more inclusive view of corporate defence and focuses on the cross-functional consolidation and alignment of these defence related activities. In order to help ensure that there is a coherent strategic approach in place in relation to corporate defence CDM focuses on ensuring that all defence related activities are directed in an integrated strategic manner, and that they are operating in unison towards common objectives. As a single cross-functional discipline it is concerned with helping to ensure that there is the adoption of similar performance expectations in all these areas, that they are managed in a coordinated and systematic manner and that all defence related activities are working together as a team, in order to collectively defend the interests of the stakeholders.

By recognising that the defence related activities identified above can in each case be further subcategorised into various specialist areas, there is an appreciation that each of these sub-categories also has an important role to play in defending an organisation. It should also be appreciated that in the modern era, each of these sub-categories increasingly requires specialist skills and expertise which are essential to their ongoing effectiveness.

Applying the CDM paradigm (see Figure 2)

Taking all of the above issues into account it now seems imperative that we arrive at a change in paradigm in this area. In order to integrate all of these necessary elements a 3 dimensional diagram has been conceived which represents this paradigm change, and can help us to conceptualise this integration. Each of these individual activities requires that all of the other elements are also operating effectively and when integrated effectively represent a framework of checks and balances through their continuous cross-referencing of one another.

All of the activities within this paradigm intersect and are intersected by each other. Deliberately no precise boundaries exist in this diagram in order to help avoid the traditional silo type mindset. In the modern era, each of these defence related disciplines needs to be continually cross-referenced against each of the other disciplines.

This paradigm is based on continuing to build on existing structures and frameworks where possible, rather than reinventing yet another new framework for an organisation to implement.

Strategic management activities

These represent core strategic management areas which correspond with fundamental frameworks and best practices. These activities are based on the 4 pillars of governance, risk management, controls and assurance, and consist of structural frameworks which need to be in place. These frameworks represent the backbone of corporate defence activities, around which ongoing functional activities operate. Examples of existing frameworks and best practices in these areas include the OECD principles of corporate governance (OECD 2004), the COSO frameworks for ERM (COSO 2004) and integrated internal controls, and perhaps the IIA’s standards of professional practice (IIA 2007).

Ongoing functional activities

These represent essential ongoing operational activities which are required to be continuously operating on an ongoing basis throughout the organisation. They intersect and are intersected by strategic management activities. The core activities include compliance, security, resilience and intelligence. There are also a variety of possible frameworks available in these areas, including SOX, COBIT, ISO and ITIL etc. Other related models such as Six Sigma and PRINCE2 etc could perhaps also be applied here.

Unifying defence objectives

The unifying defence objectives represent the cornerstones of corporate defence, and address the key drivers which need to be present in all defence related activities. Anticipation represents the timely identification and assessment of existing threats and vulnerabilities, and the prediction of future threats and vulnerabilities. Prevention represents taking sufficient measures to shield the organisation against anticipated threats and vulnerabilities. Detection represents the identification of activity types (exceptions, deviations & anomalies etc) which indicate a breach of corporate defence protocol. And finally reaction represents the timely response to a particular event or series of events, in order to both mitigate the current situation, and to take further corrective action in relation to deficiencies identified, and to prevent these events re-occurring in the future.

This CDM paradigm considers each of these activities as representing an organisation’s toolkit, whereby each element is seen as a valuable component in defending an organisation. Individually each of these defence related activities actually have requirements in relation each of the other elements. In any one of these areas governance, risk management, control and assurance structures are required to be in place in order to actively manage strategy and policy. Systems and processes in any of these areas need to address requirements in relation to ongoing compliance, security, resilience and the communication of intelligence. Line management and staff involved in each of these activities need to be constantly focused on anticipating, preventing, detecting and reacting to issues which could have an impact on the organisation’s performance, and also to help promote continuous improvement in their area. In truth each one of these individual elements is already required to be an integral part of each one of the other elements in order to operate effectively. What is now becoming quite clear is that there is now a growing recognition of the requirement for cross-functional expertise throughout the enterprise, and it is for this reason that it appears that we are only now beginning to see the forest from the trees in the area of corporate defence.

Conclusion

This paper presented a brief summary of the changing nature of corporate defence in the 21st century. By focusing on the emerging trends and developments in the various defence related areas it reflected the increasing recognition of the requirement for a far more strategic approach to corporate defence, where corporate defence is used as an umbrella term to describe an organisation’s defence related activities. There now appears to be an increasing acknowledgement that contemporary corporate defence means adopting a more comprehensive, progressive and proactive stance in terms of addressing strategic, tactical and operational risks, threats and vulnerabilities. In its broadest sense corporate defence is now seen to represent an organisation’s program for self-defence as it refers to defence related activities as being the measures, mechanisms and processes in operation within an organisation, with the objective of defending the organisation and helping to safeguard the interests of all of its stakeholders. This view coincides with the expanding view of stakeholders, being all those parties with a vested interest in the organisation, and also with the higher corporate social responsibility expectations demanded by these stakeholders of their organisations.

This cross-functional evolutionary process is now clearly in motion, the speed at which it will continue to progress however remains somewhat uncertain.

References

Apgar, D (2006) Risk Intelligence: Learning to Manage What We Don’t Know, HBS Press 2006

Carelli, R (2007) Adapting to Changing Risk Environments: Operational Resiliency, Podcast, [Online], Available: http://www.cert.org [1 May 2007]

Deloitte (2007) The Convergence of Physical and Information Security in the Context of Enterprise Risk Management, AESRM 2007, [Online], Available: http://www.aesrm.org

Eckerson, W & Howson,C (2005) Enterprise Business Intelligence: Strategies and Technologies for Deploying BI on an Enterprise scale (Aug 2005), The Date Warehousing Institute (TDWI), [Online], Available: http://www.tdwi.org

Humphrey, W (1989) Managing the Software Process, Addison Wesley 1989

IBM (2004), Business Resilience: Proactive measures for forward looking enterprises, [Online], Available: http://www.ibm.com

Lyons, S (2006) An Introduction to Corporate Defence Management, The DM Review (DM Direct), December 2006

Lyons, S (2008) Corporate Defence: Risk Management, Business Resilience and Beyond, The Business Continuity Journal, Vol. Two, Issue Four, January 2008

Sheffi, Y (2005) The Resilient Enterprise: Overcoming Vulnerability For Competitive Advantage, MIT Press 2005

Starr, R, Newfrock, J & Delurey, M (2003) Enterprise Resilience: Managing Risk in a Networked Economy, Strategy + Business, Spring 2003

Taleb, N (2007) The Black Swan, Penguin Books Ltd 2007

The Alliance of Enterprise Security Risk Management (AESRM) (2006), [Online], Available: http://www.aesrm.org

The Committee of Sponsoring Organisations of the Treadway Commission (2004) Enterprise Risk Management – Integrated Framework, (Sept 2004), [Online], Available: http://www.coso.org

The Committee of Sponsoring Organisations of the Treadway Commission (1992) Internal Control – Integrated Framework, (1992), [Online], Available: http://www.coso.org

The Institute of Internal Audit (2007) International Standards for the Professional Practice of Internal Auditing (Jan 2007), [Online], Available: http://www.theiia.org

The Open Compliance and Ethics Group (OCEG), (2007), The GRC Illustrated Series [Online], Available: http://www.oceg.org

The Organisation for Economic Co-operation and Development OECD (2004) The OECD Principles of Corporate Governance, (2004), [Online], Available: http://www.oecd.org