Add Enterprise Risk Management to Your Specific Company Risk Checklist

Is a classic automobile housed in a secure brick building more valuable than one parked on the street in the South Bronx? In a technology company, is intellectual property covered by a comprehensive, centrally governed security plan more valuable than the same property without such a plan?

We know that loss of reputation affects value adversely. Recent studies, however, show that catastrophes dealt with effectively as a result of an in-place response plan have a temporary effect on value (55 days, on average) before value rejoins the “normal” curve as if nothing happened.

How, then, would an analyst evaluate specific company risk with respect to protection plans that impact an organization’s IP? I participated in an international conference call yesterday, hosted by Mike Moberly (Knowledge Protection Strategies), with Sean Lyons from Risk-Intelligence-Security-Control (R.I.S.C.) International in Ireland as guest presenter. The thrust of Mr. Lyons’ engaging presentation was that corporate defense programs evolve, from silos to enterprise security risk management systems and beyond, and the further along the evolutionary continuum a program is, the higher the grade it should get. One moves along the continuum by consolidating and coordinating the responsibilities found in the often conflicted and overlapping silos: Governance, Risk, Compliance, Intelligence, Security, Resilience, Controls and Assurance. Using reputation as an example again, it’s not difficult to imagine how these silos would each respond to a reputation hit, but it is difficult to see how they would coordinate a response.

Let’s add to the mix: key employees, spyware, outsourcing, exporting and “deemed” exports, trade secrets and other confidential data, intellectual property bundles, industrial espionage, etc. The presentation looked at the intangible assets (and tangibles) through a “Corporate Defense” umbrella lens. I’m a believer. My specific company risk checklist would include a thorough review of any asset protection plans in place, with an eye toward their state of evolution, which I would equate to their ability to prevent or respond quickly and adequately to threats. The more evolved the “defense” plan, the lower the risk and the higher the value of the asset defended.