Security risk management: Prevention, continuity, resilience
James Thorpe
International Security Journal hears from Tácito Augusto Silva Leite, Founder & CEO, t-Risk.
How do you perceive the evolution of security risk management and what are the current challenges faced by organisations?
Security risk management has evolved over time, reflecting changes in societies and economies. Initially, with an agricultural economy and gatherer/producer society, the focus of security was primarily familial and aimed at preserving territory.
Property security and protection of the means of production became prominent with the industrial revolution.
Today, comprehensive security has become imperative.
This means a holistic approach that encompasses physical, cyber, intellectual and reputational security.
Risk management now demands a perspective that transcends the operational and aligns with corporate objectives, addressing risks in an integrated manner.
The main challenges faced by organisations today include technological evolution, globalisation and the increasing expectations of stakeholders regarding risk governance.
Moreover, the pandemic highlighted the need for resilience and adaptability in risk management strategies.
With this complexity, it becomes vital to develop an understanding of risks and create robust strategies.
How have software solutions transformed the field of corporate security risk management?
Software solutions have revolutionised the field of corporate security risk management, offering a range of benefits.
These tools have provided gains in efficiency, allowing risk consultants and analysts to perform risk assessments more quickly, reducing the completion time by up to 80%.
The standardisation of the risk management process and final reports has become possible, enhancing quality and reliability of the analysed data and, consequently, the decisions made based on this data.
Risk management software, especially tools that follow international standards like ISO 31000 and ISO 31050, assists organisations in harmonising property security with business development, minimising vulnerabilities that impact success factors and objectives.
The ability to demonstrate ROI in security controls is crucial to ensuring the continuity of security projects, justifying them to stakeholders. Furthermore, the availability of tools in multiple languages facilitates global adoption.
However, software solutions have limitations, particularly related to the maturity of the professionals using them.
Advanced tools do not compensate for a lack of risk management maturity in an organisation.
Therefore, it is often necessary to accompany software implementation with mentoring and training programs for professionals. Resistance to change is another barrier, as adopting new technologies requires adaptation and may face opposition.
What does the organisational risk management landscape look like in Brazil?
From a more realistic and comprehensive viewpoint, considering the diversity of the Brazilian business fabric, it is estimated that the average level of maturity of Brazilian organisations in risk management lies between ‘Initial’ and ‘Managed’.
This suggests that while some companies are starting to recognise and implement risk management practices, many are still in the initial stages, developing informal and undocumented risk policies and establishing risk management structures.
The challenges for these organisations include overcoming cultural and educational barriers, the need for greater commitment from leadership and the adoption of a more integrated and procedural approach to risk management.
Companies at the ‘Initial’ level are beginning to establish risk strategies and designate responsibilities, while those at the ‘Managed’ level already have formalised and documented risk management practices, reflecting a more active involvement of leadership and a commitment to integrated risk management.
It is true that there are areas of excellence within companies where risk management practices are conducted at high levels, revealing well-structured processes aligned with global best practices.
However, these levels of excellence are often confined to specific sectors and do not reflect a culture of risk management spread throughout the organisation.
It is crucial for organisations to recognise that risk management maturity is not homogeneous and that it is common to find varying levels of maturity in different dimensions of risk management within the same organisation.
Therefore, a balanced and realistic approach is essential, prioritising areas that offer the greatest benefit for the specific objectives and challenges of the company.
Which emerging technologies are most promising for security risk management?
In the current landscape of security risk management, emerging technologies are vital tools.
AI and machine learning are at the forefront of this transformation, providing advanced analyses capable of predicting and identifying potential risks based on historical patterns and trends.
Blockchain technology is gaining attention for its ability to provide transparency and security in transactions.
In the context of risk management, it can be applied to create an immutable record of transactions and activities, reinforcing data integrity and asset traceability.
Additionally, IoT is revolutionising operational environment monitoring, thanks to the vast amount of data generated by IoT devices which, once analysed, can reveal valuable insights into potential risks.
Predictive analysis, using statistical models and data mining, is aiding organisations in anticipating future events, enabling them to prepare proactive mitigation measures and responses to potential risk scenarios.
To effectively implement these emerging technologies, organisations must focus on data integration.
Data quality is another crucial point, requiring investment in systems that ensure accurate and high quality data, fundamental for precise analyses.
Developing internal competencies is also essential, as the team needs to be capable of efficiently managing and operating the new technologies.
Establishing strategic partnerships with technology providers is equally important, as they can offer specialised support and continuous updates.
Finally, organisations should look to implement a continuous feedback cycle.
What challenges may organisations face when implementing software for risk management?
Implementing security risk management software in organisations involves multiple challenges, encompassing technical, cultural and organisational aspects.
The integration of software with existing systems is a significant challenge, requiring adaptations in both the software and business practices.
In this context, SaaS solutions tend to have better acceptance and immediate adherence, as they eliminate the need for complex installations on client infrastructure, facilitating integration and use.
Resistance to change is a common barrier, particularly in environments where reactive approaches to risk management prevail.
In Latin American countries, for example, a more reactive risk culture hinders the adoption of proactive and anticipatory practices.
Changing this historical culture represents a significant challenge for the effective implementation of risk management software.
An additional challenge is the level of risk management maturity of the professionals involved.
If employees do not have an adequate understanding of risk management, full utilisation of the software can be compromised.
The organisation’s risk culture is also crucial, as a culture that undervalues strategic planning and risk management can limit the positive impact of the software.
How can the ISO 31000 and ISO 31050 standards be applied to improve risk management?
ISO 31000 assists organisations in establishing a systematic and structured approach to risk management.
It guides the identification, analysis, evaluation and treatment of risks and emphasises the importance of continuous communication and consultation with stakeholders.
ISO 31050 focuses on emerging risks, including those related to security, which may not be fully known or understood.
This standard guides organisations in identifying and managing emerging risks, promoting a culture that values proactivity in responding to unknown or rapidly evolving risks.
How can companies develop and maintain a strong culture of security risk management?
Developing and maintaining a culture of security risk management is crucial for the effectiveness and sustainability of security practices in an organisation.
This process begins with the commitment of leadership, which must act as the principal advocate for risk management, establishing a clear vision and guidelines on the importance and approach to security risk management.
A crucial step is integrating risk management into the strategies and daily operations of the company.
This means that risk management should not be seen as an isolated function but as an integral part of all organisational decisions and processes.
Leadership must ensure that risks are considered at all stages of the planning and execution of the company’s activities.
To develop a culture of security risk management, it is essential to invest in training and awareness. All employees, regardless of hierarchical level, must understand the basic concepts of risk management and how their actions can influence the overall security of the organisation.
This includes ongoing training and skills development in risk management.
Another important aspect is communication and transparency.
Leadership should promote an environment where communication about risks is clear, open and encouraged.
This includes not only downward communication of risks identified by leadership but also upward communication, where employees feel safe to report concerns and observations about potential risks.
Finally, it is crucial to establish mechanisms for feedback and continuous improvement.
This involves regularly evaluating the effectiveness of risk management practices and making adjustments as necessary.
Leadership must be open to learning from mistakes and willing to adapt risk management strategies based on lessons learned.
How do you see the integration of security and risk management in organisations?
The integration of security and risk management in organisations is a critical aspect to ensure a comprehensive and effective approach to mitigating risks.
I see this integration as an ongoing process, where security is not treated in isolation, but as an integral part of the organisation’s risk management.
This approach allows for a holistic view of risks, ensuring that all aspects, including physical, cyber, information and operational security, are considered in risk analysis and treatment.
To improve integration, organisations should adopt several strategies:
- Strategic alignment – it is crucial that security and risk management are aligned with objectives.
- Communication and collaboration – this involves information sharing and collaboration.
- Training and awareness – this helps create a risk mindset throughout the organisation.
- Integrated risk analysis – this can be achieved through the implementation of tools and methodologies that allow an assessment of risks.
- Technology and tools – investing in technology and tools that facilitate integration.
How do you see the future of security risk management in corporate environments?
The future of security risk management in corporate environments is moving towards a more integrated and technologically advanced approach.
As organisations become interconnected, risks evolve, demanding an agile response. Twenty years ago, I was writing and announcing the integration between security areas.
I foresee that the integration between cyber and physical will become more prominent, with an emphasis on holistically protecting digital and physical assets.
The adoption of emerging technologies will be crucial for identifying, assessing and mitigating risks.
These technologies will enable more accurate predictive analyses and the identification of complex patterns, empowering organisations to anticipate and rapidly respond to security threats.
I also expect that awareness of the importance of security risk management will continue to grow, leading to greater investment in training and skills development in this area.