Security Risk Management: Business Analysis Tools
Although not free of criticism, the framework and process most commonly endorsed for managing risk are those of ISO 31000, Risk Management – Principles and Guidelines (International Organization for Standardization, 2009; revised in 2018 as ISO 31000:2018). The standard provides a means of managing risk that can be used by organisations of any size and in any sector. ISO 31000 is a process standard: it runs from establishing the context, through risk assessment (identification, analysis and evaluation) and risk treatment, to monitoring and review, with communication and consultation throughout, a cycle comparable to the classical management sequence of plan, organise, direct and control. This approach allows a business to identify and categorise its risks clearly and to adopt appropriate management practices. The model has been adopted as a framework by Security Risk Management professionals because it considers the context within which a business operates alongside the potential threats, risks and responses.
Effective implementation of ISO 31000 requires an organisation to integrate risk management actively across its operational and planning processes. However, many organisations do not fully incorporate every stage of the model, and it may therefore be necessary to adjust elements of the process to suit existing business processes and culture. Although organisations differ in their approach to risk management, ISO 31000 is widely endorsed as the framework to follow.
In addition to the use of the ISO 31000 framework by security professionals acting in an advisory capacity, business analysis tools can also be used to assess security strategies and procedures. SWOT analysis in particular can be used to assess the vulnerabilities and resilience of an organisation's security and business continuity plans. Having identified strengths, weaknesses, opportunities and threats, business leadership can develop strategies that build on the strengths, eliminate the weaknesses, exploit the opportunities or counter the threats.
SWOT analysis is a respected tool, used for strategic planning in a variety of circumstances. Subsequent research has, however, suggested refinements that may improve its use. Valentin (2001) and Dyson (2004) argue that the value of SWOT analysis for strategic development is improved when it is combined with a resource-based view (RBV) of the organisation. A security professional would consider such a combination valuable, because identifying the resources that give a business its competitive advantage directly informs business continuity planning.
In line with the view that commercial enterprises should treat security as an enabler of business rather than a cost, Security Risk professionals may benefit from adopting business models more commonly associated with the analysis of business performance than with the analysis of threats. The resource-based view is one such method, and the analysis fits naturally into the initial context-establishment phase of a security risk management assessment. The resources a business possesses and uses effectively determine its performance; on this view it is the resources, security among them, that enable a company to gain and sustain a competitive advantage. Security provision therefore plays a dual role: it is a resource in its own right and the means by which the others are protected.
By determining the key drivers of a business, and in particular the business elements that provide its competitive advantage, security professionals can concentrate their efforts on those areas. This increases the resilience of the business to threats and improves its ability to recover quickly from damage. The ability to maintain or recover revenue ultimately determines the longevity of a commercial enterprise.
Dyson, R. G. (2004) 'Strategic development and SWOT analysis at the University of Warwick', European Journal of Operational Research, 152(3), pp. 631-640.
Valentin, E. K. (2001) 'SWOT analysis from a resource-based view', Journal of Marketing Theory and Practice, 9(2), pp. 54-69.