Home » Magazine Archives » June 2008
Security Technology and Design
Metrics for Success
Measure Influence by Tracking Recommendations
All non-revenue-producing organizations like Corporate Security are in the influence business. Influence is a measure of effectiveness, and we need to apply various processes to evaluate security’s effectiveness. There are a variety of ways Security can do this, but the method described here may yield the most informative results.

Objective: To track the recommendations Security makes to other business units and determine what percentage are accepted.
Results Sought: To better assess our ability to influence change and effectuate risk management improvements in our clients’ security practices.
Risk Management Strategy: The chart to the right displays the status of security risk assessment recommendations to four different business units in a year. The percent of recommendations accepted or implemented, compared with the percent not accepted, should indicate the degree of influence Security holds over the recipient business executive. Recommendations awaiting action are merely in a queue for eventual analysis. The real ringer here is the percent of the total recommendations that are deemed Audit Committee Notable (ACN), a status typically warranting very high levels of resolution priority.
Let’s take a look at Business Unit A, which received 37 security improvement recommendations during the year. Fourteen of those were deemed ACN and 22 were satisfactorily resolved. Looking behind these numbers, we would find that none of the four unaccepted recommendations were in the Notable category. This is significant because it may mean that the influence of the Audit Committee is stronger than that of Corporate Security. But it is very important to note that this escalation option open to Security indicates a high degree of confidence by Audit and the Board of Directors in the integrity of the process Security employs in performing its risk assessments and analyses and in framing a resolution strategy with the business units. Other points of interest might be the aging of unresolved recommendations, especially if they fall within the ACN category.
The remaining business unit examples follow the same pattern, with the exception of Unit B, which has rejected 60 percent of Security’s recommendations, claiming that only internal or external audit has the competence to evaluate its business controls. Security’s recommendations in this unit are under external review for final findings.