Risk and Corporate Security

Corporate security is a growing area of concern for businesses of all types. The main perceived risks in relation to corporate security is the physical risk of disruption such as that seen with the increased level of terrorism particularly for industries such as airlines or those relying heavily on infrastructure. However, corporate entities are becoming increasingly aware that corporate security has a much wider potential scope that spans across the whole organisation including the financial management of the company. The complexity of doing business on a global scale has become much greater, particularly given the geopolitical instability that is seen in parts of the world. As such, companies are becoming more aware of the need to plan for security risks and the need to invest on solid infrastructure, both to prevent and to deal with potential security breaches.

Having an in depth understanding of the way in which the financial and accounting management of the company will enable those in charge of corporate security to plan and manage wider corporate risks[1]. Approaches to risk management have also shifted considerably in recent years. Historically, risk management was a preventive task dealing with crisis management when a problem has already occurred. In other words, corporate security functions were nothing than another cost that had to be endured. This has changed and most organisations now see good corporate security as way of adding value to their business and being a valuable function in terms of gaining and maintaining customer confidence. What is Risk and Corporate Security? Before considering how financial and accounting management can help to deal with corporate risk, it is important to get the principles of what exactly corporate security functions aim to achieve and to consider exactly what risks they are guarding against. Corporate security in particular in terms of financial risk is exceptionally prevalent in the banking and investment industry although all corporate entities will have an element of concern over protecting their financial position. The need to control financial risks has been readily recognised in the banking industry, with the Basel Committee[2] taking a leading and influential role in creating a security framework.

Crucially, the work of the Basel Committee showed that one of the best ways to manage corporate risk is to look at asset management liability[3]. The Committee required a shift of emphasis from the banking industry to look at risk in terms of how it manifests itself in the financial bottom line of the company. As part of this work, the Basel committee defined risk as something that has a negative impact on the financial health of the organisation in question. For example, risk is considered as the possibility that the financial accounts such as return on assets, income or profits are negatively affected by an external event.

The need for this framework was mainly due to the high number of off balance sheet accounting practices and complex securitisation products that were being used which made it very difficult for companies to control individual behaviours and to spot risk areas, before the damage was done. By setting a standard that all banking institutions had to follow, which involved considering only market values and not taking metrics of value into consideration, corporate security from a financial point of view became much more manageable. This was particularly useful to international companies operating in a range of different climates. Although the Basel Committee dealt exclusively with the banking industry, the principle of using financial data and management as a way of controlling corporate risk has been clearly developed. By allowing companies to maintain secrecy in relation to their financial accounts, there is a danger that corporate security issues simply go unnoticed. Even if they are noticed, the extent or location of the problem is often unascertainable and therefore difficult to manage. Insisting on a level financial accounting playing field in terms of how events are reported makes it easier to manage the risks that are often industry wide.

This was the first step towards using financial management as a primary tool for corporate security risk handling. Risks that Corporate Security aim to Mitigate In any corporate security management scheme, one of the most important factors to consider is exactly what risks the organisation is aiming to manage and mitigate. Fundamentally, it needs to be recognised that security is a two fold issue and covers both operational activities and strategic activities. For example, operationally the risks that corporate security and in particular financial management aim to mitigate involve losses such as loss of profits due to inaccurate stock management or wrong pricing. Financial management is of course vital in this area as even small monetary leakages can represent a large overall loss to the company. Identifying these losses can be an important factor in ensuring ongoing financial security for a company, particularly in the difficult economic climate that is currently facing almost all industries[4]. Strategic corporate risk management is a much longer process and involves considering where the company aims to be in the medium and long term, not just dealing with immediate losses. Strategic management looks at the path which the company is considering taking in terms of marketing, production or even new geographical areas to operate in. Risk management in this context is not necessarily about avoiding all risk but instead is about identifying risks and the corresponding rewards, deciding what level of risk is acceptable and doing all that is reasonable to prevent the risks from becoming real issues in the future. At first glance it may seem that financial accounting has little to do with this long term strategic approach, but failure to consider the financial accounts would be a substantial error for any organisation.

Any strategic plan must contain the ultimate aim of increasing revenues and profits for the company. In looking at the current financial accounts, it is possible for the management team to identify potential weak spots and to ensure that these do not become magnified in the long term. Considering the financial performance is key to developing not only the day to day operational methods of the company but also in developing the longer term strategy objectives. Different Approaches to Corporate Security and Managing Risk With such a widespread impact that corporate security can have on the management of risk, it is unsurprising that companies have taken a different approach to how they choose to manage the risks that they individually face. Some companies, such as those in the banking industry place a huge emphasis on financial security. On the other hand companies such as airlines have a much greater emphasis on physical security and brand name when managing risk. One of the most important developments that have been seen in companies across all industries is the increasing use of internal audits. These are audits of all processes as well as financial reporting done internally by the company itself. The main aim is not simply to prepare for the necessary external audit but also to alert management to areas of leakage or potential risk in terms of corporate security.

For example, consistent poor stock management reveals an issue with the way inventory is managed and can be dealt with internally in order to increase the profits of the company. Management, particularly at the higher level, is becoming increasingly involved in the process of risk management. This is partly due to increased regulatory pressure, but also an awareness of the need to be seen to be secure and efficient by clients. The Economist Intelligence Unit conducted research into the area of managing corporate risk by interviewing 435 senior executives across the globe on their attitudes to risk management and what their organisation is doing to deal with the current risk climate. Interestingly, just under 85% of the respondents stated that they would be putting either significantly or slightly more resources behind security management in the next three years. Furthermore, 36% of the executives felt that managing costs and ensuring financial efficiency were the main goals of the increase in security management. When asked how they staff their internal audit process, it was clear that individuals from the finance team were the key players.

Companies reported an average financial personnel involvement of 44 employees, compared to an average number of 16 strategic personnel. In 29% of the organisations the chief financial officer took responsibility for the internal audit. Others included the chief operating officer or legal counsel, but the chief financial officer was the main person responsible in the largest number of organisations. From this survey it is clear to see that there is a direct link between finance functions and the corporate security management, in particular with the use of internal audits.

Financial management is undoubtedly integral to the effective security management of any organisation. Financial Risk Management As well as using financial accounts to manage overall corporate risk, there is also the very important element of financial risk itself. Financial risk management involves the use of financial information to manage a range of risks but predominately credit and market risk that may be presenting itself to the organisation. The wider concept of risk management is the overall way in which an organisation plans to deal with uncertainty, whether that may be from the risk of weather such as flooding or war or from more economic issues such as a global credit crunch. However, financial risk management is more tailored and looks at the types or risks that can be managed through the use of financial instruments. For example, in many banking organisations a ‘value at risk’ approach will be undertaken to ensure that all trading being done within the organisation conforms to certain risk parameters. In doing so, particularly risky approaches are prevented and individuals responsible for making such trade decisions are controlled by management[5]. Regardless of the type of risk, the management process is very similar.

Firstly, the organisation must identify the key areas of risk; of course, this will vary dramatically depending on the industry but will generally involve issues with suppliers, changes to the economic climate and increased regulatory burdens. Once the risks have been identified, and these will commonly be numerous, each needs to be dealt with in turn. It is at this point that the individual risks are often allocated to the relevant department, such as the finance or the personnel department. A detailed risk assessment needs to be conducted to determine not only the magnitude of the risk but also the likelihood of it happening. Simply looking at the size of a risk does not necessarily give an indication of the level or expense that a company should go to in order to attempt to mitigate or reduce such an event[6]. Once each risk has been adequately understood and assessed, the next step is to determine what should be done with the risk. Should it be eliminated, mitigated, transferred to another company or simply accepted? This decision will largely be based on how much can be saved from the various approaches and how much each approach will cost. From this the relevant risk management plan can be established and implemented. Regular review by the relevant board members is of course vital as the area of risk changes rapidly in most industries. There are limitations to any corporate security plan.

Whilst managing risk and uncertainty is important for an organisation, too much emphasis on this area could result in other, equally important operative decisions being badly delayed so as to be detrimental to the running of the organisation as a whole. Risk management is merely one of the elements of management and should not overshadow the ultimate goals of the organisation. Impact of Financial Risk Management The importance of the use of accounting and financial management to deal with corporate security and risk is indisputable. Although almost all organisations will use their financial data to help them to identify risks and to manage them, the efficiency of this process will make a huge difference to the way in which the company performs in the medium and long term. Many organisations have chosen to adopt complex financial and economic models as a way of identifying and managing their business risk. This works well in organisations where most of the assets have an obvious book value.

Therefore, risks can be analysed by looking at how the feared event would impact the cash flow or the asset profile of the company. This basic, yet effective approach is often referred to as earnings risk or cash flow risk. Fundamentally, this approach to the use of financial accounts is similar to the balance sheet and asset at risk approach by considering what element or percentage of the company’s earnings will be impacted by the feared event. A simple example would be an airline that travels to ten different countries. It earns an identical amount in terms of profit and cash flow from all ten routes (i.e. 10% of its income comes from each destination and costs are uniform). Imagine four of these destinations were in the Middle East, and one of the destinations was Australia. If one of the risks faced by the company is the political instability in the Middle East and the possible removal of the right to fly this could be seen as a 40% risk (which would be financially measurable). Another possible risk may be that the Australian regulatory system becomes considerably more expensive to comply with thus reducing profits by half; this would be a 5% risk[7]. In order to place these figures on the possible risks, it is clearly necessary that accurate financial accounts are available. It is little use realising that a segment of the customer base may disappear if no value can be placed on this customer base in the first instance. Similarly, by working out exactly how much the company stands to lose in each scenario, the board and those responsible for managing the risks can determine how much, if any of the company’s financial resources should be used to mitigate or even remove the risk. Conclusions Financial and accounting management is an absolutely crucial part of controlling risk and managing corporate security. Firstly, financial data is vital in the identification of key risk areas as by looking at the exact sources of the company’s income and asset base it is possible to see which areas are most likely to cause particular concern if they become the target of a security breach. Once the areas that are most vulnerable have been identified from the financial accounts, organisations can then quantify the value in managing these risks. This helps in ensuring that the amount of money expended on managing a risk is proportional. By having a solid grasp on the financial status and make up of a company, a much more targeted and efficient corporate security plan can be established. It is for this reason that the role of internal audit and risk management often falls to the finance team. It is here that the greatest understanding of the financial position of an organisation can be found. As such, it is this function that is best placed to develop, implement and run an effective security management process. Bibliography Crockford, N., 1986. An Introduction to Risk Management. 2nd ed. Woodhead-Faulkner. Lam, J., 2003. Enterprise Risk Management: From Incentives to Controls.

New York: John Wiley. Dorfman, M.S., 2007. Introduction to Risk Management and Insurance. 9th ed. Englewood Cliffs, NJ: Prentice Hall. George, J.M. & Jones, G.R., 2006. Contemporary Management. 4th ed. New York: McGraw-Hill Irwin. Roehrig, P., 2006. Bet On Governance To Manage Outsourcing Risk. Business Trends Quarterly. Borodzicz, E., 2005. Risk, Crisis and Security Management.

New York: John Wiley. Alexander, C., & Sheedy, E., 2005. The Professional Risk Managers’ Handbook: A Comprehensive Guide to Current Theory and Best Practices. PRMIA Publications. Layton, T.P., 2007. Information Security: Design, Implementation, Measurement, and Compliance. Boca Raton, FL: Auerbach Publications. Horcher, K.A., 2005. Essentials of Financial Risk Management. New York: John Wiley.

---

Footnotes

[1] Crockford, N., 1986. An Introduction to Risk Management. 2nd ed. Woodhead-Faulkner.

[2] 1988 Basel Accord

[3] Roehrig, P., 2006. Bet On Governance To Manage Outsourcing Risk. Business Trends Quarterly.

[4] Dorfman, M.S., 2007. Introduction to Risk Management and Insurance. 9th ed. Englewood Cliffs, NJ: Prentice Hall.

[5] Alexander, C., & Sheedy, E., 2005. The Professional Risk Managers’ Handbook: A Comprehensive Guide to Current Theory and Best Practices. PRMIA Publications.

[6] Layton, T.P., 2007. Information Security: Design, Implementation, Measurement, and Compliance. Boca Raton, FL: Auerbach Publications.

[7] George, J.M. & Jones, G.R., 2006. Contemporary Management. 4th ed. New York: McGraw-Hill Irwin.

Cite this page