Last week in a speech to the Wharton School, Secretary Chertoff made the business case for the Department of Homeland Security’s approach to risk management that focuses on helping the private sector help itself. From my perspective, it is the only sustainable approach, and its success depends on the investment community’s appreciation of the value of security. I believe that a central element of the winning business case is the relationship between world-class risk management and enterprise value protection – a relationship that is only appreciated today in the private sector by companies that own some of the world’s most valuable brands.
The Secretary laid the foundation with the fundamental business principles of cost, risk, and return. The Department, the federal and state governments and the private sector cannot afford to invest the money it would take to remediate all the vulnerabilities of our national infrastructure – nor should they. Rather, intelligent decisions must be made about what to protect, at what level to protect it and from what threats. In other words, we must intelligently decide which risks we are willing to take, which we cannot and most importantly – who has the responsibility to reduce the risks. Managing risk in uncertain world in which threats come from weather, crime, terrorist attacks, and economic turmoil, is a daunting task. About the only environmental event we can predict with any certainty is the weather. As the Secretary points out – historical weather patterns should influence real-estate development, and risky building behavior in locations that are prone to destruction from severe weather shouldn’t be rewarded with financial relief from the government any more than poorly managed companies deserve to be rescued for their bad judgment and bad management.
Risk management employs systems that apply best practices to identify and remediate vulnerabilities; metrics to measure compliance and quality of efforts; methods to ensure transparency; and mechanisms to transfer risk from the protected systems. Most importantly, managing risk depends on good information (transparency) about the risks involved; the extent of the vulnerabilities and corresponding remediation requirements; the measurements to ensure that best practices are in use; and details about the particular threat – frequency of occurrence, timing, method and targets. The government and the private sector have domain over the “targets”, which represent its greatest opportunity to identify and transfer risk can be found. Information about frequency, timing, method, etc. is often elusive, incomplete and uncredible, making the job of sustainably and effectively managing risk even more uncertain. The Department is evolving its risk management strategy and as the Secretary states, “The greatest benefit that we can bring to the free market is transparency. If we have confidence that we know who we’re dealing with and what we’re getting, so that we can make a risk-based judgment, then in fact commerce can occur and we can make good decisions about how we spend our resources, but that again requires government to step in and make sure that we have that transparency in much the same way that government makes sure that people don’t violate their contracts.”
This is encouraging – the business case for Homeland Security has yet to be made with the private sector because investment for security is generally viewed as a cost rather than an investment to drive revenue or enterprise value. The key is to associate security investments with bringing value to the company beyond protecting bricks and mortar and networks – all are valuable assets, but not necessarily critical to a company’s financial health. Security, first and foremost, protects reputation.
A company owns its brand, but its stakeholders, including investors, own the company’s reputation. It often takes years and extensive resources to build a reputation that customers trust and investors recognize. It takes one replicated story on the web to destroy it. Lead paint in toys, tainted medications, clothes made by eight -year old children, an attack on a major hotel – all are recent examples of disastrous shocks to corporate reputation, revenue and market share that are also potential national security vulnerabilities. Threats to the reputation of a company can come from bad judgment of a corporate officer, criminal behavior by a global business partner, a terrorist attack on facilities, or extortion involving food products. Reputational threats reduce the value of specific corporate assets that are intangible. Efforts to protect reputation include good security as well as other good management practices. The measurement of those efforts that correlate protecting corporate value will also contribute to national security. If a major financial institution is taking appropriate steps to mitigate threats to its transactions from hacking, network outages, and the like, in order to maintain consumer confidence and to remain in the marketplace during a network attack – then it is contributing to the national security as well.
We need to encourage and reward companies to share information in a way that increases transparency without burdening them with over regulation that encourages compliance with minimum standards rather than standards that will ultimately address a dynamic threat evolving in opaque networks and systems that make managing risk an even more difficult task. The government must equally commit to sharing what it knows about threats and emerging challenges to the security of business to allow companies to know what to invest in. Companies understand risk management and how to invest to maintain the financial health of their businesses. The government needs to continue to find ways to contribute to the business sector’s ability to make the appropriate investments against the threats that the business community should manage. We’ve made a lot of progress since September 11th and we clearly have a lot more to go – recognizing that we can’t protect everything is the first step in bringing reality to a business world facing increasingly challenging economic times.