Tuesday, October 13, 2009

Managing information risk and other areas of operational risk: routes to success

1:48 AM Posted by: Slamun Atlanta 0 comments

In 1999, the Organisation For Economic Co-operation and Development (OECD) – a body where 30 of the most economically advanced nations of the world come together to devise policies to foster economic growth and the expansion of world trade – published its OECD Principles of Corporate Governance. This highly influential report argued that identifying and managing risk are a fundamental part of top management’s job, and that boards of directors should:
■ establish a risk policy;
■ institute a system for risk management;
■ be fully informed about risk (ie be provided with accurate, relevant and timely
information, and training if necessary);
■ deal with risk with due diligence and care;
■ disclose (eg by publishing in their annual report) all material risk factors and how risk is monitored and managed by their organization.
The OECD principles were endorsed by OECD ministers in 1999 and revised in 2004. They are now the international benchmark on corporate governance for policy makers, regulators, investors, corporations and other stakeholders worldwide. The OECD principles and subsequent events show that managing risk well is important because policy makers, regulators and investors require that it is done well. It is indeed a crucial part of good management – with the potential for catastrophic loss if not done well, ie loss at a level that the organization concerned cannot sustain without outside assistance, or at all. As a result, today, annual reports report on risk management practices and highlight key risks with increasing clarity and sophistication. Given the global credit crisis, it doesn’t take a crystal ball to see that the pressure to manage risk well will intensify in the near term.

Integrating security risk management into mainstream business
Historically, security management in hotels could be characterized as fragmented, uncoordinated and reactive. It was certainly not seen as central to the success of the business. Given the largely static security environment of hotels in the past, this approach was, however, probably effective enough in mitigating the security risks that confronted international hotel brands. As hotels themselves shifted from being largely individually owned to the international brands that currently populate business travellers’ lodging options, sets of brand standards emerged that attempted to guarantee a consistently good hotel experience for frequent travelers across the brand. In most cases, however, the move to brand consistency had little impact on security management, which had tended to become somewhat detached from developments elsewhere in the hotel sector and had become something of an organizational anachronism (even if still reasonably effective in responding to routine security issues).
At the same time, the risk environment in which hotels operated was changing. Developments in the political, economic, social, technological and legal spheres were presenting new challenges as well as opportunities for hotel security risk management. The most salient element of this shift was the emergence of international terrorism, and this was made abundantly clear when al Qaeda in Iraq carried out simultaneous suicide attacks against three international hotels in Amman in November 2005. This was not, however, the only element in the security spectrum that had changed. The end of the Cold War had shifted the global security paradigm in other areas that now affected hotel risk management, such as identity theft and money laundering. National catastrophes such as the Asian tsunami and Hurricane Katrina in recent years also challenged the security departments of international hotel brands to prepare and respond to significantly higher-impact events. Similarly, security (and risk) departments became the first port of call for senior hotel management when faced with events such as the conflict in Lebanon in 2006 and 2007 and newly emerging threats such as cyber-crime. It became clear to IHG during this period that the traditional, fragmented and reactive approach to hotel security was not able to provide the desired level of sophisticated protection against a rapidly more complex and ambiguous threat environment; nor was it well placed to meet the increasing expectations placed on hotels to prevent, prepare for, respond to and recover from major risk incidents. IHG therefore carried out a far-reaching analysis of its existing security capacity set primarily against the benchmark of the international terrorist threat and developed a strategy of threat-based security risk management. The consequences of this study were to have a profound effect on the company’s perception of both the security risks and the consequent mitigation strategy.


Post a Comment


2009 Protect your Business. All rights reserved.
Powered by Beta Templates and Blogger.
Template and Icons by DryIcons.com