3. Security and Risk Management
Security and Risk Management is a third core leadership department that seeks to protect the operational integrity and assets of the firm. This includes such functions as intelligence, physical security, health and safety, legal, intellectual property, risk management and insurance.
This department is typically responsible for three of the top twenty foresight specialties, in alphabetical order as follows:
- Intelligence & Knowledge Management
- Law & Security
- Risk Management & Insurance
Intelligence & Knowledge Management. One of the less-recognized strategic foresight activities that belongs to a Security and Risk Management department is intelligence work, which includes competitive intelligence, to anticipate competitors’ offerings and plans, and technical intelligence, to discover which new scientific research, technologies, and product and service development proposals are likely to pay off, and which are premature, hype, or poor bets. Technical intelligence is also ideally done in the Research & Development department, and competitive intelligence is also done in both the Sales and Marketing departments.
Scanning is a well-known strategic foresight practice that is one of the early tasks of Intelligence. In world-class scanning systems, as in the Singapore defense community’s Risk Assessment and Horizon Scanning (RAHS) program, the organization’s entire stakeholder network monitors and learns from environmental information, and can flag and forward items of potential significance to analysts best able to assess them, and leaders best able to use the assessments. RAHS is much more than just a scanning system, however. It has become a foresight and futures survey platform for the entire country, as this excellent Foreign Affairs article, “The Social Laboratory” (2014), acknowledges. Top-down scanning systems, exclusive just to Top Management, Metrics & Planning, or Security & Risk Management departments, are always less effective than those that maximize inputs from the entire firm, and thus also cognitive diversity and experience diversity. Getting trained as an intelligence analyst can be great preparation for many other forms of foresight work.
Knowledge Management is also one of the lesser-known specialties of the modern firm. It is a close cousin to intelligence. If you don’t have good knowledge management processes and platforms that capture and improve both your external competitive and technical intelligence work, and your internal collective intelligence production, your organization will operate without a memory, destined to repeat past mistakes. You’re also much more vulnerable to the loss of key individuals in your firm. A good KM platform will be integrated with other foresight specialties including strategy creation, learning and development (onboarding and training), and auditing, including exit interviews when any employee leaves the firm.
Law & Security is perhaps the most obvious responsibility of this department. In a world where legal advice and paralegal help are now globally sourced and available online from companies like Upcounsel, all firms, no matter their size, should be getting legal advice from the outset. The in-house lawyer, who uses IP, precedent and case law to create legal security, is a great asset to larger firms. Security is of course just as fundamental, and regular training of employees in physical and information security practices is an effective way to prevent catastrophes. Security leaders want to regularly stress test their systems, and employ other proven natural security methods discussed in Chapter 2.
Risk Management & Insurance is the last major responsibility of this department. Risk management involves the mitigation of risk and uncertainty via intelligence, insurance, safety, security, and other activities. Organizational psychologist Karl Weick’s Managing the Unexpected (2007) explores how “high reliability organizations” like emergency rooms, air traffic control, and military and firefighting units manage and organize for reliable performance under conditions of risk and uncertainty, offering lessons for any organization. The insurance actuary is another key risk management professional who builds forecasts in a variety of areas, using conservative, quantitative strategies for dealing with risk and uncertainty.
Like legal advice, both risk management and insurance subspecialties are presently being exponentially changed by InsurTech startups, which are greatly lowering the cost of, and easing access to, this very old business function. Be sure to have those responsible for this specialty in your or your client’s firm regularly read websites like Insurance Technology News, and consider attending a leading InsurTech conference, like InsureTech Connect.
While Kirton’s Creatives (Chapter 4) are not a typical hire in the security department, they make great advisors and consultants to that department. Creatives can be highly effective here, when leaders recognize their value. The best firms always employ or work with a few innovators and rule-breakers in their security departments, engaging them in continual efforts to try to break the organization’s security capabilities and expose their flaws. For IT departments, white hat hackers are a particularly well-known example, but there are many others.
Nassim Taleb’s Antifragile (2012) gives more on the value of this approach to security foresight. Another powerful and underused security foresight method, from the Facilitation & Gaming foresight specialty, is wargaming, a way to test operational security against creative adversaries in a game-based simulation, run by your strategy or security employees, or external consultants. Herman and Frost’s Wargaming for Leaders (2008) describes Booz Allen Hamilton’s work building competitive strategy games (“wargames”) for corporate and military clients.