Microsoft proposes six steps to enable proper reactive management of security risks which include: protecting safety and life, containing and assessing the damage, determining the cause of and repairing damage, reviewing risk response and updating procedures in the hopes of preventing risk in the future (Microsoft, 2004).
A proactive approach is much more advantageous, however, as it enables corporations to prevent threats or minimize risks before negative occurrences happen within an organization. A proactive approach requires that organizations first identify what assets they have that need protecting, then determine what damage an attack could have on the assets in question, next identify any vulnerabilities that could occur within current security measures, and finally decide on procedures to minimize the risk of threats and attacks by implementing proper risk management controls and procedures (Microsoft, 2004). In this sense risk management is much like risk "assessment", which allows organizations to place value on assets and determine the benefits of protecting such assets (Microsoft, 2004).
Kimball (2000) supports such measures, suggesting that failures in risk management result when organizations fail to properly assess their assets and define potential current and future risks. Like the Microsoft model, Kimball (2000) suggests that mathematical probability and cost-benefit analysis can be used to determine what parameters are necessary to minimize risk and what losses a company may realize if certain risks aren't mitigated. The researcher suggests additional measures be implemented to reduce risk, including "purchasing insurance, hedging, screening customers, closely supervising employees and monitoring supervisors and diversification" (Kimball, 3). It is important to note the researcher does not suggest that risk may be completely eliminated, but rather that organizations can drastically reduce the probability that something catastrophic will occur as a result of threats against the company.
Kimball suggests that many other factors can be utilized to evaluate and manage risk. Aspects of a firm's operations, including managers' ability to diversify portfolios, the proportion of "intangible assets" an organization has and the "convexity of tax schedules", all influence risk and thus must be evaluated (Kimball, 3).
Leithhead & McNamee (2000) identify multiple approaches to risk management, including the database approach, the algorithm approach and the matrix approach. The database approach concerns itself with developing a database that extracts reports delineating common risks within a group (Leithhead & McNamee, 2000). Such an approach might also be referred to as a scenario-driven approach to risk management, and may help managers review data for financial risks or risks associated with specific asset groups.
The algorithm approach involves mathematical calculations to assess risk (Leithhead & McNamee, 2000). This approach is used by the Microsoft security risk management system. Risk models using this approach include database gathering of information as well as strategic-based planning (Leithhead & McNamee, 2000). Managers can manipulate data more using this approach than with the database approach alone. The matrix approach involves a "higher level focus and graphic display of risk" where an organization's business units are compared with high-level risks on two axes. Teams then assess risk and display it on a matrix (Leithhead & McNamee, 2000).
Risk Management Failure Reduction
Failure occurs when organizations realize catastrophic losses that exceed worst-case expectations, when errors occur in risk management, or when firms simply fail to plan for risk management as part of operations (Kimball, 2000).
Microsoft (2004) suggests that failure may occur when an organization leaves out vital portions of the risk management process, which may include engaging in qualitative and quantitative analysis of risk measurement. Quantitative risk assessment includes evaluating and assigning monetary significance to defined assets, creating a list of medium- to high-risk threats, calculating the probability these threats will occur and how long they will last, determining the loss potential for an organization over a 12-month period, and recommending appropriate, cost-reasonable safeguards and controls to mitigate risks (Microsoft, 2004).
While most of these calculations would be subjective at best, they nonetheless provide an organization with valuable information related to risk management. Organizations can't exactly define risks or the potential losses that will result from a threat; they can, however, take steps to reasonably assess the potential risk or threat of a given situation and calculate the cost-to-benefit ratio of mitigating this risk.
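The quantitative assessment described above, as an added worked example that is not part of the original text or the Microsoft guide: each threat is valued against the asset it affects, its expected annual occurrences give a 12-month loss potential, and a safeguard is recommended only when the loss it avoids exceeds its annual cost. All asset values, probabilities and costs are constructed figures.

```python
from dataclasses import dataclass

@dataclass
class Threat:
    name: str
    asset: str
    occurrences_per_year: float   # expected occurrences in a 12-month period
    exposure_factor: float        # fraction of the asset's value lost per occurrence (0..1)

@dataclass
class Safeguard:
    name: str
    threat: str
    annual_cost: float
    reduction: float              # fraction of the threat's annual loss the safeguard removes

def annual_loss(threat: Threat, asset_values: dict) -> float:
    """12-month loss potential: loss per occurrence times expected occurrences per year."""
    single_loss = asset_values[threat.asset] * threat.exposure_factor
    return single_loss * threat.occurrences_per_year

def safeguard_net_benefit(sg: Safeguard, threats: list, asset_values: dict) -> float:
    """Avoided annual loss minus the safeguard's annual cost (positive means cost-reasonable)."""
    threat = next(t for t in threats if t.name == sg.threat)
    before = annual_loss(threat, asset_values)
    after = before * (1.0 - sg.reduction)
    return (before - after) - sg.annual_cost

def recommend(safeguards: list, threats: list, asset_values: dict) -> list:
    """Safeguards with positive net benefit, best first, as (name, net_benefit) pairs."""
    scored = [(sg.name, safeguard_net_benefit(sg, threats, asset_values)) for sg in safeguards]
    return sorted((s for s in scored if s[1] > 0), key=lambda s: s[1], reverse=True)

# Constructed sample data (hypothetical figures, not taken from any source).
ASSET_VALUES = {"customer database": 500_000.0, "web server": 120_000.0}
THREATS = [
    Threat("ransomware", "customer database", occurrences_per_year=0.2, exposure_factor=0.6),
    Threat("hardware failure", "web server", occurrences_per_year=0.5, exposure_factor=0.25),
]
SAFEGUARDS = [
    Safeguard("offline backups", "ransomware", annual_cost=20_000.0, reduction=0.75),
    Safeguard("redundant server", "hardware failure", annual_cost=18_000.0, reduction=0.9),
]

if __name__ == "__main__":
    for t in THREATS:
        print(f"{t.name:18s} 12-month loss potential: {annual_loss(t, ASSET_VALUES):,.0f}")
    for name, net in recommend(SAFEGUARDS, THREATS, ASSET_VALUES):
        print(f"recommend {name}: net annual benefit {net:,.0f}")
```

With these figures the offline backups avoid more loss than they cost and are recommended, while the redundant server costs more than the loss it prevents and is not.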
Qualitative assessment is unlike quantitative assessment in that it involves much more subjectivity and experience-related information. It does not involve assignment of monetary values to losses and assets, but rather involves risk evaluations through questionnaires and workshops that share knowledge between different people (Microsoft, 2004).
Researchers have also defined this as 'scenario-driven' risk management and planning (Acar & Georgantzas, 1995). Strategic management, according to Acar & Georgantzas (1996), involves detecting and planning for threats and converting them into opportunities. They call this process scenario-driven planning, and it can help an organization improve the "content and process or what and how of strategy design" (6). Much like Microsoft's approach, scenario-driven planning involves identifying variables that may act as threats and identifying a firm's objectives with respect to its strategic initiatives.
Firms must evaluate "causal relationships" and determine how changes in relationships may or may not result in losses. Variables that should be considered include the organization's external environment, which offers threats including "competition, emergence of new products and processes, government regulation, fluctuations in currency rates and interest", all of which can determine an organization's success and losses over time (Acar & Georgantzas, 386). The researchers further suggest that organizations engage in environmental analysis to identify not only trends and threats but also opportunities for success and profits. An organization must at the same time identify its own resources, strengths and any weaknesses that may prevent it from taking action, implementing a risk management program or dealing with organizational resistance to risk management procedures (Acar & Georgantzas, 1996).
The aim of this research is to identify what critical success factors have contributed to Microsoft's security risk management approach, and also to define whether the principles underlying this approach can be applied to other organizations. As part of the research process the researcher will review other approaches companies have taken to manage security risk and compare these practices with those of Microsoft Corporation. The intent of the researcher is to analyze the merits of the Microsoft security risk management program and ascertain whether the guidelines established by the company are applicable to other organizations.
This research adopts narrative review as a qualitative approach toward examining risk management. The narrative interpretive method allows the researcher to analyze current documents and case studies to prove or disprove the validity of a particular approach (Jones, 2004). Qualitative research such as this is as much about reporting as it is about collecting evidence to support social research (Jones, 2004). This type of methodology is concerned with finding and verifying the meaning, truth or reality, and significance of any given phenomenon or occurrence (Hiatt, 1986).
Organizations continually face unique challenges when entering the marketplace. Acar & Georgantzas (1996) point out that historically management within organizations has always made mistakes, yet is continually working to minimize mistakes and subsequently reduce risk. Risk management involves identifying common threats including natural disasters or mechanical failures and less common threats, which may include negligence or terrorist activities (Microsoft, 2004). Regardless of the manner in which organizations define risk, organizations can be sure that risk exists regardless of the business they are engaged in. The less attention organizations pay to risk, the more likely they are to suffer from catastrophic experiences when entering the global marketplace.
Microsoft has proposed a security risk management program that involves a proactive approach to risk management. The process also defines steps for reacting to risks when they occur, but points out, as other researchers have, that proactive approaches to risk management are far more likely to mitigate risk than reactive approaches.
Key elements of the program include management buy-in to risk management programs (particularly from senior management), identification of organizational assets, identification and analysis of potential risks, planning to reduce risks, and continual maintenance and change of programs, as risks are dynamic in nature. The program suggests both quantitative approaches to risk management, which involve mathematical calculations of risk, and qualitative approaches, which include surveys, employee and management knowledge sharing, and opinions regarding risk management.
Proper adoption of risk management principles can benefit organizations in many ways, including improving an organization's bottom line and yielding higher profit ratios. In addition risk management can help mitigate catastrophic losses.
The principles applied by Microsoft's risk management system can be applied to other organizations, based on the information gathered from the research study. Multiple researchers support the need for adequate risk management measures. Some suggest the best approach involves scenario-based risk management assessment (Acar & Georgantzas, 1996). Others suggest computer- or matrix-simulated approaches to risk management that again provide management teams with a visual representation of projected risks and the costs of mitigating such risks (Leithhead & McNamee, 2000). By and large the majority of researchers…