Managing student security on campuses is a highly complex task. In the lead-up to the 2014 Campus & Student Security Conference, we had the chance to speak to Anatoly Kirievsky, Head of Compliance Australia at Bank of America Merrill Lynch, about the role of risk management in organisational culture and lessons learnt from recent security breaches.
What is the importance of risk management?
Coming from a financial services background, the events of the last few years highlighted once again the critical role risk management plays in the long-term success of an organisation. From a short-term perspective, it is possible to achieve a degree of success without an effective risk management framework, but that is not sustainable. If I can draw a parallel – it is a bit like driving a new car. You can drive one without paying for maintenance and it will work for some time, but in the medium term the car will inevitably break down.
Where should responsibility lie in implementing a sustained culture of risk? What are the key elements needed to effectively create cultural change?
We have a saying that risk is everyone’s business. A number of firms have a designated Chief Risk Officer. In fact this is becoming a mandated requirement for banks. However this does not mean the responsibility rests solely with this function – everyone must play their role. To me, this means that everyone must be aware of the broad risk management framework and understand the expectations of them under the framework. They need to know why this is important and how they contribute to the overall result.
Cultural change is a process. It cannot and does not happen overnight. It requires commitment from senior management, both in words and in actions. It also means articulating the decision making process and being ready to say no to something incompatible with the risk management framework.
How do the lessons you have learnt impact on how security can be managed within an organisation?
Unfortunately there has not been a shortage of case studies with security at its heart. These examples apply to physical security (such as September 11) as well as data security (with multiple consumer data losses as an example). You always try to learn from these. The biggest lesson for me personally is that people matter the most. Internally, your people are your priority number 1, 2 and 3. From a consumer perspective, you apply a similar logic. What is it that you do? What information do you possess? What impact can a breach have on your clients?
I am particularly looking at sessions that have direct relevance to all organisations – enhancing safety and well-being, optimising mental health outcomes and disaster management.
Anatoly Kirievsky will deliver a presentation at the 2014 Campus & Student Security Conference, to be held on the 23-24 June in Melbourne. Anatoly will speak about risk management and lessons learnt from a corporate perspective. The talk will include regulatory obligations and frameworks, the costs of not getting it right and the role of changing the organisation’s culture.