You’re a CSO, responsible for the safety and security of your organization. Recently, your company’s general counsel has come to you with a mandate: don’t document any of the company’s risks. If you document risk in any way — even in a plan to address and mitigate those risks — according to general counsel, you could create legal liability for your organization.
When I was approached recently with the above scenario by a former CSO, my response was this: if you don’t document risk, and an incident occurs, how will the company respond? It’s unlikely that the company’s general counsel will admit to a policy of not documenting or planning for foreseeable risk. Chances are, your organization’s name will be in the headlines and you will be dismissed for malfeasance.
If you don’t know about risk, are you liable?
Businesses often ask us whether they create liability by documenting risk. The short answer is no; leaving risk undocumented is not like a tree falling in the forest with no one around to hear it. Since before the September 11 attacks, most businesses have accepted that they will be held liable for foreseeable risks. We have a detailed post about that here.
You might be exposed to liability if all you did was document your organization’s risk and then stop, but when you create a plan for mitigation, you’re doing the opposite. You’re recognizing the risk, documenting it, and creating a plan to address it.
To me, the danger is not in admitting to vulnerabilities. The danger is having the ability to foresee an incident and not making a plan to address it.
Mitigation plans are good for your liability
Post-incident, if you can show that you have a mitigation process and prove that you are moving toward resolution of a risk, that is far better for the company’s reputation and liability than saying “we didn’t document this foreseeable risk.”
In fact, regulatory bodies are beginning to look for organizations that have plans in place. Rather than using a traditional checklist to measure an organization’s risk, regulatory bodies want to see how a company measures and mitigates risk.
Take CTPAT (the Customs-Trade Partnership Against Terrorism), for example. While it once used a checklist, it now wants to see that companies have a system for continuously conducting self-assessments, identifying vulnerabilities, and creating plans to mitigate those vulnerabilities. It wants to see that organizations understand their own risk and know how to keep their sites and assets safe.
When you’re audited for CTPAT by U.S. Customs and Border Protection, they’re auditing your system of self-assessment, not their list of security measures, per se.
You are responsible for your company’s risk — even if you don’t “know” about it
So what do you do when general counsel tells you not to document risk for the sake of liability?
Push back: sit down with general counsel and your leadership and show them what standards bodies like CTPAT expect. Show them examples of organizations that have been cited for ignoring foreseeable incidents. Then explain that your organization can apply to have its risk assessments protected under the Protected Critical Infrastructure Information (PCII) Program, which shields submitted risk assessments from public disclosure so that you can identify vulnerabilities without making them public knowledge.
Finally, ask general counsel what their response would be if an incident occurred. Do they plan to admit publicly that they advised you not to document a foreseeable risk? Chances are, they wouldn’t. Of course, if a CSO or an attorney wants to provide a counterpoint to this position, I’d welcome the discussion.
To learn more about how to document foreseeable risk, contact us for a demo.