Printer Friendly

How can we add to the bottom line?

TODAY'S BUSINESS EXECUTIVES need bottom-line oriented approaches to their work. Profit enhancers are extremely important; profit inhibitors must be eliminated. How can security professionals convince top management to invest in supposedly soft areas, such as information security, contingency planning, and process controls? None appear to contribute to revenue, and most are categorized as overhead items, which when expensed, are a drain on the organization's bottom line.

While this view has been common for years, business innovators are flipping the equation. Professionals are discovering a negative affect on companies when these disciplines do not exist.

Since Henry Ford implemented the first major assembly line to organize and boost automobile production, industry has strived to increase efficiency. This development has resulted in the need for more stringent control procedures.

Implementing controls. In tandem, security, process controls, and contingency planning can ensure that companies are adequately managed. These elements must enhance the organization's long-term production of an end product or service. This is key to survival and profitability.

Some level of discipline and control is necessary for a consistent quality production process. This should translate into increased profitability. The restraints introduced within these processes also enable companies to react swiftly to changes in the economy. Thus, an organization can maintain its income or at least cut extraneous expenses in a deteriorating business climate.

Look at the current recession. Was your company able to change its production patterns before being seriously affected by rising costs and falling sales? If not, adequate control mechanisms probably were not in place.

The danger of invoking controls is that they will be bureaucratic. They must not be. They should do a job and only that job.

Even assembly lines, for example, can be bureaucratic, as American automobile manufacturers have discovered. However, manufacturers are striving to change their techniques. While they have not eliminated assembly lines, they are searching for ways to improve them.

For instance, a team approach can be used whereby a vehicle moves on a conveyor from one team to another. This is still an assembly line, but it is implemented differently. Another production improvement is to permit workers to stop the assembly line to resolve defects immediately. This method has helped eliminate problems at a time when they are simplest to correct--the time of discovery.

Information security and contingency planning processes should be held up to the same scrutiny. They should provide a framework for the organization's functions, much as the assembly line provides the basis for completing a manufacturing process.

Consider a production environment without controls. How would the product's quality be affected? Computing or processing without adequate controls can be just as deadly. Controls can ensure that data upon which plans, projections, and other critical decisions are made is accurate and reliable. What would happen if a terminated or unhappy employee changed data that affected costing or pricing algorithms? What if this change resulted in even a small market share loss? The company's bottom line would be negatively affected.

Information security, contingency planning, and process controls are designed to prevent such situations. These three elements also ensure that manufacturing and future plans can continue, regardless of equipment, weather, fire, or other problems concerning the production environment.

Information security, contingency planning, and process controls are similar to an insurance policy. However, as with all insurance, they cost money. The more a company depends on its computing ability, the easier it is to defend that cost. The old phrase that refers to "paying me now or paying me later" applies here. Personal insurance prevents catastrophic losses for families just as certain controls prevent devastating losses for companies.

Yet top management must be able to justify cost. To help them do this, calculate the damage from a particular scenario. For instance, figure the amount of a potential mishap that could result from a change to important data. Include the loss of a day's processing. Estimate the probability of occurrence. Let top management review the cost of security and contingency planning versus the loss. Then help them choose a solution that best reflects the company's needs.

Keeping controls under control. Information security, process controls, and contingency planning should provide the parameters within which employees work. These parameters enhance the business processes, which ultimately result in profitability.

These planning and control processes should be examined regularly to ensure their continued suitability and value to the organization. The goal of assembly lines is to physically produce merchandise and move goods as demand dictates. Control processes must support the same goal by ensuring the quality of the goods produced.

In much the same way as information security and process controls are used to add discipline, contingency planning should be approached as a means of ensuring that production capability meets demand.

Contingency planners are often perceived as staff persons with few, if any, deadlines. This perception must change. Contingency planners should be thought of as contingency planning engineers since their responsibility is to make sure the business always functions, no matter what emergency occurs. Planners should prepare flexible, manageable, and cost-effective contingency plans that can be updated, and they must be held accountable for the results of periodic tests. Production lines, marketing operations, and financial functions all should be included within the scope of a contingency plan.

Companies must continue their cost-consciousness in staff areas, but they should not eliminate or avoid all security and contingency controls or the staff to administer those controls simply to cut overhead. Instead, a reorientation needs to occur.

Employees ar a direct cost to production and must strive for only that control level that enhances the end product. Management must assist employees in understanding this role. Management also must insist that employees function to drive the business forward, not to do busywork, by making employees accountable to the business process.

A total reorientation of the purpose of control mechanisms in business is needed for the 1990s, Along with this reorientation, a redirection of staff to accomplish desired controls, coupled with measures of accountability designed to properly administer and drive personnel actions, will assist business in using control mechanisms to increase the bottom line. Security professionals need to understand what drives top management, and they must be prepared to address all kinds of security and control functions in terms that are meaningful to executives.

Patricia A. P. Fisher is president of Janus Associates Inc., an information security consulting firm in Stamford, CT.
COPYRIGHT 1992 American Society for Industrial Security
No portion of this article can be reproduced without the express written permission from the copyright holder.
Copyright 1992 Gale, Cengage Learning. All rights reserved.

Article Details
Printer friendly Cite/link Email Feedback
Title Annotation:information security, contingency planning and process controls as management tools
Author:Fisher, Patricia A.P.
Publication:Security Management
Date:Jun 1, 1992
Previous Article:CCTV watches the world go by.
Next Article:One by land, two by air.

Related Articles
Introduction to Security.
How we built our contingency plan.
Six steps to disaster recovery.
Total Contingency Planning for Disasters: Managing Risk ... Minimizing Loss ... Ensuring Business Continuity.
The Budgeting Nightmare.
NIST releases raft of resources. (Tech Talk).

Terms of use | Copyright © 2017 Farlex, Inc. | Feedback | For webmasters