Sean Lyons is the author of a new book entitled “Corporate Defense and the Value Preservation Imperative: Bulletproof Your Corporate Defense Program.” Lyons is globally recognized as a corporate defense pioneer and thought leader. As the architect of the cross-functional discipline of corporate defense management (CDM) he is widely regarded as the foremost authority in this emerging field. With almost three decades of experience in corporate defense activities he is a firm advocate of the requirement for corporate defense to play a more prominent role in corporate strategy.
Christopher P. Skroupa: Based on your upcoming book’s title, what does the value preservation imperative refer to and how does it relate to corporate defense?
Sean Lyons: In the eyes of many stakeholders, organizations exist in order to deliver value to their stakeholders over the short, medium and long term; and ideally, this mindset should be reflected in the organization’s vision, mission statement and strategy. With the goal to deliver sustainable stakeholder value, very few people consider striving for a balanced focus between value creation and value preservation. In the real world, it’s apparent that a significant imbalance exists—what I like to refer to as a value preservation deficit or disconnect.
Unfortunately, far too many organizations are overly focused on their value creation efforts, while their value preservation efforts are often regarded as “the poor relation,” with a lower level of associated prestige. This disconnect typically begins at the boardroom and tends to cascade right down through the organization.
In simple terms, if value creation is focused on bringing a dollar in through the front door (offense), then value preservation is preventing a dollar from leaving through the back door (defense). The value preservation imperative therefore refers to an organization’s obligation to its stakeholders to safeguard value in the short, medium and long term.
Corporate defense is synonymous with value preservation. This umbrella term is used to describe an organization’s collective program for self-defense. This plan protects the company against hazardous events that could potentially damage or destroy stakeholder value. A holistic approach to corporate defense involves the combination of coordinating and integrating a range of interrelated disciplines; an amalgam that includes the management of an organization’s governance, risk, compliance, intelligence, security, resilience, controls, and assurance activities. These activities represent the critical components of a corporate defense program.
Skroupa: How does this vision of corporate defense fit into an organization’s business strategy?
Lyons: In order to have an effective corporate defense, the plan must align with the business strategy. Therefore, an organization’s corporate defense capability should proactively influence its business strategy.
Unfortunately, in many organizations, business strategy is primarily concerned with the short-term value creation efforts. Often, the long-term value preservation efforts are considered as an afterthought. In order to help address this disconnect, a formal corporate defense strategy must be addressed by the board of directors—in tandem with the approval or ratification of the organization’s business strategy. Such a measure would help to ensure that both value creation and value preservation efforts are considered at a strategic level.
Skroupa: In what way do you see an integrated corporate defense program differing from a risk management program?
Lyons: An integrated corporate defense program represents a strategy which incorporates and aligns the critical corporate defense components. This would include individual programs that relate to the management of governance, risk, compliance, intelligence, security, resilience, controls and assurance. Each of these critical components provides a different, but essential, perspective for dealing with potential hazards (risks, threats and vulnerabilities). For example, viewing a particular issue through a governance-centric lens will produce an alternate perspective compared to that of a security-centric lens. By incorporating these contrasting perspectives, an organization can develop a more comprehensive and holistic view of any particular issue, and thereby improve the ability to avoid any potential blind spots or address any cognitive bias which may exist.
The management of risk is considered to be one of the critical components of a corporate defense program. Logically, this program tends to view the organization’s activities through a risk-centric lens, an imperative for the ongoing success of the organization. Indeed a risk-centric focus can help to adequately address sectors such as governance risk, compliance risk, intelligence risk, security risk, resilience risk, controls risk and assurance risk. Likewise, the program can be improved by considering it from different perspectives. A risk-centric perspective is a critical element of corporate defense, however it should not be considered in isolation of the other critical component perspectives.
Skroupa: How should an organization typically go about implementing a corporate defense program and what does it involve?
Lyons: From my experience, every organization has some level of a corporate defense program in place, either by accident or design. This can range from a formal structured program to the ad-hoc operation of a more informal unstructured program. It is important that stakeholder groups clearly establish the precise form of the current corporate defense program—from there, they can decide if their organization’s attitude to safeguarding stakeholder value is considered adequate and acceptable.
A robust corporate defense program should begin at the boardroom, with a seat at the table reserved for the corporate defense champion (similar to that of the Secretary of Defense at the Cabinet table). At a strategic level, a formal corporate defense program should be approved by the board of directors, and it should include a corporate defense vision, mission statement and strategy. At a tactical level, the strategy should integrate all the critical corporate defense components, as well as a business plan.
Skroupa: The term cyber defense is currently receiving a great deal of boardroom attention. How do you view the relationship between corporate defense and cyber defense?
Lyons: The cyber threat is an emerging and evolving one, which many organizations appear to have inadequately prepared for. Due to the increasing reliance on information technology, the threat of a cyber attack could be critically damaging. In recent times, this potential risk has elevated the cyber issue to direct oversight at the boardroom level, helping to ensure that organizations are prioritizing strategically. Subsequently, the required resources are now available to address this matter. However, the looming risk of cyber hazard should not be addressed on a once-off basis; this risk represents a dynamic threat which will require constant monitoring and continuous improvement.
For various reasons, the cyber defense issue is currently addressed as a standalone project, involving external specialists. This is often primarily due to a lack of technical expertise within the organization’s existing in-house functions. The cyber defense issue should be considered a part of the broader corporate defense program until it can be seamlessly incorporated over time.
Skroupa: What are the key corporate defense issues that an organization should address in its cyber defense efforts?
Lyons: In order to ensure that a robust cyber defense strategy is in place, I would suggest that the cyber defense program be systematically addressed. Consider the perspective of each of the different critical corporate defense components. For example:
- Governance-centric: From a cyber governance perspective, how is the cyber defense program ensuring that all efforts are appropriately directed and controlled in terms of roles, responsibilities, and accountabilities?
- Risk-centric: From a cyber risk perspective, how is the cyber defense program ensuring that all cyber risks are appropriately identified, measured, and managed on an enterprise-wide basis?
- Compliance-centric: From a cyber compliance perspective, how is the cyber defense program ensuring that its cyber defense efforts are in conformance with evolving cyber defense standards and best practices?
- Intelligence-centric: From a cyber intelligence perspective, how is the cyber defense program ensuring that, as part of its cyber defense efforts, the right information is getting to the right person, in the right place, at the right time?
- Security-centric: From a cyber security perspective, how is the cyber defense program ensuring that it is protecting the critical assets from cyber threats (its people, information, and technology infrastructure)?
- Resilience-centric: From a cyber resilience perspective, how is the cyber defense program ensuring that its efforts have the capacity to withstand, rebound, or recover from both the direct and indirect consequences of cyber hazard events?
- Controls-centric: From a cyber controls perspective, how is the cyber defense program ensuring that appropriate controls are in place to adequately mitigate all identified cyber risks?
- Assurance-centric: From a cyber assurance perspective, how is the cyber defense program ensuring that appropriate assurance mechanisms are in place to provide the necessary comfort that all cyber defense efforts are operating in a satisfactory manner?