Connecting the Dots

"I was so busy, I never saw it coming!" This from the line manager who's just fired an employee for misconduct. With downsizing, rightsizing and "doing more with less", the velocity of business dealings often masks control weaknesses.
But given the dynamics of risk in the world today, can anyone reliably claim that their organisation has bullet-proof safeguards around the assets that contribute to shareholder value? I doubt it. Most corporations have a limited knowledge of risk because the risk analyses they do are insufficient to uncover key vulnerabilities.
Yet if a company isn't doing effective risk analysis, it will have to assume it has exploitable vulnerabilities. (I highlight exploitable because risk is increased as vulnerabilities become known to an increasingly large group of knowledgeable, trusted and empowered insiders.)
Security is in a position to see such weaknesses in its investigative findings and should influence managers to pause and understand the risks we are all charged with monitoring. In fact, we have a fiduciary obligation to ensure such vulnerabilities are addressed at a sufficient level to deter opportunity. That dictates one part common sense and three parts due diligence.
Got Supervision?

First-line managers are the key to maintaining a climate of integrity and effective risk management. Even when top management makes its commitment to integrity clear, the action is in the trenches. Unless supervisors are risk-aware and work within an accountability model that makes their roles clear, they are not likely to be part of an effective system of controls.
Beyond the internal supervision, outsourcing and offshore relationships are also integral parts of the competitive environment. Yet we are increasingly assigning high-risk jobs to individuals or vendors about whom we know very little or nothing. Our relationships with these outside organisations need to follow our integrity model - we must insist that they apply the same standards of ethical expectations to themselves as we do to our own organisation. Easy to say, but not so easy to do.
Where is the CSO's role here? Think back to the "I-was-so-busy-I-never-saw-it-coming" guy. "Look," he says, "it's your job to give us a heads up! You guys in security may see this stuff as a routine part of your job, but I've got a committed team here busy working 24x7, and we didn't have a clue."
If your culture shoots the messengers of bad news, don't be surprised when various managers - even those who have been diligent enough to have "seen it coming" - may clam up when concerns are aroused. Explore this issue in your organisation. You'll probably discover that a lack of notice is more indicative of a climate of fear or wagon circling than anything else.
Then there are the interesting places we find ourselves housing critical business processes. We are working in very complex global and technical environments. We depend on global data networks and dispersed computing environments that live within very risky local infrastructures with differing standards of care. While it is recognised that a resilient recovery strategy is essential, don't forget that the cultural issues around corporate hygiene can land you on the front page of The Australian Financial Review or The Wall Street Journal faster than you can say "scandal".
And then there's honesty. It's acknowledged that the "honesty quotient" within our workforce has declined during the past few decades. Don't argue with me - the evidence is everywhere. Effective background investigations, however, will screen out the most serious threats.