ESRM has become important today because it helps organisations identify, prioritise and mitigate potential security threats, comply with regulations and protect financial and reputational well-being.
Enterprise Security Risk Management (ESRM) is an information-gathering and decision-making function that helps an organisation and its leaders understand risk with a perspective on real-time impacts, their relevance, interactions and offsets across the enterprise. A successful ESRM framework must be dynamic and rooted in access to data. This means the framework and processes are easily understood by both end users and senior leadership, content is changeable and applies throughout the business to create priorities and actionable decisions.
ESRM is a security program management approach that links security activities to an enterprise’s mission and business goals through risk management methods.
In ESRM, the role of the Chief Security Officer/Corporate Security Chief is to manage risks to the enterprise’s assets in collaboration with the leaders whose assets are exposed to those risks. This involves the systematic application of management policies, procedures and practices to the tasks of communicating, consulting, establishing the context, identifying, analysing, evaluating, treating, monitoring and reviewing risk.
Security has to be engaged actively with and supporting every business unit (R&D, sales and marketing, manufacturing, logistics, customer service, product complaints, third-party providers, human resources, IT), since every one of those units has its own challenges that could affect the company’s reputation and brands.
The ESRM approach is founded on 4 basic assumptions:
• Security risks are strategically relevant to the success of the organisation: Enterprise Security Risk Management encourages everyone to take a strategic view of security, from CSOs and security practitioners to the ‘guys-n-gals’ in the C-suites. ESRM seeks to connect good security and risk mitigation practices to the overall mission and goals of a corporation. In an ideal world, when C-suite members and other managers make decisions, they will include enterprise security risks as part of the decision-making process, just as they would include financial, HR, marketing and other criteria.
• Security risks should be understood holistically and not compartmentalised: ESRM is often referred to as holistic because it comprises the big security picture, not a collection of snapshots. It is about managing the risks of harm to all of the company’s assets, including people, things and processes. It cuts across and even bridges traditional security silos like executive protection, cyber-security, loss prevention, asset management, threat management, resilience, workplace violence, critical incident response, brand protection, fraud investigations, travel safety, etc.
• Security risks must be evaluated, prioritised and managed: ESRM connects security efforts and the organisation’s overall goals with solid risk management practices.
• Security risks are dynamic: Everything changes, and so do the factors that affect a corporation’s security risks. Risks have to be assessed every day.
Corporate security exists to enable business success by being a key business partner in managing and mitigating risks to the enterprise.
In a 2010 survey on ESRM conducted by the CSO Roundtable of ASIS International, more than 50% of the chief security officers from Fortune 500-size organisations said that they and their departments were involved in researching, prioritising, mitigating, or evaluating non-security risks in their organisations. Nearly 60% of respondents said that their organisations had advisory groups that cut across different departments and silos to facilitate the risk management process.
ESRM is performed in a life cycle of risk management that includes:
(The ESRM Life Cycle)
Identify and Prioritise Assets: Identify, understand and prioritise the assets of an organisation that need protection.
Identify and Prioritise Risks: Identify, understand and prioritise the security threats the enterprise and its assets face, both existing and emerging, and, critically, the risks associated with those threats.
Mitigate Prioritised Risks: Take the necessary, appropriate and realistic steps to protect against the most serious security threats and risks.
Improve and Advance: Conduct incident monitoring, incident response and post-incident reviews. Learn from both success and failure and keep applying the lessons learned to advance the program.
Most organisations rely on a traditional approach to risk management which is built on stovepipe-oriented risk management where the focus is mainly on the tactical business issues and does not consider strategic sources of risk. Traditionally, an organisation’s approach to risk management tends to be internally focused on governance and compliance-oriented risks in the areas of financial reporting, taxes, information security, human resources, fraud and legal. Such traditional organisational silos disperse both information and responsibility for effective risk management. They inhibit discussion of how different risks interact. Good risk discussions must be not only confrontational but also integrative. Businesses can be derailed by a combination of small events that reinforce one another in unanticipated ways. This approach to risk management:
• does not adequately identify, evaluate and manage risk;
• tends to be fragmented, treating risk as disparate and compartmentalised;
• limits the focus to managing uncertainties around physical and financial assets;
• focuses largely on loss prevention, rather than adding value;
• tends to use linear and sequential process thinking.
Traditional ERM programs assess a wide range of financial issues that could affect a company’s profitability. Large and small businesses, corporations and government agencies organise themselves with departments that perform different functions, each raising certain enterprise risks.
Human Resources departments recruit and retain new people. While it may not happen often, new employees sometimes have criminal pasts and current criminal plans. Thoroughly checking the backgrounds of new hires ranks as an enterprise risk management function that protects business goals.
Similarly, other departments face enterprise risks. Accounting and finance risks include fraud and waste. Purchasing departments risk buying from companies that can’t ultimately deliver. Production and warehousing risks include safety lapses leading to injuries. Transportation departments risk liability problems stemming from negligent accidents.
However, these programs rarely if ever look at physical or IT security, business continuity or brand protection. Success requires a holistic and integrated approach to managing risk – the competitive landscape and risk environment demand it, regulators expect it and securing value, growth and sustainability for investors requires it.
Organisations must identify and avoid major catastrophic events.
Businesses are now experiencing an escalating pace of change, from disruptive technologies, innovative business models, new forms of competition to changing geopolitics. Changing market conditions, employee unrest, negative public relations events, major accidents, legal conflicts, inadequate manpower resources, natural disasters and supply chain disruption are just some of the many risks that challenge an organisation. The proliferation of risks and opportunities that businesses face cannot be ignored. Failure to recognise and respond to the very real ‘signals of change’ in industry sectors and societal behaviour may be the difference between growth and destruction.
Risk appetite is the overall level of risk that an entity is willing to take to support the company in achieving both strategic and financial objectives, and establishing it clearly is essential. Rating agencies have begun to look at ESRM to determine if any issues could hurt the company’s ability to repay its debts.
Many companies still view risk appetite solely as a line not to cross, but leading organisations use it to determine whether they can and should be taking more risk. Developing a more clearly defined, board-endorsed risk appetite and using this to both promote the right risk culture and take a harder look at the ‘upside’ of risk taking, are front and centre of leading edge ESRM practices.
Business imperative, regulatory requirements and increased rating agency interest are prompting a new focus on ESRM. Business leaders are seeking to implement ESRM or are enhancing and developing their ESRM processes, embedding an approach that is tailored to the company’s culture and structure, aligned with their business strategy, operationalised in their business processes, and focused on their most critical risks. ESRM should be able to identify both internal and external events that could threaten an organisation’s viability, including:
1. Natural hazards
2. Major accident hazards
3. Security hazards
4. Unfavourable economic conditions
5. Competition in the marketplace
6. Compliance failures
7. Governance failures
Multiple studies have found that people overestimate their ability to influence events that are heavily determined by chance. We tend to be overconfident about the accuracy of our forecasts and risk assessments and far too narrow in our assessment of the range of outcomes that may occur.
We also anchor our estimates to readily available evidence despite the known danger of making linear extrapolations from recent history to a highly uncertain and variable future. This problem is compounded by confirmation bias, which drives us to favour information that supports our positions and suppress information that contradicts them. When events depart from our expectations, we tend to escalate commitment, irrationally directing even more resources to our failed course of action.
Organisational biases also inhibit our ability to discuss risk and failure.
In particular, teams facing uncertain conditions often engage in groupthink. Once a course of action has gathered support within a group, those not yet on board tend to suppress their objections, however valid, and fall in line. Groupthink is especially likely if the team is led by an overbearing or overconfident manager who wants to minimise conflict, delay and challenges to his or her authority.
Collectively, these individual and organisational biases explain why so many companies overlook or misread ambiguous threats. Rather than mitigating risk, firms actually incubate risk through the normalisation of deviance as they learn to tolerate apparently minor failures and defects and treat early warning signals as false alarms rather than alerts to imminent danger.
Effective risk-management processes must counteract these biases.
ESRM attempts to capture and reduce the effects of today’s business complexity and uncertainty by providing a broad framework for managing. ESRM deals with risks and opportunities affecting value creation and helps an entity to get where it wants to go and avoid pitfalls and surprises along the way. It is the leading approach to managing and optimising risks in order to enable a company to determine how much uncertainty and risk are acceptable to an organisation.
It is important to note that the success of a business model innovation depends on the company’s ability to recognise that it is about to perform activities that are more uncertain, complex and therefore also riskier than anything it has experienced in the past, and on its ability to cope with them.
ESRM must not be a standalone process but an integrated element of an organisation’s performance management system. ESRM must support business planning cycles, such as budgeting and strategic planning, to guarantee progress in identifying and managing risks. As ESRM is implemented and matured, activities will become risk-informed and key business decisions will improve because risk impact has been considered as part of the process.
One survey showed that 65% of the assets of the top US companies are not physical, while the World Intellectual Property Organization (WIPO) estimates that intellectual property represents as much as 75% of the value of the Fortune 500. Mergers and acquisitions present prime opportunities for the theft of intellectual property (IP). The loss of intellectual property, whether through theft, counterfeiting, or diversion, adversely affects the world’s economies.
Innovation = Intellectual Property = Products = Jobs
Managing the huge range of risks that corporations face is certainly not getting easier. Rather, it is becoming much more complex as more regulations and legislation add additional challenges to the business of doing business. The adoption of ESRM principles assists the corporation in identifying and quantifying risks.
Endro SUNARSO, MS, CPP®, CIAM®, CPOI, PMP®, CSM®, FSyl, F.ISRM is a senior security professional with extensive experience in corporate and physical security operations and management across APAC.