John Sephton FSyI, Board Director at The Security Institute, details why Enterprise Security Risk Management (ESRM) is so important to an organisation’s security
ESRM is one of the phrases that you may hear being discussed by security professionals. It is not a new phenomenon dreamt up by security purists in white coats to bamboozle the less educated security practitioner. Rather, ESRM is a bit like a Porsche: most people know of or have heard of a Porsche, they know it is shiny and sleek and that it gives a certain kudos to the owner, yet their own experience of one is limited to say the least. The same goes for ESRM. Lots of security practitioners have heard the term, yet surprisingly few can actually provide a concise definition or walk you through the concept. Let’s try to break it down into simple, understandable terms.
ESRM embeds security and risk management into the fabric of an organisation, whether it be a small single site operation or a global enterprise. It helps to ensure that security and risk management is part of the C-Suite function by ensuring risk owners, those top managers responsible for each area of security risk, are fully aware of their responsibilities and are able to communicate security risk exposures to the Board. The effect of ESRM is to generate a top-down approach to managing security risks as opposed to the typical bottom up approach where the security manager has a daily struggle to secure sufficient budget to manage security risks and has an almost impossible task of communicating those risks to the Board. Usefully, ESRM ties in nicely with corporate governance.
Ask the right questions
ESRM is a holistic approach to managing security risks. It takes into account all areas of the operation, such as physical, cyber and manned guarding and supports the development of a framework of policies and procedures that ensure clear direction has been issued and an operational plan is in place. As a security practitioner, you should be asking some fundamental questions when developing ESRM:
1. What are the assets we are protecting?
2. Who is responsible for the asset? (Usually, department heads but there will also be a Director at Board level).
3. What risks are the assets exposed to?
4. What is our plan to mitigate the risks and what is the plan if any of the risks become reality?
Let’s look at it from a manned guarding perspective. With manned guarding you usually have a nice shiny building, CCTV cameras, access control, server rooms, comms rooms, radio nodes, car parking, teams of personnel etc. You can see that this cuts across physical, personnel, cyber and IT security, so the security strategy must consider all areas of the operation that are exposed to security risks. Because ESRM is embedded within the organisation at all levels, it ensures that security risk management is not confined to a pokey little office in the basement level, but is regularly communicated at Board level and is a key business objective in every department.
ESRM should be part of the security culture and something that everybody is aware of, along with what they can do to make it a success. Security of the business assets is the responsibility of everybody, as everybody has a role to play, no matter how far removed they are from the security department. It is down to a good quality security team not only to understand the role they play in the ESRM mission, but to drive the message home to the occupiers through engagement and awareness. It reminds me of a story from NASA: when a cleaner was asked what their role was, the response was “I am helping put a man on the moon”.
Everybody makes a contribution to the wider picture and ESRM is no different.
To find out more information about The Security Institute, visit: https://security-institute.org/
This article was originally published in the March edition of Security Journal UK.