What Will Your Role in Enterprise Security Risk Management Be?
Posted on Fri, Apr 09, 2010
Many security stakeholders are aware of Enterprise Risk Management (ERM), which analyzes and seeks to mitigate the risks an organization faces, such as financial, strategic, and accidental risk. Unfortunately, ERM traditionally neglects risks associated with security. Enterprise Security Risk Management (ESRM) is a methodology that exists to ensure that these risks are properly considered by an organization.
In October 2009, ASIS International, a membership group of the senior-most security executives from the world’s largest organizations, conducted a survey of its CSO Roundtable and international members. This survey focused on ESRM and what risks were most challenging, where organizational support for ESRM initiatives came from, which business elements were included, who has the ultimate responsibility for risk, and what security’s role is in these initiatives. ASIS International also conducted an interview with 11 senior security executives from some of the world’s largest and most well-respected companies who have first-hand experience in creating and executing ESRM initiatives.
Recently, ASIS International released the results of the survey and interviews in their whitepaper Enterprise Security Risk Management: How Great Risks Lead to Great Deeds. This whitepaper is a great read for any individual who is interested in learning more about ESRM and how such programs impact an organization. But more importantly, the survey results indicate that a number of organizations are either currently enacting ESRM initiatives or have an ERM structure that includes security (according to the survey, nearly 60% of the respondents indicated that security was a part of their organization’s risk management efforts from the outset). The survey also indicates that an increasing number of security departments are focusing on or involved in issues that are typically non-security risks (nearly half of all respondents said they are involved in researching, prioritizing, mitigating, or evaluating non-security risks).
Of course, ASG has been advocating a holistic approach to security for some time now, so it’s no surprise to us that more and more of the world’s top organizations are learning that security can be run so as to create value for the organization rather than function only as a costly expense. But I begin to wonder: how many of our readers know what their role in this ESRM structure is? Perhaps your organization applies a different term to this structure. Or maybe (like one of the interviewees) your organization organically developed a holistic view of risk across the organization without a formal process. But as holistic risk management becomes a greater priority for executive-level management, do you know where you fit in your organization’s ESRM vision?