Enterprise Risk Management

Coupling technology and policy can create an effective strategy

The term enterprise has become so commonly used in recent years that it has lost much of its meaning. Almost all end-users want a scalable enterprise solution; fortunately, almost every security system manufacturer new offers one. But in our careless use of the term, we tend to lose sight of our mandate as practitioners to manage the risks associated with our organization — or enterprise — to an acceptable level. Within this definition, risk management broadens beyond something you can specify and contract to have installed; it becomes a multi-faceted program that relies on every tool at the disposal of the security professional.
At its core, what we often refer to as an enterprise security management system (SMS) is nothing more than a collection — albeit sometimes a very complicated one — of hardware and software that accomplishes predefined functions under predefined circumstances. For example, the enterprise SMS that provides access control, intrusion detection and CCTV management at a few thousand facilities in dozens of countries is the model for the term. However, in no sense does this hardware and software approach necessarily address the total risk management needs of the global organization.
ASIS International (www.asisonline.org) recently published its updated guideline for Chief Security Officers (http://www.asisonline.org/guidelines/inprogress_published.htm#cso) in which long-considered best practices at the senior level of the security industry are aggregated. Of particular interest in this document is the list of broad risk categories that are likely to be present in an organization. They are:

• Human Resources and intellectual assets;
• Ethics and reputation;
• Financial assets;
• Information Technology systems;
• Transportation, distribution and supply chain;
• Legal, regulatory and general counsel;
• Physical and premises; and
• Environmental Health and Safety

Of the above, the Physical and Premises category is the one with which we are likely the most familiar, and, not surprisingly, the category to which the benefits of an enterprise SMS system can be most easily accrued. To this point, the careers of security practitioners have as their foundation the expectation that the risks presented by the built environment can be effectively mitigated through thoughtful implementation of physical controls and associated visual verification through CCTV monitoring.
The other risk categories do not so easily fit this model. For example, a well-designed, implemented and managed access control system does not necessarily address the totality of managing the risk factors around the name and reputation of an organization. Consider a food company whose business is built on the assumed promise that its products are safe. A means to control and monitor individual access to the production process beginning with the raw ingredients and continuing through the packaging and shipment to the retail outlet plays a significant role in reducing the risk of contamination. However, when allegations of product tampering arise, the press conferences do not normally discuss the efficacy of the organization’s SMS; the primary topic is what is being done to mitigate harm and restore confidence. This facet of risk management and mitigation requires the skillful execution of the crisis management plan to preserve and restore a reputation and allow progress toward recovery and future revenues.

This content continues onto the next page...