Enterprise Risk Management

Coupling technology and policy can create an effective strategy

The Role of Technology
So what is the role of technology in addressing the comprehensive scope of enterprise risk management?
The short answer is foundational! While best practices often evolve with a maturing industry and associated technology, an essential core of a security program is the ability to control the flow of personnel, vehicles and products into and out of company-owned or, in some cases, contracted facilities. In so doing, the organization gains heightened confidence in the identity and accountability of individuals within its facilities and in their potential subsequent access to the risk elements identified earlier. Current technology enables the security program to accomplish this remotely, with monitoring and notification as close to real-time as the organization is willing to invest in communications infrastructure. Without this foundational programmatic element, the organization's ability to address the comprehensive risk management task is hindered.
However, consideration must also be given to those areas where the security program and associated technology can contribute to the risk management program without necessarily being the primary responsible party. Management of the risks associated with Environmental Safety and Health (ES&H) is a classic example of the need for, and benefits of, collaboration. Security program support to the ES&H risk management program could take a number of forms. The enterprise SMS could be used to restrict access to designated areas to only those individuals who have had the safety-related training necessary for safe operations. Hazardous operations can be monitored by dedicated CCTV resources. In the event of an ES&H incident, the reach of the enterprise system can provide a range of functions that contribute to personnel accountability, facility integrity and real-time, site-specific visual information, all of which are key factors in mitigating the consequences of the event and expediting the return to normal operations. This could involve security assets and functions including communications, personnel mustering, facility perimeter control and trained security officer support.
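The training-gated access control described above can be expressed as a small policy check: the access decision for a designated area depends not only on who the badge holder is but on whether every safety course the area requires is both completed and still in date, and every denial is recorded for the ES&H program. The following is an added illustration, not code from the author or from any particular security management system; the area names, course codes and badge records are constructed, and the expiry-date rule is an assumption about how such a policy might be written.

```python
from dataclasses import dataclass
from datetime import date
from typing import Dict, FrozenSet, List, Tuple


@dataclass(frozen=True)
class Area:
    """A controlled area and the safety courses required to enter it (constructed)."""
    name: str
    required_training: FrozenSet[str]


@dataclass
class Person:
    """A badge holder and the expiry date of each safety course on record (constructed)."""
    badge_id: str
    trainings: Dict[str, date]


def access_decision(person: Person, area: Area, today: date,
                    audit_log: List[str]) -> Tuple[bool, List[str]]:
    """Grant entry only if every required course is completed and unexpired.

    Returns (granted, reasons); reasons lists each unmet requirement so the
    ES&H program can see why a badge was refused, not just that it was.
    The denial is also appended to audit_log for later review.
    """
    reasons = []
    for course in sorted(area.required_training):
        expiry = person.trainings.get(course)
        if expiry is None:
            reasons.append(f"{course}: not completed")
        elif expiry < today:
            # Edge case: training on record but lapsed. Treat exactly like
            # missing training rather than trusting the stale record.
            reasons.append(f"{course}: expired {expiry.isoformat()}")
    granted = not reasons
    if not granted:
        audit_log.append(
            f"{today.isoformat()} DENY badge={person.badge_id} "
            f"area={area.name} reasons={'; '.join(reasons)}"
        )
    else:
        audit_log.append(f"{today.isoformat()} GRANT badge={person.badge_id} area={area.name}")
    return granted, reasons


# Constructed sample data (hypothetical area and course codes).
CHEM_STORE = Area("chemical-store", frozenset({"HAZMAT-100", "PPE-BASIC"}))
TODAY = date(2024, 6, 1)

CURRENT_WORKER = Person("B-1001", {"HAZMAT-100": date(2025, 1, 1),
                                   "PPE-BASIC": date(2024, 12, 31)})
LAPSED_WORKER = Person("B-1002", {"HAZMAT-100": date(2024, 5, 30),
                                  "PPE-BASIC": date(2024, 12, 31)})
UNTRAINED_VISITOR = Person("B-2001", {"PPE-BASIC": date(2024, 12, 31)})


def run_demo() -> List[str]:
    """Evaluate the three constructed badge holders and return the audit trail."""
    log: List[str] = []
    for person in (CURRENT_WORKER, LAPSED_WORKER, UNTRAINED_VISITOR):
        access_decision(person, CHEM_STORE, TODAY, log)
    return log


if __name__ == "__main__":
    for line in run_demo():
        print(line)
```

Keeping the decision and its recorded reasons together is the point: the same access-control platform that stops an untrained or lapsed worker at the door also produces the accountability record the ES&H program needs after an incident.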
Information assurance also falls into that category where the traditional enterprise security program may not provide the primary framework for risk mitigation; however, as a strategic partner, there is much to gain from addressing information-related risk factors within a converged environment. This will become commonplace as the CSO position becomes more prevalent within the corporate structure and as available hardware and software become more effective at seamlessly addressing both the physical and the logical security task.

Administrative Policies and Procedures
There are areas where the tools provided by the security program do not constitute primary input to the organizational risk management effort. This is the point where the risk management program turns to administrative policies and procedures to define acceptable behavior in those areas where such standards cannot be enforced by technological tools. Human resources and intellectual assets may represent a risk area on which the technological security program tools have little primary impact. Additionally, as alluded to earlier, planning for off-normal events must take place so that the organization has a clear and rehearsed strategy for dealing with those circumstances that occur in spite of organizational efforts to preclude them. Under these conditions, the most important goal is to recover the business as quickly and as cost-effectively as possible. This will not be achieved without a well-developed crisis management plan and a program of effective training to that plan. This is an essential area where security is a key, but not necessarily the primary, contributor to the general well-being of the organization.
Clearly, enterprise risk management is not effectively addressed solely with an enterprise-scale security management system. However, it unquestionably provides foundational functions from which all other aspects of the total risk management program can derive benefit. In those areas where risk management strategies go beyond technology solutions, the security program in total is in a unique position to provide key input and support at the senior level. The task is to manage risk with whatever tools are available to suit the need.

Randall R. Nason, PE, CPP is a corporate vice president and manager of the Security Consulting Group at C.H. Guernsey and Co. His experience spans a broad spectrum of the security profession including threat assessment, vulnerability analysis and master plan development through complete system design, construction management and design-led build projects. He has also designed and conducted full-scale emergency response exercises for a federal agency and prepared crisis management plans for public and private entities. Mr. Nason is a member of the ASIS Council on Security Architecture and Engineering.