Taking a holistic view of risk

A look at how ESRM initiatives have evolved
Run a Google search on "risk" and you will come up with an impressive number of results - almost a third of a billion hits. But when you start paging through these results, you will see that the lion's share of the hits focus on financial risk (as well as a popular board game), while very few of the results look at the types of risk that security professionals are responsible for identifying, prioritizing and mitigating on a daily basis.

In fact, the word "risk" has been almost entirely appropriated by the financial world, and even the inclusive-sounding "enterprise risk management" (ERM) focuses largely on investment and other financial matters. While these are certainly important, they do not include the wide range of security threats that imperil our organizations. The chief security officer of a pharmaceutical company, interviewed by the CSO Roundtable of ASIS International, for example, explains that his company had a risk management team that "wasn't addressing things that could affect our reputation, such as quality management, counterfeit brand products, bribery and corruption." This leaves us all vulnerable and with a false sense of security. And this CSO's experience was no anomaly.

But things are starting to change for the better. The CSO Roundtable did a survey and a white-paper study of enterprise security risk management (ESRM) - a holistic view of security across an entire enterprise - and found that the CSOs of some of the world's largest organizations were taking the lead in ESRM programs. In other words, they identify a wide range of risks - including physical asset and employee protection, emergency preparedness and planning, business continuity, the loss or theft of data, as well as reputational risks - and raise them to the same level of urgency as core "business" issues. They do this by leading cross-divisional working groups that include leaders from all departments.

These ESRM initiatives have had remarkable benefits for the organizations that implemented them. Some respondents to the Roundtable survey said that their ESRM programs helped their companies establish priorities and become more proactive in the face of risk; some said that their organizations ran more effectively because these working groups helped ensure that there was no duplication of effort among departments. Some respondents even called their ESRM initiatives "business differentiators" that distinguished them from competitors. There were personal benefits, too. Executives involved with these initiatives learned more about their businesses and how things were done in other departments, positioning themselves as strategic players. Those are lessons that are important for any executive's career.

That the Roundtable study showed that C-suite support was strong or even passionate for these kinds of holistic risk initiatives is proof that business leaders are becoming cognizant of the importance of security when considering the threats to their organizations. It also showed that ASIS International needs to continue to lead the industry toward ESRM.

Several of the CSOs interviewed for the ESRM white paper will be on hand at the ASIS International 56th Annual Seminar and Exhibits (Oct. 12-15) in Dallas this year. On Wednesday, Oct. 13, from 11:00 a.m. to noon, these CSOs will discuss the importance of ESRM and how they helped create and implement their ESRM initiatives. This session will provide a great opportunity to learn why - and how - you can get your own ESRM programs under way.

When looking at risk holistically, it is clear that physical security has a great many overlapping concerns with information security. That's why ASIS is building partnerships with groups such as (ISC)2, the Information Technology Sharing and Analysis Center (IT-ISAC) and the Information Systems Audit and Control Association (ISACA). Those groups will join forces with ASIS to co-brand sessions at Seminar.