Enterprise Risk Management

Jan. 27, 2009
Coupling technology and policy can create an effective strategy

The term enterprise has become so commonly used in recent years that it has lost much of its meaning. Almost all end-users want a scalable enterprise solution; fortunately, almost every security system manufacturer now offers one. But in our careless use of the term, we tend to lose sight of our mandate as practitioners to manage the risks associated with our organization — or enterprise — to an acceptable level. Within this definition, risk management broadens beyond something you can specify and contract to have installed; it becomes a multi-faceted program that relies on every tool at the disposal of the security professional.
At its core, what we often refer to as an enterprise security management system (SMS) is nothing more than a collection — albeit sometimes a very complicated one — of hardware and software that accomplishes predefined functions under predefined circumstances. For example, the enterprise SMS that provides access control, intrusion detection and CCTV management at a few thousand facilities in dozens of countries is the model for the term. However, in no sense does this hardware and software approach necessarily address the total risk management needs of the global organization.
ASIS International (www.asisonline.org) recently published its updated guideline for Chief Security Officers (http://www.asisonline.org/guidelines/inprogress_published.htm#cso) in which long-considered best practices at the senior level of the security industry are aggregated. Of particular interest in this document is the list of broad risk categories that are likely to be present in an organization. They are:

• Human Resources and intellectual assets;
• Ethics and reputation;
• Financial assets;
• Information Technology systems;
• Transportation, distribution and supply chain;
• Legal, regulatory and general counsel;
• Physical and premises; and
• Environmental Health and Safety.

Of the above, the Physical and Premises category is the one with which we are likely the most familiar, and, not surprisingly, the category to which the benefits of an enterprise SMS system can be most easily accrued. To this point, the careers of security practitioners have as their foundation the expectation that the risks presented by the built environment can be effectively mitigated through thoughtful implementation of physical controls and associated visual verification through CCTV monitoring.
The other risk categories do not so easily fit this model. For example, a well-designed, implemented and managed access control system does not necessarily address the totality of managing the risk factors around the name and reputation of an organization. Consider a food company whose business is built on the assumed promise that its products are safe. A means to control and monitor individual access to the production process beginning with the raw ingredients and continuing through the packaging and shipment to the retail outlet plays a significant role in reducing the risk of contamination. However, when allegations of product tampering arise, the press conferences do not normally discuss the efficacy of the organization’s SMS; the primary topic is what is being done to mitigate harm and restore confidence. This facet of risk management and mitigation requires the skillful execution of the crisis management plan to preserve and restore a reputation and allow progress toward recovery and future revenues.

The Role of Technology
So what is the role of technology in addressing the comprehensive scope of enterprise risk management?
The short answer is foundational! While best practices often evolve with a maturing industry and associated technology, an essential core of a security program is the ability to control the flow of personnel, vehicles and products into and out of company-owned — or in some cases contracted — facilities. In so doing, the organization has a heightened confidence in the identity and accountability of individuals within its facilities and in their potential for subsequent access to the risk elements identified earlier. Current technology enables the security program to accomplish this remotely, with monitoring and notification as close to real-time as the organization is willing to invest in communications infrastructure. Without this foundational programmatic element, the ability of the organization to address the comprehensive risk management task is hindered.
However, consideration must also be given to those areas where the security program and associated technology can be a contributor to the risk management program without necessarily being the primary responsible party. Management of the risks associated with Environmental Safety and Health (ES&H) is a classic example of the need for, and benefits of, collaboration. Security program support to the ES&H risk management program could take a number of forms. The enterprise SMS could be used to restrict access to designated areas to only those individuals who have had the safety-related training necessary for safe operations. Hazardous operations can be monitored by dedicated CCTV resources. In the event of an ES&H incident, the reach of the enterprise system can provide a range of functions that contribute to personnel accountability, facility integrity and real-time, site-specific visual information — all of which are key factors in mitigating the consequences of the event and expediting the return to normal operations. This could involve security assets and functions including communications, personnel mustering, facility perimeter control and trained security officer support.
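The training-gated access rule described above is the clearest point where technology and policy couple: the access control system holds the door authorizations, the ES&H program holds the training records, and entry is granted only when both agree. The following is an added illustration of that decision logic, written for this article and not taken from any SMS product; the area codes, badge numbers, course codes and expiry dates are constructed sample data, and the class and function names are assumptions.

```python
from dataclasses import dataclass, field
from datetime import date


@dataclass(frozen=True)
class AreaPolicy:
    """Entry requirements for one controlled area (constructed for illustration)."""
    area_id: str
    required_training: frozenset  # course codes that must be current to enter


@dataclass
class Person:
    """One badge holder: SMS authorizations plus training records fed from ES&H."""
    badge_id: str
    authorized_areas: frozenset                    # areas the SMS alone would grant
    training: dict = field(default_factory=dict)   # course code -> expiry date


@dataclass(frozen=True)
class Decision:
    granted: bool
    reason: str   # written to the audit trail so every denial is explainable


def evaluate_entry(person, policy, today):
    """Grant only if the physical authorization AND the ES&H training
    prerequisites both hold. Either check failing denies entry with a reason."""
    if policy.area_id not in person.authorized_areas:
        return Decision(False, f"{person.badge_id}: not authorized for {policy.area_id}")

    missing, expired = [], []
    for course in sorted(policy.required_training):
        expiry = person.training.get(course)
        if expiry is None:
            missing.append(course)
        elif expiry < today:
            expired.append(f"{course} (expired {expiry.isoformat()})")

    if missing or expired:
        parts = []
        if missing:
            parts.append("missing " + ", ".join(missing))
        if expired:
            parts.append("expired " + ", ".join(expired))
        return Decision(False,
                        f"{person.badge_id}: training gap for {policy.area_id}: " + "; ".join(parts))

    return Decision(True, f"{person.badge_id}: granted {policy.area_id}, training current")


# Constructed sample data: a hazardous chemical store requiring two courses.
CHEM_STORE = AreaPolicy("CHEM-STORE", frozenset({"HAZCOM", "CONFINED-SPACE"}))
TODAY = date(2009, 1, 27)
SAMPLE_PEOPLE = [
    Person("B-1001", frozenset({"CHEM-STORE", "LOBBY"}),
           {"HAZCOM": date(2009, 12, 31), "CONFINED-SPACE": date(2009, 6, 30)}),   # all current
    Person("B-1002", frozenset({"CHEM-STORE"}),
           {"HAZCOM": date(2008, 12, 31), "CONFINED-SPACE": date(2009, 6, 30)}),   # HAZCOM lapsed
    Person("B-1003", frozenset({"CHEM-STORE"}),
           {"HAZCOM": date(2009, 12, 31)}),                                          # never took confined-space
    Person("B-1004", frozenset({"LOBBY"}),
           {"HAZCOM": date(2009, 12, 31), "CONFINED-SPACE": date(2009, 12, 31)}),  # trained but not authorized
]


def run_sample():
    """Evaluate every sample badge against the chemical store policy."""
    return [evaluate_entry(p, CHEM_STORE, TODAY) for p in SAMPLE_PEOPLE]


if __name__ == "__main__":
    for decision in run_sample():
        print("GRANT" if decision.granted else "DENY ", decision.reason)
```

The point of keeping the two checks separate is organizational as much as technical: the security program owns the authorization list, ES&H owns the training expiry dates, and a lapsed certificate revokes access automatically without anyone having to edit the SMS by hand. The reason string is the collaboration artifact; it tells the area supervisor which of the two programs needs to act.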
Information assurance also falls into that category where the traditional enterprise security program may not provide the primary framework for risk mitigation; however, as a strategic partner, there is much to gain from addressing information-related risk factors within a converged environment. This will become commonplace as the CSO position becomes more prevalent within the corporate structure and as available hardware and software become more effective at seamlessly addressing both the physical and logical security tasks.

Administrative Policies and Procedures
There are areas where the tools provided by the security program do not constitute primary input to the organizational risk management effort. This is the point where the risk management program turns to administrative policies and procedures to define acceptable behavior in those areas where such standards cannot be enforced by technological tools. Human resources and intellectual assets may represent a risk area that is beyond the primary impact of the technological security program tools. Additionally, as alluded to earlier, planning for off-normal events must take place so that the organization has a clear and rehearsed strategy to deal with those circumstances that occur in spite of organizational efforts to preclude them. Under these conditions, the most important goal is to recover the business as quickly and as cost-effectively as possible. This will not be achieved without a well-developed crisis management plan and a program of effective training to the plan. This is an essential area where security is a key, but not necessarily the primary, contributor to the general well-being of the organization.
Clearly, enterprise risk management is not effectively addressed solely with an enterprise-scale security management system. However, it unquestionably provides foundational functions from which all other aspects of the total risk management program can derive benefit. In those areas where risk management strategies go beyond technology solutions, the security program in total is in a unique position to provide key input and support at the senior level. The task is to manage risk with whatever tools are available to suit the need.

Randall R. Nason, PE, CPP is a corporate vice president and manager of the Security Consulting Group at C.H. Guernsey and Co. His experience spans a broad spectrum of the security profession including threat assessment, vulnerability analysis and master plan development through complete system design, construction management and design-led build projects. He has also designed and conducted full-scale emergency response exercises for a federal agency and prepared crisis management plans for public and private entities. Mr. Nason is a member of the ASIS Council on Security Architecture and Engineering.