Understanding the ESRM Guideline
In 2019, ASIS International released the Enterprise Security Risk Management (ESRM) Guideline, which takes a different approach from traditional security management. The guideline was launched at the Global Security Exchange (GSX) in September 2019, and the accompanying ESRM Maturity Model is now available on the ASIS website.
The new guideline is the first strategic security management tool of its kind, elevating the security function by encouraging a partnership between security professionals and business leaders to manage security risks.
ESRM is an approach to security management that focuses on risk-based decisions and partnerships with asset owners, and it requires taking a holistic view of overall security risk. A core principle follows from this: whoever owns an asset in the enterprise also owns the risk to that asset, and the security function advises on that risk rather than owning it.
The objective of ESRM is to identify, evaluate and mitigate the likelihood and/or impact of security risks to the organization with priority given to protective activities that help enable the organization to advance its overall mission. ESRM positions the security professional as a trusted advisor to help guide asset owners through the process of making security risk management decisions.
ESRM recommends that security professionals maintain an understanding of the organization’s overall strategy, including its mission and vision, core values, operating environment, and stakeholders. Understanding this context will enable security professionals to effectively support and align with the organization’s strategic goals.
The new guideline further outlines how the ESRM Cycle is built on a foundation of transparency, governance, partnership with stakeholders, and holistic risk management. By continually repeating the ESRM Cycle, security professionals can bring ESRM practice to maturity and maintain high performance over time.
In addition, ASIS offers a survey that helps users gauge the maturity of their ESRM programs. Even security professionals without a full ESRM program can use it to identify which aspects they may already have in place. ASIS will use the survey data to identify areas of need and create educational materials to help users advance their program's level of maturity.
What are the specifics of the ESRM approach? How can an organization implement ESRM? What are the benefits of doing so? These are all common questions, which this article is meant to address.
Reasons for Adoption
According to David R. Feeney, CPP, advisory manager, cyber and physical security risk services, at Deloitte and chair of the ASIS ESRM Guideline Technical Committee, “For organizations considering adopting ESRM, there are some potential benefits of the approach for the organization, stakeholders and security professionals.”
For the organization, Feeney says, “ESRM provides a mechanism to elevate identified security risks to top management, which in turn can improve the organization’s security program.” Security risk can be more effectively and efficiently managed. For stakeholders, “ESRM offers increased engagement with security professionals, which allows stakeholders to develop a consistent and more accurate understanding of the security function’s role. Through increased communication with security professionals, stakeholders’ priorities are more effectively communicated and understood. By positioning security professionals as trusted advisors instead of authoritarian enforcers, the stakeholders are more inclined to share their insights and priorities…which leads to increased inclusion in the security risk management process,” Feeney says.
For security managers, “By taking the time to understand the context of ESRM initially, many security professionals will benefit from a broader and deeper understanding of the organization and its overall strategy,” he says.
Rachelle Loyear, VP of Integrated Security Solutions for G4S Americas, leads the G4S Security Risk Management and Integrated Practices management office, helping G4S customers adopt this risk-based business approach as part of their holistic security programs. Loyear was also part of an ASIS technical committee that developed a business resiliency standard.
Of the ESRM guideline, Loyear says, “I like the plurality of it, as it shows how to add structure to things that security executives are already doing, while giving them a few more procedures to channel some of the things that they already have in place. The guideline can help enterprise security to change the way they view what they do each day to get more done. It’s a slight change from being an enforcement function to a true partner and sending the message that I’m really here to help you.”
“One of the underlying themes is transparency,” she adds, “but sometimes in security that’s considered a dirty word. A level of transparency builds trust and partnerships, and having transparency published is a good thing.”
At GSX 2019, Loyear says she noticed in pre-conference ESRM sessions how attendees were “pleased with the amount of focus on soft skills that was in the guideline. It gives enterprise security the ability to have a better focused conversation with business units, to learn and to be more well-rounded.”
There are a number of components of ESRM, as described in the ASIS ESRM Guideline, that help convey what specific actions should be taken to adopt and embrace ESRM as a security risk management process. Those components (the context of ESRM, the ESRM cycle, and the foundation of ESRM) will be discussed in future articles.