9 Oct 2015
Enterprise security strategies identify liabilities and ways to mitigate risks, showing how the cost of mitigation prevents larger liability costs

The security profession continues to take on new risk management responsibilities. The big thing now is called Enterprise Security and Risk Management (ESRM). ASIS International has issued a standard on the subject, ANSI/ASIS/RIMS RA.1-2015, and a couple of booths at the recent ASIS International 2015 Seminar explored the subject.

Mitigating risks

“Enterprise Risk Management or ERM is a common business term, so we differentiate ERM from the security world by adding the word security to it,” says Ray O’Hara, CPP, Executive Vice President in the Palm Desert, California, offices of AS Solution.

The growth of multi-national business enterprises with multiple locations domestically and internationally has given rise to this new and multi-faceted form of security. “ESRM covers a myriad of areas that need to be protected today,” says O’Hara.

O’Hara lists domestic and foreign executive travel, manufacturing and production facilities here and around the world, third-party manufacturing facilities, executive offices, intellectual property and the supply chain that ties all of these assets together. ESRM requires continuous risk and vulnerability assessments, too, because the risks change with circumstances.

“What if I have a tractor trailer with electronic equipment sitting in an unsecured truck yard 2,000 miles from its destination?” asks O’Hara. “Do I care? If I transfer the responsibility to the shipper and the shipper’s insurance, I don’t care. Then again, what if I have a customer with a deadline waiting for that equipment? Now I do care. Effective protection requires corporate security to identify all risks — in every department — and rank them as low, medium or high. Then, where appropriate, you mitigate risks to a level that the company can absorb.”

Senior executive buy-in

For an ESRM programme to succeed, senior corporate executives must endorse it and actively support it, continues O’Hara. Suppose you walk into the Human Resources department to discuss risks involved in hiring people around the globe. Suppose further that you have discovered that HR is using a questionable (and inexpensive) service to conduct background checks, and you would like to address that risk.

If the Director of Human Resources doesn’t have time for you, you will need to be able to ask the CEO to tell the director to make time, listen to what you have to say and to act on the advice you give.

Without the active support of senior executives, ESRM programmes addressing departmental risks throughout every department and in facilities around the world cannot succeed. How does a security department generate that kind of support?

Developing enterprise security strategy

According to O’Hara, you have to develop an enterprise security strategy, present it to C-Suite executives and show them how your strategy synchronises with the corporate business strategy. The presentation identifies risks and liabilities, recommends ways to mitigate those risks, and shows how the cost of mitigation can prevent much larger liability costs.

“Mitigation measures could be insurance, where you transfer the risk to someone else,” O’Hara says. “It could be security technology, security patrols, better background checks. It all depends, of course, on the nature of the problem right now.”

For example, explains O’Hara, suppose you have protected a warehouse that is storing a custom-made inventory worth a million dollars awaiting delivery to customers. You’ve secured the warehouse with card access locks, intruder alarms and several cameras. For good measure, you have a security guard swing by a couple times each night.

As the inventory is picked up and trucked away to customers, the financial risk declines. At some point, you might decide the risk isn’t great enough to send the security officer to check on the merchandise.

By the time the warehouse empties out, you won’t need anyone to monitor the surveillance cameras. Depending on when you expect the warehouse to fill up again and the value of the materials, you could move one or all of those cameras to another location.
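The reasoning in this section (rank each risk low, medium or high, keep a control only while the liability it prevents outweighs its cost, and rescale controls as the exposure changes) can be written down as a small model. The Python below is an added example, not code from the article or from AS Solution; the warehouse value, the theft likelihood, the control costs and reductions, and the risk appetite are all constructed figures.

```python
"""Toy ESRM risk model (added example; all figures are constructed).

Each risk is scored as expected loss (impact x likelihood), banded against
the loss the company is willing to absorb, and mitigated with the most
cost-effective controls first.  A control is kept only while the expected
loss it prevents exceeds its own cost, and the assessment is re-run as the
value on site changes, as in the warehouse illustration above.
"""
from dataclasses import dataclass
from typing import List, Tuple


@dataclass(frozen=True)
class Control:
    name: str
    annual_cost: float            # cost of keeping the control in place
    likelihood_reduction: float   # fraction of loss likelihood it removes, 0..1


@dataclass(frozen=True)
class Risk:
    name: str
    asset_value: float            # loss if the event happens
    base_likelihood: float        # annual probability with no controls


def expected_loss(asset_value: float, likelihood: float) -> float:
    """Annualised expected loss = impact x likelihood."""
    return asset_value * likelihood


def rank(loss: float, appetite: float) -> str:
    """Band a loss figure against the level the company can absorb."""
    if loss <= appetite:
        return "low"
    if loss <= 5 * appetite:
        return "medium"
    return "high"


def plan_controls(risk: Risk, controls: List[Control], appetite: float) -> Tuple[List[str], float]:
    """Apply controls most cost-effective first; keep one only if the loss it
    prevents exceeds its cost; stop once the residual is absorbable.
    Returns (names of controls kept, residual expected loss)."""
    likelihood = risk.base_likelihood
    kept: List[str] = []
    # lowest cost per unit of likelihood removed first; name breaks ties
    ordered = sorted(controls, key=lambda c: (c.annual_cost / c.likelihood_reduction, c.name))
    for control in ordered:
        residual = expected_loss(risk.asset_value, likelihood)
        if residual <= appetite:
            break  # already at a level the company can absorb
        prevented = residual * control.likelihood_reduction
        if prevented > control.annual_cost:
            kept.append(control.name)
            likelihood *= 1.0 - control.likelihood_reduction
    return kept, expected_loss(risk.asset_value, likelihood)


# Constructed warehouse scenario: locks, alarms, cameras and a patrol.
WAREHOUSE_CONTROLS = [
    Control("card access locks", annual_cost=2_000, likelihood_reduction=0.40),
    Control("intruder alarms", annual_cost=3_000, likelihood_reduction=0.50),
    Control("monitored cameras", annual_cost=10_000, likelihood_reduction=0.30),
    Control("guard patrols", annual_cost=20_000, likelihood_reduction=0.50),
]
RISK_APPETITE = 10_000  # expected annual loss the company will absorb (constructed)


def warehouse_schedule(inventory_values, controls=WAREHOUSE_CONTROLS, appetite=RISK_APPETITE):
    """Re-run the assessment as stock ships out and the value on site falls."""
    schedule = []
    for value in inventory_values:
        risk = Risk("warehouse theft", asset_value=value, base_likelihood=0.20)
        gross = expected_loss(value, risk.base_likelihood)
        kept, residual = plan_controls(risk, controls, appetite)
        schedule.append({
            "inventory": value,
            "gross_rank": rank(gross, appetite),
            "controls": kept,
            "residual_rank": rank(residual, appetite),
            "residual_loss": round(residual, 2),
        })
    return schedule


if __name__ == "__main__":
    for row in warehouse_schedule([1_000_000, 700_000, 300_000, 0]):
        print(f"{row['inventory']:>9,}  gross={row['gross_rank']:<6} "
              f"residual={row['residual_rank']:<6} {row['residual_loss']:>9,.0f}  "
              f"controls={', '.join(row['controls']) or 'none'}")
```

With these figures the model reproduces the article's sequence: at a million dollars of stock every control pays for itself, the guard patrol is the first to go as stock ships out, the cameras follow, and an empty warehouse needs none of them. The residual rank staying "medium" while the guard and cameras are dropped is deliberate: past that point each control costs more than the loss it prevents, which is where O'Hara's "do I care?" question points to transferring or accepting the remainder rather than spending more on it.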

Enterprise Security and Risk Management is the next big thing for security professionals — and it is a very big, comprehensive thing.