Identifying and mitigating risks across an organization is the purview of enterprise risk management (ERM), which may entail everything from avoiding litigation to assessing credit risk. A subset of ERM is enterprise security risk management (ESRM). It encompasses the more traditional security risks, such as asset protection, as well as broader security issues, such as safety, IT security, and brand integrity. The goal of both ERM and ESRM is to transcend traditional management silos to improve risk assessment and reduction. Security professionals who know how to facilitate ESRM and fit it within the broader ERM landscape will have a permanent seat at the C-suite table.
Security systems and services giant Diebold, Inc., established an ESRM model three years ago with the help of an outside consultant. In the company’s model, a committee of vice presidents from each of the functional areas participates in the initial review of broad security-related risks that the company could face globally. After the initial review, a subset of risks is addressed by affected groups whose members look at risk projections as well as mitigation efforts, says Scott Angelo, Diebold vice president and chief security officer. Results are reported through the senior vice presidents to the president and CEO.
In addition, the company established a formal Governance Risk and Compliance Oversight Board (GRCOB) to address risk related to industry regulations with which the company must comply. GRCOB members represent the lines of business that deal directly with Diebold’s customers: security and professional services, manufacturing, global software development, security operations, and sales. Other groups—such as human resources, legal, and internal audit—are brought in as needed.
The GRCOB reports to the audit committee and provides strategic planning, direction, and oversight to help subsidiaries or affiliates address risk management and compliance in a timely manner. The responsibilities, accountability, and charter of the GRCOB were set by Diebold’s board of directors.
Diebold’s approach is just one example of ESRM.
Greg Acton, CPP, director of global safety and security at mobile products company Palm, Inc., uses a different approach. He looks for root causes of the risks he wishes to mitigate by asking “the five Ws,” and he then models processes around the answers to those questions.
The models for what constitutes enterprise security risk management are exceptionally diverse. “Every model will be specific to your company,” says Dan Hooton, CPP, group security advisor, operations at Prudential PLC, an international financial services company headquartered in London. He emphasizes that the model needs “constant review to make sure it is relevant.”
There are some commonalities across models, however, such as the identification of critical processes, alignment of security objectives to the business, and a risk mitigation phase. The emphasis is on making sure that all the business organizations can demonstrate that their operational risks are being identified, prioritized, remediated, and responded to in a manner consistent with their significance and value to that business, says William C. Boni Jr., security director at communications conglomerate Motorola, Inc.
Leadership buy-in is also a factor. At most organizations, the board of directors is involved at least in periodic reviews of the risk model, its assessment, or the identification of specific risks to the organization. Often, that communication is a two-way street, with the board giving feedback on risk decisions. If the board does not become involved, the C-suite certainly does.
The level of interest within the organization can depend on the risk. “At the ERM macro level, you are talking about risks in the hundreds of millions of dollars,” says Boni.
According to Boni, Motorola established its ERM program seven years ago under the aegis of a new audit director. Boni, then the information security officer, was involved in the program from its inception along with other operational risk subject matter experts from such groups as human resources, finance, business leadership, technology, and engineering.
The risk management director, who reported to Boni, was assigned to set up the overall ERM protocols, including communication strategies and assessment tools for the global company. Outside consultants helped initially, but the templates, spreadsheets, and databases were designed specifically for Motorola.
Boni demonstrates ROI for specific recovery efforts by first establishing a baseline for typical industry expectations worldwide. By comparing Motorola’s controls with the baseline, Boni can demonstrate very specific reductions in revenue-at-risk and recovery values.
When Bob Hulshouser, CPP, was hired five years ago to be manager of corporate security services for the Las Vegas Valley Water District (LVVWD), his title did not reflect an enterprise risk management function. However, the utility’s management looked at his security job as a “synergistic arrangement where I would reach out to all functions in the company,” he says. He served as a catalyst to bring the security culture to the other levels and involve security with their processes. “They didn’t call it ERM,” he adds, but “ERM is integrated with everything we do.”
Hulshouser advocates learning different risk approaches by talking to other executives throughout the company. “You can’t protect the enterprise unless you know what their unique concerns are and how your organization blends with theirs.”
Collaboration is key, agrees Evan Wolff, director of homeland security practice at Hunton & Williams, an international law firm that consults on risk issues. That means understanding everyone’s individual objectives based on their responsibilities and knowledge of the risks inherent in their processes, he says, adding “And that’s where the enterprise security risk management model will shine.”