As security continues to move from a support function to a critical business partner, industry professionals have worked to master such skills as financial management, leadership, team building, and strategic thinking. With these skills in hand, security professionals now need a platform to allow them to manage at a higher level and integrate security needs throughout the organization while also overseeing the convergence of operational security and cybersecurity. This platform is enterprise risk management (ERM).
However, the concept of ERM can easily get lost in industry jargon or be used as a convenient, but empty, buzzword. To get to the heart of ERM, security professionals must determine the various ways that ERM is being defined and deployed and how it is influencing organizations to take action.
ERM is a holistic process used by organizations to manage risks and capitalize on opportunities. The process covers all the risks that may arise in the course of pursuing an organization's objectives. ERM focuses on questions related to the likelihood of each risk and the degree of impact it would have on the organization if it occurred. Finally, ERM uses metrics to ensure conformance to internal and external standards; the same metrics can also be used for continuous process improvement. ERM can be a slippery term, however, because it means different things in different industries. Historically, for example, ERM in financial institutions has focused on financial risks, largely to the exclusion of security-based risks.
It is also worth mentioning that many organizations have ESRM (enterprise security risk management) programs in effect. ESRM, which has been called the on-ramp to a full-blown ERM program, covers the risks that security professionals or departments can expect to be involved in and in which they have some experience and expertise. ESRM might include loss prevention, investigations, background screening, audits, and antifraud measures, for example, but not such topics as process risks, currency fluctuations, and liquidity risks. These latter issues would, however, typically fall within an ERM program.
For the purposes of this article, ERM includes input from the security department and is roughly equivalent to what other organizations might call ESRM. In the following discussion, several consultants weigh in on how they engage their clients to use the ERM method by gaining commitment from executives and defining the problem. The consultants then present case studies that illustrate the power of the process.
Since ERM requires a collective perspective and commitment, executive leadership is indispensable. According to Jeff Slotnick, CPP, PSP, and CSO of OR3M, an endeavor of this nature needs firm leadership from the top of the organizational structure. "There should be one person with absolute decision-making authority who is directly responsible for the ERM process and keeps stakeholders informed," he says. "In many organizations this is the chief security officer, or CSO. The CSO should be a full partner in the governance infrastructure of the organization. If a comprehensive assessment of any area of risk supports the need for a function-specific security role, the assignment of high accountability ensures an integrated security strategy, with less duplication of effort and overall cost."