Enterprise Security Risk Management (ESRM): Just how clear is the objective, intent and likely outcome?
Whereas Enterprise Risk Management (ERM) asserts the management of risk across an entire business, organisation or enterprise, Enterprise Security Risk Management (ESRM) posits the necessity of adding security as a subsequent inclusion, on the premise that ERM omits adequate consideration of dynamic, agile, adaptive human threats seeking to circumvent or intentionally breach the controls, preventions, policies and protective measures applied to assets across tangible and intangible realms.
"Enterprise security risk management (ESRM) is a strategic approach to security management that aligns an organisation's security practices to its overall strategy using globally established and accepted risk management principles" - ASIS International
Defined: "The ESRM approach addresses the full scope of security risk mitigation practices, including physical security, cyber security, information security, loss prevention, organisational resilience, brand protection, travel risk, supply chain security, business continuity, crisis management, threat management, fraud risk mitigation, and workplace violence prevention." - ASIS International
"Security: The condition of being protected against hazards, threats, risks, or loss" - ASIS International
To the uninitiated, or for those outside the groupthink, that seems to cover a considerable range of definitions, concepts, disciplines and constructs rarely deposited in any one person, department or organisation.
Linguistics, definitions, intent, perception and cognition aside, the ESRM approach does repeatedly insist on the requirement for assessment and analysis of matters and factors that may present a risk to organisational assets, including those which may reside within conventional or traditional security disciplines.
In other words: no evidence of threat or vulnerability, no specific or valid management of risk.
The pursuit of security risk management within an organisation or enterprise is in reality the pursuit of a strategy and supporting process that protects all assets within the reasonable responsibility of the organisation.
Therefore, inadequate or incomplete coverage exposes assets to threats and hazards, and the enterprise to risk.
As a result, coverage should feature as a metric for efficacy.
That is, does either ERM or ESRM cover the organisation in its entirety or is it artificially/conveniently constrained to select assets, activities, events and processes?
This includes various concepts and application of security as a value chain.
However, it is important to note that security, applied as a blunt, non-contextual instrument, takes significantly more than it gives. Perspective, representation and holistic consideration are therefore paramount for ensuring that security is not merely the over-emphasis and representation of one person's, department's, organisation's or country's will... which in turn imposes loss, sacrifice and sufferance on those not included under the umbrella of security, protection or management of risk.
This is especially so where science is invoked as the reasoning or justification for security or any other form of risk management.
An efficacy test for security risk management at an enterprise level is simple enough, like most qualitative and quantitative evaluations of risk at an enterprise level.
That is, don't start with the source documentation, mission, policy or collective assemblage of matters considered or tagged as either risk or security related.
Randomly pick any one or group of assets, activities, value or processes within an organisation and request, then analyse, the specific assessments and evaluations for management of security and risk that inform the view of threat, harm, danger and therefore the risk management (ERM & ESRM) process.
Repeat this a few times.
In the event that any one factor (no matter how small, obscure, intangible or complex) is not currently documented, assessed or considered to an acceptable, evidence-based level within an organisation asserting enterprise security/risk management... then the entire premise is invalid and unsubstantiated.
In reality, what you most likely have is a curated, convenient, ad-hoc, abstract and inconsistent set of theories associated with security and risk management, concealed under the blanket of big notions, standards and practices that in fact fail to provide security and/or risk management to all assets, at all times, in all contexts.
A lack of disclosure or adequate understanding of these exclusions and oversights remains the basis for many legal claims, litigation, harm, errors and public/private inquiries.
The big question for most organisations is... do you look, or even care?
Tony Ridley, MSc CSyP MSyI M.ISRM
Security, Risk & Management Sciences
Reference:
ASIS International (2019). Enterprise Security Risk Management.