What is Enterprise Security Risk Management?
Enterprise Security Risk Management (ESRM) is a strategic approach to security management that applies risk management principles. This management philosophy can be applied to any area of security and any task performed by security, such as physical security, cybersecurity, information security, investigations, loss prevention, organizational resilience, brand protection, travel risk, supply chain security, business continuity, crisis management, threat management, fraud risk management, and workplace violence prevention. A holistic ESRM program can be designed based on the ASIS guidelines, which are implemented by identifying, evaluating, and mitigating the security risk areas of an enterprise so that it can reach its business objectives [1]. The ESRM cycle includes the following four processes:
- Identifying and prioritizing assets. Anything that adds value to your organization is considered an asset. Asset owners are responsible for mitigating the risk areas of their assets to a level that your organization considers acceptable. Assets should be valued and prioritized based on your organization’s goals and objectives. The value of an asset could be based on its cost, its replacement cost, or the operational and reputational impact of its unavailability.
- Identifying and prioritizing risk. Conduct a risk assessment of your organization’s assets by identifying risk based on the enterprise risk assessment methodology. This methodology should determine the risk level based on threats, vulnerabilities, impact, probabilities, and asset value. Once a risk level is determined for each risk, it is compared with the acceptable risk value. Risk areas that exceed the acceptable value are called “high risk”, and risks that match or are below the acceptable level are called “low/acceptable risk”. Prioritizing risk involves listing the risk areas in rank order from high risk to low/acceptable risk, which is their order for mitigation.
- Mitigating the prioritized risk. Risk treatments can include:
  - Risk mitigation: High risk areas need to be brought down to an acceptable risk level through risk mitigation
  - Risk acceptance: Risk scenarios are accepted based on an organization’s risk tolerance level/risk appetite
  - Risk transfer: Risk can be transferred through outsourcing or insurance
  - Risk avoidance: Risk can be avoided by changing or discontinuing certain operations
- Continuous security program improvement. The ESRM cycle is based on continuous improvement of the four processes through assessment, mitigation, and monitoring. Investigations and analysis, information sharing, and incident response contribute to continuous improvement by tracking and analyzing past experiences in order to apply new knowledge and insights that may help to improve and update the security program.
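The first three processes of the cycle (value assets, score risks against the acceptable level, rank them and assign a treatment) as a small risk register. This is an added example, not code from ASIS or from the guideline; the 1–5 ordinal scales, the multiplicative scoring formula, the acceptable value of 50 and the sample assets and threats are all constructed assumptions, since the guideline names the factors but prescribes no formula.

```python
from dataclasses import dataclass

ACCEPTABLE_LEVEL = 50  # constructed: the organization's acceptable risk value


@dataclass(frozen=True)
class Asset:
    name: str
    value: int  # process 1: 1-5, from cost, replacement cost or impact of loss


@dataclass(frozen=True)
class Risk:
    asset: Asset
    threat: str
    vulnerability: int  # 1-5 ordinal scales are an assumption of this example
    probability: int
    impact: int

    def level(self) -> int:
        # Assumed scoring: the guideline lists these factors but gives no formula.
        return self.asset.value * self.vulnerability * self.probability * self.impact


def classify(risk, acceptable=ACCEPTABLE_LEVEL):
    """Process 2: compare the risk level with the acceptable value."""
    return "high risk" if risk.level() > acceptable else "low/acceptable risk"


def prioritize(risks, acceptable=ACCEPTABLE_LEVEL):
    """Rank from the highest level down; this is the order for mitigation."""
    ranked = sorted(risks, key=lambda r: r.level(), reverse=True)
    return [(r.asset.name, r.threat, r.level(), classify(r, acceptable)) for r in ranked]


def treatment_plan(risks, acceptable=ACCEPTABLE_LEVEL, overrides=None):
    """Process 3: high risks are mitigated unless an explicit accept/transfer/avoid
    decision is recorded; low/acceptable risks are accepted as they are."""
    overrides = overrides or {}
    plan = {}
    for name, threat, _level, cls in prioritize(risks, acceptable):
        key = (name, threat)
        plan[key] = overrides.get(key, "mitigate") if cls == "high risk" else "accept"
    return plan


# Constructed sample register (not real data); expected levels in comments
DB, LOBBY, SITE = Asset("customer database", 5), Asset("lobby badge readers", 3), Asset("marketing website", 2)
REGISTER = [
    Risk(SITE, "defacement", 2, 2, 2),   # 2*2*2*2 = 16  -> low/acceptable
    Risk(LOBBY, "tailgating", 3, 4, 2),  # 3*3*4*2 = 72  -> high
    Risk(DB, "ransomware", 4, 3, 5),     # 5*4*3*5 = 300 -> high, ranked first
]
```

Running `prioritize(REGISTER)` yields the ranked rows, and `treatment_plan(REGISTER, overrides={("lobby badge readers", "tailgating"): "transfer"})` records that the badge-reader risk is transferred (for example, through insurance) while the database risk is mitigated and the website risk is accepted.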
[1] ASIS International, 2019, “Guidelines: Enterprise Security Risk Management”