Enterprise Security Risk Management: A Security Programme Maturity Model

As one of its stated strategic initiatives, ASIS International has been actively involved in promoting the adoption of Enterprise Security Risk Management (ESRM). ESRM is a strategic security programme management approach that ties an organisation’s security practice to its mission and business goals using globally established and accepted risk management principles. Rachelle Loyear, Mike Hurst, Michael Gips, Tim McCreight and Tim Wenzel delve into the fine detail for the benefit of practising security managers.

ESRM recognises that security responsibilities are shared by both security and business leadership, but that all final security decision-making is the responsibility of business leaders. The role of the security leader in ESRM is to manage security vulnerabilities to enterprise assets in a risk decision-making partnership forged with the organisation’s leaders in charge of those assets.

When the ESRM approach is applied, ‘Security’ changes its primary driver in the overall organisation from being a group that performs a set of tasks to a role: a role of managing holistic security risk, partnering with the business leaders of the organisation to mitigate that risk in line with business tolerances and enabling the organisation to continue to fulfil its primary business mission with assets protected in line with their business value.

Rachelle Loyear CISM MBCP

Rachelle Loyear CISM MBCP

Security is no longer just about checking IDs at entrance gates, installing anti-virus software or trying to keep retail store employees from stealing. Those are tasks. Under ESRM, security is more about ensuring that all of those tasks are done within an agreed-upon business model that weighs security risk against tolerable business impact and manages security risk mitigation within that model.

That doesn’t mean those tasks are not important anymore. However, it does mean that, when they’re performed, they’re performed for a reason. ESRM means security decisions are made by the right person, with the right authority and accountability and for the right reasons. Reasons based on defined risk principles.

What does ESRM mean in practice?

What does all of this mean in practice, then? In its simplest terms, it means that instead of just ‘doing security’ the way we always have, we first ask ourselves some fundamental – and fundamentally important – questions. Here are a few of the most basic: What’s the asset we need to protect? What’s the risk associated with that asset? Who’s responsible for that risk?

These questions, when presented in the forthcoming ASIS ESRM Guidelines document (to be published later on this year) align to the formal ESRM life-cycle as follows:

*Identifying, understanding and prioritising the assets of an organisation that need protection

*Identifying and prioritising risks​: identifying, understanding and prioritising the security threats the enterprise and its assets face – both existing and emerging – and, critically, the risks associated with those threats

*Mitigating prioritised risks​: taking the necessary, appropriate and realistic steps to protect against the most serious security threats and risks​

*Improving and advancing: conducting incident monitoring, incident response and post-incident review – learning from both successes and failures – and applying the lessons learned to advance the programme​

Implementing an ESRM programme is a process that must take into account all of the phases of the life-cycle.  Transitioning from a traditional security approach to an ESRM programme isn’t an overnight event, but rather a journey towards a mature, risk-focused programme that takes time and commitment from both the security leader and team and the various business leaders in the enterprise organisation.

Beginning the process means stepping back from our day-to-day operations and determining how well we’re already managing with an ESRM approach, and how far we have to go to meet the ESRM goals of the organisation. Continuing it requires an identified target to which the organisation agrees and outlining a path towards it.

Path towards optimised ERSM

An iterative improvement model for ESRM focuses on first embracing the ideas of ESRM and rolling the approach into the security approach from ad hoc to optimised over time. Accessing and using the ASIS ESRM Maturity Model is the first step towards understanding where you are on the path and how you can go about getting to where you want to be. 

A mature ESRM programme encompasses all aspects of security risk mitigation practices: physical security, cyber security, information security, loss prevention, asset management, threat management, organisational resilience, workplace violence, fraud, brand protection, travel safety and all other practices undertaken to prevent security risk impacts to the enterprise.

Set against that backdrop, ASIS International has developed a tool to allow security leaders to see where they stand in six aspects of their security programme in order to determine where they want to be in the future. They can then begin to identify the gaps and develop a path towards closing them.

How does it work? The model defines the maturity steps organisations can benchmark against to evaluate themselves on a continuum between low and high ESRM maturity. Survey takers answer a series of questions using the one-to-five rating in these areas: Programme Strategy, Programme Governance, Organisational Understanding and Awareness, Programme Implementation and Application, Programme Management and Advancement and the Alignment of Security Risk Mitigation Activity.

These maturity levels are defined between Level 1 and Level 5 on a continuum where Level 1 represents approximately the tenth percentile of maturity and Level 5 approximately the 90th percentile of practice. Instructions in the tool itself help survey takers understand how to answer the questions and reach appropriate ratings, which themselves range from ad hoc to optimised:

*Ad Hoc: Processes at this level are (typically) undocumented and in a state of dynamic change, tending to be driven in an ad hoc, uncontrolled and reactive manner by users or events. Risk knowledge is limited to a few key personnel, with no cross-training between security teams/groups and departments. This provides a chaotic or unstable environment for the processes

*Repeatable: Processes are repeatable, possibly with consistent results. Process discipline is unlikely to be rigorous, but where it exists it may help to ensure that existing processes are maintained during times of stress. Cross-functional teams are mostly in place and roles/responsibilities regarding risk knowledge are generally understood

*Defined: Processes at this level are defined and documented and subject to some degree of improvement over time. These standard processes are in place and used to establish consistency of process performance across the organisation. Cross-functional teams are in place, ESRM knowledge is transferred between teams and roles/responsibilities regarding risk knowledge are well defined

*Managed: Using process metrics, management can effectively control the process. In particular, management can identify ways in which to adjust and adapt the process to particular projects without measurable losses of quality or deviations from specifications. Cross-functional teams are adequately staffed for ESRM, performance for these teams is measured and ESRM development/training programmes are in place for teams across the organisation

Optimised: At this level, the focus is very much on continually improving programme performance through both incremental and innovative changes and improvements. ESRM performance metrics are measured and optimised and drive team actions

What are the results? The tool provides the end user with a set of graphs showing their current state versus their desired future state. These results will help security leaders understand what aspects of their ESRM programme need attention and to seek out standards, guidelines, colleagues, teams, education, articles and other career-development tools that can help both themselves, their departments and their organisations better manage their security risk.

Next Steps for ASIS, ESRM and the model 

Mike Hurst CPP

Mike Hurst CPP

When deciding from whom to seek responses, ASIS International started with a qualitative survey of senior corporate security professionals drawn from the ASIS global membership of 34,000. Once an initial pilot was completed, ASIS opened the tool to the entire global membership, allowing anyone who’s an ASIS member to participate and gain results to deepen their understanding of where they are in their own ESRM journey.

The data collected by ASIS in this tool is anonymous and not directly tied to the participating organisations.  However, as an aggregated set of data, the story told by the results of many enterprises participating in the survey will help ASIS to discover the most common maturity gaps, understand what types of standards, practices and education can best serve both ASIS’ membership and the global security industry at large and tailor new development, standards and guidelines in order to help security professionals become better security risk managers and better business partners and more effectively protect their organisations over time.

Rachelle Loyear CISM MBCP is Vice-President of Integrated Security Solutions at G4S (US), Mike Hurst CPP MSyI FIRP is Vice-Chairman of ASIS UK and Director of HJA Consult, Michael Gips CPP CSyP is Chief Global Knowledge Officer at ASIS International, Tim McCreight CPP is Corporate Security Manager (Cyber) in the City of Calgary and Tim Wenzel CPP CISSP is a Specialist in ESRM

About the Author
Brian Sims BA (Hons) Hon FSyI, Editor, Risk UK (Pro-Activ Publications) Beginning his career in professional journalism at The Builder Group in March 1992, Brian was appointed Editor of Security Management Today in November 2000 having spent eight years in engineering journalism across two titles: Building Services Journal and Light & Lighting. In 2005, Brian received the BSIA Chairman’s Award for Promoting The Security Industry and, a year later, the Skills for Security Special Award for an Outstanding Contribution to the Security Business Sector. In 2008, Brian was The Security Institute’s nomination for the Association of Security Consultants’ highly prestigious Imbert Prize and, in 2013, was a nominated finalist for the Institute's George van Schalkwyk Award. An Honorary Fellow of The Security Institute, Brian serves as a Judge for the BSIA’s Security Personnel of the Year Awards and the Securitas Good Customer Award. Between 2008 and 2014, Brian pioneered the use of digital media across the security sector, including webinars and Audio Shows. Brian’s actively involved in 50-plus security groups on LinkedIn and hosts the popular Risk UK Twitter site. Brian is a frequent speaker on the conference circuit. He has organised and chaired conference programmes for both IFSEC International and ASIS International and has been published in the national media. Brian was appointed Editor of Risk UK at Pro-Activ Publications in July 2014 and as Editor of The Paper (Pro-Activ Publications' dedicated business newspaper for security professionals) in September 2015. Brian was appointed Editor of Risk Xtra at Pro-Activ Publications in May 2018.

Related Posts