What is ESRM (Enterprise Security Risk Management)?
Enterprise Security Risk Management, ESRM, is an approach to security management that focuses on the partnership between business owners and security professionals. In this approach, asset owners are responsible for the risks and making decisions to manage them. Rather than being viewed as a separate authoritative entity, the security team will support and guide asset owners through the risk management decision-making process.
The partnership incentivizes a business’s stakeholders to work more closely with the security team to ensure that all assets are prioritized and properly protected. Additionally, the security team develops a better understanding of an organization’s assets and how best to protect them. In turn, they become a partner in protecting the overall mission of a business.
By considering and prioritizing all security risks and implementing a risk management plan for each asset, the ESRM approach works to create a more effective and efficient approach to security risk management for businesses and their security teams. In this philosophy, an organization’s security team and stakeholders must consider potential security risks and incidents before they even occur.
Learn more about Enterprise Security Risk Management and how you can implement it in your business or security team below.
Before Implementing ESRM
Before implementing Enterprise Security Risk Management, both the security team and the asset owners must first understand the context of the security program, the organization, and the broader environment in which both operate. ESRM operates on the principle that you cannot properly protect what you do not understand, so this is an essential first step. Important aspects to consider are the overall mission and vision of the organization, including its purpose and its short-term and long-term goals. The security team must also learn the key aspects of the organization's internal and external operating environment in order to protect it effectively. The security team's goal should be to show how it can enable or improve the business.
The Foundation of ESRM
The ESRM approach to security risk management should be based on a foundation supported by the following four pillars:
Holistic Risk Management: Enterprise Security Risk Management should consider all types of security risks, including:
Partnership with Stakeholders: Security professionals are positioned as trusted partners and advisors to asset owners rather than as authorities who unilaterally define and enforce security policy.
Transparency: The security team must be transparent with an organization’s stakeholders about the nature of identified risks and use the ESRM process to identify, prioritize, and mitigate them.
Governance: Rather than depending on an individual to lead the risk management discussions and make decisions, the organization should create a governing body or committee to handle those tasks.
By creating a strong and informed foundation, the security risk management team of security professionals and stakeholders can begin the ESRM cycle.
The Enterprise Security Risk Management Cycle
- Identify and Prioritize Assets: The first step of the ESRM cycle is to identify and prioritize the organization's assets. Understanding an asset begins with identifying it, locating it, and establishing why it matters to the organization. To prioritize assets, the risk management team evaluates the impact that losing or compromising each asset would have on the organization's ability to execute its mission. This step produces a prioritized asset list shared by the asset owners and the security team.
- Identify and Prioritize Risks: Once the organization's assets have been understood and prioritized, the risks to them are identified and prioritized. The security team, in partnership with the asset owners, determines the risk level for each asset based on the threats to it, its vulnerabilities, the impact and probability of a loss, and the estimated value of the asset. Each identified risk is then assigned a risk value and compared against the level of risk the asset owner is willing to accept: a risk whose value exceeds that acceptable level is labeled "high risk," and a risk that matches or falls below it is labeled "low" or "acceptable risk."
- Mitigate the Prioritized Risks: In the third phase, the security team creates a course of action to reduce or eliminate the prioritized risks to the prioritized assets. If a risk is categorized as unacceptable, the security team must bring it down to an acceptable level, re-evaluating the risk value after each measure is applied. Measures may include physical security, video surveillance, security awareness training, and more.
- Ongoing Continuous Improvement: Because the ESRM approach works on a cycle, continuous improvement is encouraged for an organization’s security program. Practices like investigations, analysis, information sharing, and incident response allow the security team to implement ongoing improvements to an organization’s security plan.
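The three scoring steps above (prioritize assets, score and classify risks against an acceptable level, apply controls until the residual risk is acceptable) can be kept in a simple risk register. The following is an added example written for this page, not BOS Security's or any ESRM standard's own tooling. The scoring model (likelihood x impact, weighted by asset criticality on 1 to 5 scales), the acceptable-risk threshold of 20, and all assets, risks and controls are constructed assumptions for illustration; a real program would take the scales and threshold from its governing body.

```python
"""Minimal ESRM-style risk register (added example; model and data are assumed)."""
from dataclasses import dataclass, replace

ACCEPTABLE_RISK = 20  # constructed threshold; set by the governing body in practice


@dataclass(frozen=True)
class Asset:
    name: str
    owner: str         # business owner who accepts or funds mitigation of the risk
    location: str
    criticality: int   # 1 (low) .. 5 (mission-critical), set by the asset owner


@dataclass(frozen=True)
class Risk:
    asset: Asset
    threat: str
    vulnerability: str
    likelihood: int    # 1..5
    impact: int        # 1..5
    controls: tuple = ()   # controls applied so far, in order


def score(risk: Risk) -> int:
    """Risk value = likelihood x impact, weighted by the asset's criticality."""
    for v in (risk.likelihood, risk.impact, risk.asset.criticality):
        if not 1 <= v <= 5:
            raise ValueError("likelihood, impact and criticality must be in 1..5")
    return risk.likelihood * risk.impact * risk.asset.criticality


def classify(risk: Risk, threshold: int = ACCEPTABLE_RISK) -> str:
    """'high' if the value exceeds the acceptable level, otherwise 'acceptable'."""
    return "high" if score(risk) > threshold else "acceptable"


def prioritize(risks):
    """Highest risk value first, so the team works the worst exposure first."""
    return sorted(risks, key=score, reverse=True)


def apply_control(risk: Risk, name: str, likelihood_delta: int = 0, impact_delta: int = 0) -> Risk:
    """Record a control and reduce the scores it affects (never below 1)."""
    return replace(
        risk,
        likelihood=max(1, risk.likelihood - likelihood_delta),
        impact=max(1, risk.impact - impact_delta),
        controls=risk.controls + (name,),
    )


def treat(risk: Risk, plan, threshold: int = ACCEPTABLE_RISK) -> Risk:
    """Apply controls from `plan` (name, likelihood_delta, impact_delta) in order,
    re-scoring after each, until the residual risk is acceptable.
    Raises if the plan is exhausted first: that residual risk goes back to the
    asset owner, who must either accept it or fund further controls."""
    for name, likelihood_delta, impact_delta in plan:
        if score(risk) <= threshold:
            break
        risk = apply_control(risk, name, likelihood_delta, impact_delta)
    if score(risk) > threshold:
        raise RuntimeError(
            f"residual risk {score(risk)} for '{risk.asset.name}' still above {threshold}; "
            f"owner {risk.asset.owner} must accept it or approve more controls"
        )
    return risk


def build_register():
    """Constructed sample assets and risks, returned in priority order."""
    server_room = Asset("server room", "IT director", "HQ basement", 5)
    lobby = Asset("visitor lobby", "facilities manager", "HQ ground floor", 2)
    risks = [
        Risk(server_room, "unauthorized physical entry", "door propped open for deliveries", 3, 5),
        Risk(lobby, "theft of visitor laptops", "no camera coverage", 3, 2),
        Risk(server_room, "insider tampering", "shared access badge", 2, 4),
    ]
    return prioritize(risks)


if __name__ == "__main__":
    for r in build_register():
        print(f"{score(r):3d} {classify(r):10s} {r.asset.name}: {r.threat} ({r.vulnerability})")
```

The register is deliberately explicit about who owns each decision: `treat` never silently accepts a risk it cannot bring under the threshold, it raises and names the asset owner, because under ESRM the security team advises while the owner decides.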
The cyclical nature of the ESRM approach encourages both the security team and the organization to constantly improve and update their security risk management plan as needed. The ESRM cycle continually repeats so that the organization’s security functions can be analyzed and refined as security risks change or present themselves.
Results of the ESRM Approach
The Enterprise Security Risk Management approach promotes partnership between the business's stakeholders and its security professionals so that the organization's assets are protected and managed effectively and efficiently. On one hand, the emphasis on that relationship gives the security team more input from the people who best understand the organization's goals and assets. On the other hand, stakeholders can make their vision and strategy for the business clear to the team tasked with protecting it. By working together, the two can prioritize and manage assets and their security risks according to the business's needs.
Develop an ESRM Approach with BOS Security
At BOS Security, we work closely with our clients to establish and implement a security risk management plan designed specifically for their business. We have decades of experience across many sectors of security, including residential, commercial, corporate, and federal security, and most recently our remote monitoring service, VirtuGuard™. Contact us below or view our services to learn more about what BOS Security can do to improve your business.