
ERM and the security profession

Risk Management, Jan, 2008 by Michael P. Johnson, Jeff M. Spivey


Many organizations are competing to provide the definition of enterprise risk management. Each definition is written from a different vantage point and paradigm, and each attempts to promote a more contemporary process model toward an enterprise-wide, holistic view of risk management aligned more closely with business processes, organizational goals and objectives.

The security profession has been struggling to develop methods that align the selection criteria for physical and logical mitigation controls with the fundamental aspects of risk management and with organizational goals and objectives, in order to quantify the return on investment in security people, processes and technologies. Security and risk management professionals continue to struggle with the inability to quantify a nonevent. How many times in our careers have we experienced the frustration of senior management's decision to reduce funding in our respective areas of responsibility because nothing happened? Is the absence of incidents the result of effective security and risk management? Or is it the absence of risk itself?

Numerous factors, including regulatory and marketplace drivers, have provided the means to answer these questions and many more. Among these factors are:

* the evolution of the concept of security convergence--the combined management of physical and logical security along with risk management and business continuity--into the framework of enterprise security risk management (ESRM), establishing and representing the function of security as a component of a comprehensive ERM model.

* the enactment of new federal regulations for the creation of certified security management systems providing the opportunity for specific tort liability reduction in the event of a terrorist attack, a potential reduction of insurance premiums and the potential reduction of underwriting losses.

* the recognition, acceptance and adaptation of the practices and principles of guidelines, standards and frameworks propagated by entities like the International Organization for Standardization (ISO), ASIS International, the National Fire Protection Agency (NFPA) and the U.S. Department of Homeland Security (DHS).

Herein is a synopsis of the factors that enable security and risk management professionals to collaborate and quantify the effects of their efforts on the organization's bottom line.

From Security Convergence to ESRM

ASIS International, the world's largest organization for security professionals, is playing a major role in the refinement of a new security paradigm against the backdrop of risk management, paving the way for a natural migration and progression from security convergence to ESRM.

The first major initiative was the co-creation of the Alliance for Enterprise Security Risk Management (AESRM) in February 2005. This organization embodied the collaborative efforts of ASIS International, the Information Systems Auditing and Control Association (ISACA) and the Information Systems Security Association (ISSA) to accelerate the understanding and adoption of convergence between physical and logical security along with the long-term goal of developing approaches for enterprise security risk management.

According to the AESRM, "The need for the alliance is predicated on the significant increase and complexity of security-related risks to international commerce from terrorism, cyber-attacks, Internet viruses, theft, fraud, extortion and other threats that require corporations to develop a more comprehensive approach to protect the enterprise. That approach often features convergence, a holistic view of security that takes an integrated approach to information and traditional security. It ensures that all functions within the enterprise work together to identify and mitigate risks, and to effectively manage security-related incidents to reduce a potential negative impact on people, profitability and property."

The alliance has four main objectives, which it plans to advance through research, executive seminars and other educational offerings to benefit security and other business executives:

* Develop adaptive risk models that embody interdisciplinary, enterprise-wide security risks

* Increase understanding among executive management concerning the critical importance of enterprise security risk management

* Promote consistent enterprise security risk management positions to influence policymakers

* Contribute to the qualifications and competencies of senior executives responsible for security risk.

Security convergence is a powerful concept whose acceptance and adoption have not moved as quickly as anticipated. Perhaps this is because the word "convergence" has become overused or synonymous with the worlds of technology convergence or regulatory convergence? Or could there be a tendency for most organizations to manage the disciplines inherent in this convergence concept at the tactical and operational levels, with little regard for the strategic value of security convergence?

Content provided in partnership with Thompson Gale