Enterprise Security Risk Management (ESRM); the Holy Grail or a concept found wanting?
Chair: Martin Gill
Rachelle Loyear – VP, Integrated Security Solutions at G4S (US)
Michael Gips, JD, CPP, CSyP, CAE – Principal at Global Insights in Professional Security (GIPS) (US)
Ilya Umanskiy – Director, Resilience Practice at Current Consulting Group (Hong Kong)
Rachelle Loyear starts by highlighting the benefits of ESRM, including a better use of resources, not protecting the wrong things, and clear metrics to guide actions, all in a way that is supported by the business. She disagrees with any assertion that this amounts to ‘passing the buck’; indeed, she argues that it makes a leader more responsible. Rachelle agrees there is a need to simplify the approach and that it is a framework for organising security which always requires a local application, yet it is applicable to organisations of all sizes. You will hear her make some interesting comments about the importance of culture. Ultimately, we need able people to lead on its implementation; it is not always easy.
Michael Gips notes that ESRM generates disparate reactions; some see it as the same bottle but new wine. But it is not that new, and he traces its origins back to 2005, when there were papers and discussions evolving the concept, although it was never treated as a priority until 2016, when it was adopted by the ASIS International Board of Directors. Summarising the positives, he notes that it is well thought out; it defines the asset owners; and it provides an understanding of the whole business. Against that, ESRM often lacks an authority figure to implement it; it requires asset owners to own the risk, and they often don’t do that; and the risk function all too often operates in silos. Moreover, an overarching concern is the lack of business acumen among security personnel. Reporting on his own research, he states that there is a lot of support for the concept and little opposition; there is a base on which to build more support and a broader understanding (since many implement elements of ESRM but call it something different).
Ilya Umanskiy asks whether the right skills are being developed, and whether they are being honed in the right way. Drawing on his experience as a consultant, Ilya makes the connection between ESRM and the business itself; that connection is key, and it is an area where security has not always been adept, nor has it always been effective at winning the support of organisational leaders. In short, many security leaders are not effective enough business people; they do not have the same traditions steeped in corporate experience, and it is an important gap. It has important knock-on consequences, including a lack of innovation, which may be another reason the implementation of ESRM has suffered. You will hear him discuss the importance of managing nuances and local contexts, the challenges in achieving the appropriate balance between national consistency and local needs, and the role of standards. It is sometimes easier in bigger companies, but he calls for a greater focus on those that are smaller, with fewer resources and less expertise.
There is clearly a lot of support for ESRM, although there is a lack of research underpinning claims to its effectiveness, particularly across organisations that vary by size, structure, culture, industry and more. It emerged in the webinar that there are now graduate courses on the topic, and that is encouraging. The principles have a solid tradition and they appeal to a wide audience, albeit not everyone, but there appears to be a lack of understanding about what ESRM is and how it can best be implemented. Indeed, as far as the latter is concerned, this results from a sense that it is complex (hence calls from the panel to make it simpler) and from a lack of business acumen amongst some security leaders, including in some cases a failure to win organisational commitment. The barriers posed by culture, silos and organisational understanding are important to understand, and these are amongst the challenges that proponents must now seek to address.
19th January 2021