Implementing Enterprise Security Risk Management (ESRM)

location_on Atlanta, GA
$950 (Standard) Member Price
$1250 (Standard) Nonmember Price

Earn up to 14 CPE Credits

Enterprise Security Risk Management (ESRM) is a strategic security program management approach that ties an organization’s security practice to its mission and goals using globally established and accepted risk management principles. In this two-day course, you will explore the philosophy of ESRM, learn how to implement or transition to an ESRM-based security organization, and participate in practical exercises designed to help you develop and present security solutions with an ESRM approach.

Immediate Benefits

  • Gain a better understanding of ESRM, and the role of security and business leaders in an ESRM program.
  • Learn how to develop a security program in the ESRM model.
  • Discover how to use a business approach to communicate security concepts to business leaders.

Program Overview

Day 1:

Implementing ESRM - The Basics
In this session we will walk through the steps of the ESRM life cycle and discuss the processes involved in setting up a security program that aligns with the ESRM approach. We also cover the essentials for ESRM success.

What Is Your Role in ESRM?
Explore the ESRM view of the security leader’s role in the organization to ensure their internal business leaders understand security risks and tolerances and have sufficient information to make business decisions around implementing security risk mitigation programs.

Exercise: In the Beginning
You and your team will be introduced to a fictional organization for which you will develop an ESRM solution. You will have an opportunity to ask questions of the company executives to learn about the organization, your new business partners, and their concerns.


Transitioning to an ESRM Approach
In this session, we will look at the steps to transition from a traditional, tactically focused security management program to a strategic, risk-focused security program approach.

Security Governance - an ESRM Approach
Examine various options for how organizations might choose to govern their security programs in an ESRM implementation, ranging from executive sponsorship to extended security councils.

Exercise: Building the Base
Discuss potential security governance models with your team and draft a security policy and governance charter for your new program.

Day 2

Manage Your Security Department Through ESRM
Explore how to manage a security department or program through ESRM. Items for discussion include skills needed by your team, potential structures and team roles, and aspects of the security budgeting process.

Risk, Data, and Metrics
Learn how to present reports and metrics that can lead to a better understanding of the state of security risks in the organization. Different types of reports for different audiences also will be explored.

Exercise: Developing a Risk Management Response
In this group exercise, your team will be presented with a security threat facing the organization. You’ll discuss as a team and come up with potential risk mitigation recommendations.

Lunch and Working Break

Talking Security Risk with Executives
In this session, we will explore ways to have factual, not fear-based, discussions about security risk with business executives. Tips and tricks for presenting to a senior executive audience also will be covered.

Exercise: Presenting the Case
This is your opportunity to present your risk management-based security solution to your company executives and receive feedback on how the presentation aligns with the ESRM philosophy and ideals.


Rachelle Loyear

Now the VP of Integrated Security Solutions at G4S Americas, Rachelle Loyear has spent over a decade managing programs in corporate security organizations. Focusing strongly on security risk management, she has been responsible for ensuring enterprise resilience in the face of many different types of risks, both physical and cyber. In 2016 she co-authored The Manager’s Guide to Enterprise Security Risk Management: Essentials of Risk-Based Security; in 2017 she released The Manager’s Guide to Simple, Strategic, Service-Oriented Business Continuity; and she is a co-author of the 2018 book Enterprise Security Risk Management: Concepts and Applications.

Tim McCreight, CISSP, CPP, CISA

Tim is the Manager, Corporate Security - Cyber for the City of Calgary. He brings over 35 years of experience in the security industry and is recognized as one of North America’s leading Enterprise Security Risk Management (ESRM) evangelists. Throughout his career Tim has held executive positions at several organizations, notably as the Chief Information Security Officer (CISO) for the Government of Alberta, and as the Director, Enterprise Information Security for Suncor Energy Services Inc. Recently Tim was the owner of Risk Rebels, a global security consulting practice, and a Principal Consultant at Online Business Systems.

Amy M. Poole

Integrated Security Solutions


Amy Poole has five years of experience in managing corporate security programs and projects. With a background in audit and compliance prior to her security career, Amy brings a history of risk-based work to her security approach, tailoring enterprise security programs to an ESRM model. Amy is the co-chair of the Communications Committee within the ASIS Women in Security Council and a member of the ASIS Leadership and Management Practices Council. She is the board secretary for the Global Security Risk Management Alliance, and a certified Project Management Professional (PMP) through the Project Management Institute (PMI).

William (Bill) Phillips

CEO, Managing Consultant
New Source Security

Bill Phillips, P.E., is Managing Consultant and CEO of New Source Security, a multi-risk consulting group with emphasis on business strategies and processes for security, liability, and safety including workplace violence prevention. He has a broad professional background in corporate security as both a safety officer and an independent consultant. Bill has been active with the ESRM initiative helping to develop the initial draft, serving on the current technical and review committees, and as part of the ESRM program management team. He has consulted with and served on the advisory councils for several security industry companies, testified before Congressional Committees on various issues and regulations, and has made presentations internationally including ASIS International.

Tim Wenzel

Program Manager
Special Security Projects, IP Risk Management


Tim Wenzel leads the Global Security Special Projects program at Facebook. In this role, he focuses on managing the privacy risk to Facebook’s Intellectual Property globally. Over the years, he has become a builder of boutique security programs which creatively manage risk while demonstrating business value. Some of his latest projects include building global security risk management programs, post-Benghazi training design for the Diplomatic Security Service, and protective strategist for domestic violence education and intervention. By properly identifying the true sources of risk and vulnerability, Tim and his teams provide clarity to the business and vision to security strategy.

Hotel, Fees and Schedule

InterContinental Buckhead Atlanta
3315 Peachtree Road NE
Atlanta, GA 30326

The InterContinental Buckhead is now sold out for the week of our program. For hotel accommodations, the Grand Hyatt Atlanta in Buckhead and the Embassy Suites by Hilton Atlanta Buckhead are closest in proximity to the InterContinental and recommended by the hotel.

Registration Fees

Member      $950 (Standard)    $850
Nonmember   $1250 (Standard)   $1150

Registration fees include daily continental breakfast, lunch on day one, a networking reception, and refreshment breaks. Hotel costs are not included.

Registration Hours

Monday, 24 June
7:00–8:00 am

Program Hours

Monday, 24 June
8:00 am–5:00 pm

Tuesday, 25 June
8:00 am–5:00 pm
If confirmation of registration and payment has not been received three days prior to the event, please email

Certificates of Attendance

ASIS reserves the right to withhold certificates if attendance requirements are not met.

Last-Minute Registrations

While we welcome all registrations, including those on-site, the availability of handout materials cannot be guaranteed.


Business casual is recommended.

Continuing Professional Education (CPE)

Each 50 minutes of instruction is worth one CPE.

Alternate Registration Methods

If you prefer, you can register by phone (+1.703.519.6200), fax (+1.703.519.6299), or mail.

Cancellation and Transfer Policy

For a full refund or transfer credit, written requests must be received at least 10 days before the start date of the program. Those received less than 10 days prior will be charged a $100 cancellation/transfer fee.

Transfers will be limited to a maximum of two per original registration. No refunds or transfers are made for requests received on or after the start date. Contact us at +1.703.519.6200 or fax your request to ASIS Member Services at +1.703.519.6298.

Tours of Third-Party Sites

When a program includes a visit to or a tour of a third-party site, the host organization may require the use of non-disclosure agreements. Subject to the requirements of the host organization, the agreements offered to nationals and non-nationals of the host country may differ.

Team Discount

Receive a 10% discount when three to five attendees register from the same organization, 15% for six or more. Email for details.

Code of Conduct

ASIS International Event Code of Conduct

ASIS International (“ASIS”) is committed to providing a safe and welcoming experience for all event participants as defined below.

Any participant regardless of:

  • Race or ethnicity
  • Disability
  • Religion or political affiliation
  • Gender, or gender identity or expression
  • Sexual orientation, or
  • Any other distinguishing characteristic

should feel welcome and safe at any ASIS event.

Expected Behavior

This Code of Conduct applies to all event attendees, presenters, exhibitors, sponsors, vendors, contractors, other service providers, and ASIS staff (“participant”) at any event, meeting, conference, forum, social event, or meeting-related event, including those sponsored by organizations other than ASIS but held in conjunction with ASIS events in which they participate (an “event”). As such, ASIS expects that participants at events will:

  • Remain positive and welcoming to others
  • Recognize that an event is a place for diversity of thought, organization, and individuals
  • Be inclusive of others
  • Be alert and report any discriminatory, harassing, aggressive, or exclusionary behavior or speech immediately to the contacts set forth below
  • Respect the specific rules and policies of the event, and
  • Otherwise uphold the reputation of ASIS

Unacceptable Behavior

Unacceptable behavior includes, but is not limited to:

  • Intimidating, threatening, harassing, abusive, discriminatory, derogatory, or demeaning conduct
  • Inappropriate physical contact (e.g., unwelcome sexual advances, groping, sexual assault);
  • Physical stalking or written, verbal, or other abuse, or
  • Inappropriate use of nudity and/or sexual images or language in event presentations, or otherwise failing to obey any rules or policies of the venue or ASIS.

Whether such behavior constitutes unacceptable behavior as defined above shall be determined by ASIS and its representatives, in their sole discretion. ASIS takes matters of such unacceptable behavior in any form seriously.