Five Signs That Your Organization Could Use Enterprise Security Risk Management
Here we present five indications that an organization will benefit from an ESRM approach. If you encounter any of these signs in your organization—or worse, several of them—then it’s probably time for you to be putting ESRM front and center for the benefit of both your organization and your sanity.
For this article, we interviewed Rachelle Loyear, vice president of Integrated Security Solutions at G4S, and Paul Mercer, managing director of HawkSight Security Risk Management, both of whom provided invaluable expertise in developing the ASIS Enterprise Security Risk Management Guideline, the ESRM Maturity Model, and the Essentials of ESRM Certificate online course.
1. People dread seeing the security director, wondering what has gone wrong.
Have you heard this one: The security director walks into a room, and everyone pretends not to see her. If this is real life to you and not the set-up to a joke, then you definitely need to look at ESRM.
It is an antiquated notion that if security is doing its job well then it is invisible—that invisible security means it is so seamlessly enmeshed in the organization and assets so secure that no one needs to think about it. In that organization, when you do see security, it means something bad has happened or they’re coming to put a new restriction on you and make your life more difficult.
“A lot of times, security is perceived as the department of ‘no,’” Loyear says. For example, a department wants to change a process to improve efficiency or enable cross-site collaboration, but security swoops in and says that it goes against security protocols. “Employees roll their eyes when they have to check in, or, heaven forbid, check out.”
With ESRM, security is not about saying “no,” nor is it at all invisible. Security becomes a collaborative exercise, where asset owners and security work cooperatively. “Previously, the answer was ‘no,’” Loyear says. “Now it’s explaining what the risks are, learning the business needs of the asset owner, and coming to an optimal solution for the business.”
A key part of ESRM is building relationships with other departments. “You stop becoming a reactive enforcer,” says Mercer, “and you start becoming an advisor on potential threats and asset protection to the various departments. They come to you and reach out for expertise in the same way they reach out to legal or finance.”
2. Security’s budget is constantly under pressure.
Diamond creation. The Instant Pot. The Deepsea Challenger submarine. If these are low-pressure situations compared to defending your security budget, then you definitely need to look at ESRM.
At many organizations, security is a cost center. An important cost center to be sure—not too many leaders are just going to shrug off safety and security issues.
However, as a cost center, security may continually feel the budget squeeze as organizations prioritize money-making departments.
“Some businesses are so procurement-driven or allow cost centers to be controlled by finance, that they may order a cut of ‘X’ percent from security without regard to how that might affect the business,” Loyear says. “If they go to manufacturing, for example, they’re at least going to ask how a cut will affect the business. It’s a big flashing red sign if they don’t do the same thing with security, if they just tell you stop spending so much money. It shows you they don’t understand what you do.”
In an organization practicing ESRM, security budgets are built in consultation with the asset owners. It changes the conversation from spending money to enabling security tactics that help ensure critical assets can perform their important roles. Security works in concert with the asset owner to understand what assets are most important, what the potential vulnerabilities are, and what that risk profile looks like for the organization. Then you can draw a straight line between cutting a security budget and increasing the risk that an important asset will be compromised.
“It’s a powerful message when you can demonstrate an agreement with the asset owners on the threats that exist for their critical assets and what control measures are needed to secure those assets,” says Mercer. “It’s a powerful way to justify the security budget.”
3. “What if that happened here?”
If after a minor incident an employee comments about how much worse it could have been and the only response is a nervous snicker—or just total silence—then you definitely need to look at ESRM.
What we are talking about here are degrees of insecurity. If a person works at a department store in a major city and there is a mass casualty event at a department store in another city, it is natural for that person to be shaken. Serious bouts of insecurity will affect productivity. What you want is for that person to know—based on previous training and interactions—that security has taken steps to reduce the likelihood of an incident and the severity of one if it happens.
At an organization that uses ESRM, security is part of the strategic fabric of the organization. Not only does security have a better understanding of what other departments are doing to achieve their goals, other departments know more about what security is doing.
Another example of the type of response you do not want to see: after an incident hits the news, senior leaders seek you out and ask what you are doing to prepare your organization. Again, this is a matter of degrees. A senior leader wants to review processes and procedures based on an incident happening elsewhere? That’s a positive, instructive development. But a senior executive who is unsure whether any processes or procedures to protect the organization are in place? That means security has too low a profile in that organization.
4. Top executives insist on implementing shiny new technology.
If you have a storage room full of inoperable surveillance drones and an email inbox filled with articles about robot attack dogs, then you definitely need to look at ESRM.
This problem has two forms. In the first form, the shiny object is an incident—such as a drone-based perimeter intrusion. Maybe it happened to a competitor or maybe it was just a high-profile corporate loss or failing. Security is told to drop all other priorities and ensure the organization is protected from a similar incident.
“No security happens without a ‘why’ anymore,” Mercer says. “Chasing the last problem rather than anticipating the next problem is not going to keep you safe.”
Rather than follow the shiny object, Mercer says security professionals need to be scanning the horizon. In April and May 2020, the world was a couple of months into an unpredicted and unprecedented lockdown. At the time, Mercer noted some of the pent-up frustrations, captured in an April 2020 Security Management article, “ESRM and the COVID-19 Pandemic.” “We’re beginning to understand the clear health-related risks associated with this pandemic, but then there’s also the emerging threats that we should begin to start focusing on, for example: civil unrest,” he said at the time. Late the next month, George Floyd was killed while in police custody and a summer of Black Lives Matter protests ensued (and the actors may have changed, but the unrest continued right through the U.S. presidential election and its aftermath).
“The point is, the threat wasn’t hard to see coming,” he says now. “At that time you start assessing the threat. You may determine it does not require any interventions, but you continue monitoring it. As the threat level increases, you begin to model what it could mean to your organization and you take appropriate actions.”
The point? ESRM, by definition, is proactive instead of reactive.
In its second form, the shiny object is a new technology that captivates a senior executive. Let’s say this executive reads an article about how facial recognition helped a company identify someone who was sabotaging a process, potentially saving the company millions of dollars. The executive insists the organization needs facial recognition, and all of a sudden security has a new priority—likely one it wishes it didn’t have.
ESRM would force an organization to step back and analyze any new shiny object rather than jump at it. Facial recognition may very well serve to protect a critical asset from a dangerous threat. But you would arrive at the decision strategically—by asking for and discovering a real reason to have the technology, a real risk to a valued asset that the new technology mitigates better than any other option—rather than as a knee-jerk reaction.
5. Data gathered by security systems and functions is underutilized.
If you have terabytes of video footage being added to cloud storage every day and only refer to it for investigative reasons, then you definitely need to look at ESRM.
This is a problem of security in a silo. ESRM eats silos for breakfast.
Routine security practices generate a ton of data. Some examples: who is in a facility and when, where and when do safety or security incidents tend to happen, video surveillance footage, patrol observations, and the list goes on and on. For security directors, this data will inform the policies and processes needed to ensure the safety and security of assets. But if it stops there, an organization is missing out.
“With ESRM, you’re not just using data to monitor security issues,” Mercer says. “You’re actively engaged with asset holders, and the data is informing you and them in ways that will help them see how security can help protect their assets and help you see the potential challenges that stand in the way of them achieving their goals. When it’s a direct partnership and there’s constant feedback, it’s a sign that it is working well. The data is directly informing the risk assessment process, and it’s that assessment process that leads to controls being either implemented or forecast for immediate or future potential requirements.”
Loyear says it is easy to spot this kind of challenge. “If executives never talk to you, if you’re seen as strictly a function of real estate or facilities or IT, or if you’re only recognized because you’re the ones handing out badges, then you have a pretty big silo around you.” Ramifications: “Everything you are associated with is a tactic and not a strategy. You’re brought into projects at the ninth hour if you’re brought in at all.”
At the risk of sounding like a broken record, ESRM ensures you have an important strategic voice in the organization. Any department with an important asset that wants that asset operating at peak performance would not dream of starting a project involving that asset without trying to understand how the project might change the risks that threaten it. “In these cases, ESRM is essential,” Loyear says.