
How Mature is Your ESRM Program?

The enterprise security risk management (ESRM) philosophy can apply to any organization—large or small, public or private. But it can be challenging to map out a path from the initial introduction to mature implementation. Thankfully, members of the ASIS ESRM steering committee spent two years building an ESRM maturity model to measure current efforts and enable security practitioners to guide their organizations to the next level of risk management.

The maturity model self-assessment, which is available for free, walks users through the continuum of how an organization can meet its ESRM-related goals and procedures, says Jacob Maenner, CPP, PSP, ESRM steering committee member and chair of the maturity model committee.

“It’s needed, essentially, to show that an organization is improving,” Maenner says. “We can do all kinds of things, but if we don’t measure their effectiveness then we end up wondering: ‘Did I waste my time? Is this a good investment?’ So, we really wanted to offer this as a tool to help organizations determine how well they’re achieving their goals.”

The five elements within the ESRM maturity model are culture, context, stakeholders, risk management, and ESRM governance. There are five levels of implementation: initial, repeatable, defined, managed, and optimized.

Stage one—initial, the lowest level of maturity—is typically the ad hoc implementation of ESRM concepts, Maenner says. Some organizations will need to work to get to level one, but he notes that “if you’re thinking about it, you’re probably doing something right.” The first three levels take ESRM from basic awareness to active effort, eventually reaching a stage of repeatable and consistent processes and procedures around risk management across the entire organization, “so that one asset owner does it over here, you end up with the same or similarly situated results as the other asset owner over there—it puts risk on a level playing field,” he adds.

By level four—managed—the asset owners and security managers are proactively working together to ensure these processes are in place, and by level five—optimized—there are key synergies being leveraged and security is being fully utilized as a risk management advisor.

It is not necessary for each element to be at the same maturity level, Maenner says, but culture underpins everything—without at least defined maturity in that element, other efforts are likely unsustainable.

Setting the Stage with Culture

The cultural element within the ESRM maturity model starts with the basics—has security partnered with asset owners and proposed ESRM-aligned policies—and advances through training and education, partnership agreements with asset owners, development of policies and procedures, and active participation.

This measurement is essential particularly within ESRM, where many stakeholders across the organization have a direct incentive to participate in security and risk management decisions. Within the ESRM philosophy, the asset owner is the risk owner—so a director of product development can make the decisions about what his or her department does or implements around risk based on the department’s risk appetite and need for controls. The security professional serves in a consultative function, advising the asset owner about what risks exist, what mitigations are possible, and what the pros and cons are to different risk management decisions.

This dialog can help break down silos, uncover vulnerabilities, and enable security convergence, provided lines of communication are open and the process is objective driven, Maenner says.

It can be challenging for security professionals to loosen their control over security implementation decisions, says Rachelle Loyear, vice president of integrated security solutions at Allied Universal and a member of the ASIS North American Regional Board of Directors. And it can be similarly challenging for non-security asset owners to understand why these decisions are their responsibility.

“That’s a big change for them because they’re used to saying, ‘Oh, well, security takes care of security,’” Loyear says. “That’s true. Security is the function that does it, but the only bad thing that happens to me as security leader if everything goes to hell is I get fired; you literally can no longer run your business. That’s a big difference.”

This disconnect is largely a change management challenge, which is one of the major pitfalls many organizations face when they implement ESRM principles, says Jeffrey Slotnick, CPP, PSP, president of Setracon Enterprise Security Risk Management Services. There are three main buckets for change management, he shares:

Create a climate for change. This includes creating a sense of urgency, forming a coalition of allies who support your decision, and creating a vision for the change that you can share easily and compellingly.

Engage and enable the organization. Once you have a vision in place, start communicating it with key stakeholders both up and down the organization. Empower people to take action, and create quick wins to build momentum and enthusiasm.

Implement and sustain change. Those quick wins get you started, but don’t stop there. Continue to build on the change you implemented, and reinforce your vision—and your results—regularly to help make the change stick.

“ESRM is a great concept, but lacking the business acumen to move an ESRM program forward the effort will stall,” Slotnick tells Security Management via email.

What’s the Context?

The context element of the maturity model covers regulatory functions that need to be accounted for, as well as internal and external context that affects risk management, Maenner says. This includes establishing common understanding across stakeholders about the organization’s values, business processes, regulations, stakeholder responsibilities, and the operating environment.

But as the ESRM approach matures, responsibility for context falls primarily on security professionals, who must guide the ongoing conversations.

For instance, by the second level of maturity—repeatable—security leaders need to be able to articulate clearly how ESRM can support all business functions, and by level three—defined—security should be able to demonstrate how security functions can help asset owners manage security risk. This communication requires well-cultivated and maintained soft skills to connect ESRM in context with various asset owners, stakeholders, and executives in ways that relate clearly to them.

Who’s My Audience?

On the topic of stakeholders and soft skills, ESRM relies heavily on relationship management and partnerships. The tactic of leveraging fear, uncertainty, and doubt (FUD) to generate buy-in can backfire, and the alternative business-enabling method is more effective, says Loyear.

“FUD is my least favorite methodology for that because it’s really easy to engage them in a conversation that says, ‘What do you need to run your organization, and how may I help you realistically keep that in place?’ It’s especially important, and that’s why I like to do data-driven analysis,” she says.

For instance, your stakeholders might bring up the threat of terrorism based on what they see on the news. A consultative-minded and well-informed security professional could steer the conversation in a more business-centric way, noting that while terrorism is a scary, high-impact, low-probability threat, it is being addressed already in holistic security management plans. Instead—especially if speaking with a stakeholder focused on the supply chain or reputation management—open a discussion about how many trucks in the company’s fleet were vandalized in the past year, how much cost was incurred repainting them, and how a simple fence around fleet parking could reduce that impact.

“To me, that’s the conversation. It’s not going in to somebody and waving the high-impact, low-probability flag—that doesn’t build long-term trust,” Loyear says. “You can absolutely sell anything based on fear, and then a year later when that thing has not happened, you lose credibility. Some people are highly visible and have that profile and do need to be more aware of those kinds of risks, but for the most part, most organizations lose way more to theft, vandalism, and things like that.

“The nice thing about security is that an access control system or a security guard, or something, covers a large swath of vulnerability,” she continues. “Once you have these things in place to protect you from theft, it's going to do double duty to protect you from other things that may not have as high a likelihood.”

As that conversation evolves, your stakeholders are likely to personally change, too. Part of ESRM is educating your asset owners about risk, vulnerabilities, and mitigation, as well as what their security partners can do to affect their operations. It’s a big change to go from seeing security as “those annoying people who make me do X, Y, and Z as opposed to ‘Oh, you’re really just here to keep all of my products from walking out the door. I need this product, I can’t do my job without it,’” Loyear explains. “I think those are the changes you’ll see in the other side of the partnership as you move along.”

Measuring Risk Management

To help with those partnerships, measurement and metrics are imperative.

“Once governance, roles, and responsibilities are set and the ESRM journey is underway, the risk management part still needs to happen,” says David Feeney, CPP, PSP, a Deloitte Risk and Financial Advisory senior manager in the cyber and strategic risk practice and a member of the ASIS ESRM Community’s steering committee. “Organizations need a methodology for identifying and prioritizing risks as well as mitigating those prioritized risks. This comprises the ‘day-to-day’ of security risk management, and organizations still need a way to measure, monitor, and report risks to stakeholders. 

“Concepts of inherent and residual risk and the establishment of risk thresholds—in collaboration with asset owners—are some of the common steps that come later in the process of further maturing ESRM within an organization,” he adds.

Security professionals might believe they have risk management principles mastered, but ESRM requires involvement from a wide variety of participants—many of whom might be foggy on the concept.

Maenner recommends taking a blunt and honest view at your entire organization using the ESRM maturity model self-assessment tool.

Consider the questions laid out in the self-assessment tool to determine if an organization has reached level four—managed—of ESRM around risk management, which should signify that security leaders are unified across all security functions to actively monitor the strategy’s effectiveness.

  • Have security leaders across all security functions adopted the security risk management methodology agreed upon with top management?
  • Do security leaders across all security functions monitor the progress of an integrated security risk management approach?
  • Do security leaders across all security functions engage with asset owners and relevant stakeholders as an integrated security function to measure and improve the enterprise’s security risk management approach?
  • Do all security leaders across all functions engage with top management as an integrated security function to report the effectiveness of the security risk management approach across the enterprise?

Do not sugarcoat where you stand, and consider asking other stakeholders to evaluate the organization’s risk management efforts as well, Maenner advises. Those other voices might surprise you and uncover additional outreach you need to perform.

In rare cases, or if the security team gets stuck, a third-party consultant could be brought in to conduct the assessment or look for sticking points.

Guided by Governance

The governance function of ESRM codifies the approach within the organization, building an agreed-upon structure to drive participation, link security risk management to key organizational processes, and track outcomes. But a key element here is reporting—discussing ESRM outcomes at recurring meetings and reporting out to organizational leadership, which again requires executive or soft skills to deliver the news with impact.

This aspect of ESRM has changed dramatically in the decade since the concept’s introduction, Loyear reflects.

“It is so different now than it was when I started,” she says. “It was so academic 10 years ago when we were talking about this, and now I am much more functional—how do we get it to be easy? I’ve changed all my language. I don’t talk about assets and risks anymore. I talk about what do we have to protect and what do we have to protect it from. I think that's real growth in the industry—just seeing that you have to be part of the business. That was a personal lesson learned.”

Along those lines, she recommends that security directors keep up with widely read business reports, such as those from the World Economic Forum, that show top CEO concerns—such as climate change, political unrest, war, and regulatory changes.

“All of those things are now also what CSOs have to care about,” Loyear says. “Yes, you didn’t make climate impact, you didn’t make war, you didn’t make this, but it is sure going to be impacting your company’s supply chain, and you better have some kind of solution at least in your consideration list for it. You can't ignore the CEO’s concerns just to be the CSO. It has to be part of that entire business conversation.”

Claire Meyer is managing editor of Security Management.