Time to Pivot: Applying ESRM After COVID-19
As organizations navigate through the aftershocks of the COVID-19 pandemic on their operations, workforces, and the global economy, the time may be right to reframe the conversation about resilience and security with a revitalized enterprise security risk management (ESRM) lens.
ESRM is a management approach that can enhance security programs while aligning security resources with organizational strategy to manage risks—both known and unknown ones. By employing ESRM strategies, security professionals work closely with asset owners throughout their organization to identify and prioritize assets and risks for a holistic security program that supports the mission of the organization.
Throughout the pandemic, security professionals have been called to participate in more business-critical discussions around resilience, supply chain stressors, and remote workforce management. These emergency partnerships with other departments have opened the door for long-term coordination and integration of security into key business functions.
As security professionals catch their breaths after a year or more of crisis management, two members of the ASIS International ESRM Community Steering Committee—David Feeney, CPP, a Deloitte Risk & Financial Advisory manager in the cyber and strategic risk practice, and Rachelle Loyear, vice president of Integrated Security Solutions at G4S—shared their thoughts with Security Management.
The interviews have been edited and condensed for clarity and brevity.
Can you explain, from a high level, what role ESRM can play in building a crisis management approach? How does an ESRM-informed plan differ from a traditional security-siloed plan?
DF. While the enterprise security risk management (ESRM) cycle dictates how risks are managed, the context and foundation of ESRM characterizes the approach and permeates everything the security organization does—including crisis management planning. As such, ESRM can help ensure crisis management plans not only support the mission and vision of the organization but are also aligned with the organization’s core values. Most importantly, plans are to be created in collaboration with stakeholders—allowing for more input into their security planning.
RL. Organizations that have a well-running crisis management and resilience program have a huge advantage in leveraging the ESRM approach, because the discovery, understanding, and internal partner relationships built for the resilience plan have an enormous—if not complete—overlap with those needed for ESRM.
That said, it works the other direction too. If an organization has a security function that has already embraced ESRM and is taking a risk lifecycle approach to their chosen security tactics and program, then building a crisis management program on that same foundation means a large part of the resilience program initiation is already done. You’ve understood the critical assets and functions, you’ve explored the risks. You even have a clearer understanding of the likely people who need to be on the crisis teams because you’ve got those relationships in place already.
A siloed security organization that is treated as outside of the regular business operations will be at a disadvantage if that organization thinks that department can also “manage crisis” by itself. Quite simply, crisis management is a team effort and cannot be done in a vacuum.
How does ESRM affect preparedness and business continuity?
DF. ESRM acknowledges that asset owners know their assets and security practitioners know security. In an ESRM environment, asset owners make decisions about risks to their assets based on potential impacts to the organization’s mission. Security practitioners act as trusted advisors and leverage their security expertise to guide asset owners through this risk management decision-making process. The partnership of these roles is most effective in determining plan components such as Recovery Point Objective (RPO) and Recovery Time Objective (RTO), which help increase an organization’s preparedness and ability to recover.
RL. So much of preparedness isn’t about the actual plan or checklist or recovery instructions. “The best laid plans,” and all that... But the act of discovery, of truly understanding the organization, the moving pieces and parts, the players, the critical activities—all of those things that we consistently teach are foundational for ESRM—these are what actually make an organization resilient. People being able to come together and respond to the event that isn’t in the plan, the thing nobody saw coming—that’s where the foundation of ESRM comes into making preparedness and resilience more possible. And a good crisis management program will leverage all those same things, not just be a list of phone numbers and the instructions for how to turn on the generator.
How did ESRM help organizations weather COVID-19 effects compared to teams that had not adopted an ESRM approach?
DF. The roles and responsibilities of asset owners and security practitioners in an ESRM environment enable effective planning and response while supporting rapid recovery. Asset owners understand the impact asset loss will have on the organization’s ability to execute its mission. As such, they are best suited to make decisions—with guidance from security practitioners on things like how much downtime or data loss can be endured.
RL. Planning is an act that inherently makes the organization more prepared. I doubt that even 10 percent of businesses had a pandemic plan pre-COVID that actually took into account the impact it would have. We were all planning for “normal” pandemic flu—25 percent of your workforce being sick, not entire economies closing down. However, those organizations that had planned—that had teams used to coming together to make tough decisions, even in a training exercise, who knew what team members needed to think about what responses—well, they were ahead of the game. ESRM is about that larger view, that team approach.
Any crisis program and planning makes that difference. The risk-based approach inherently makes you more able to respond because you know that a variety of different things might happen to you. ESRM simply encourages that thinking. It’s the thinking, teamwork, philosophy, and the people that make this happen—not a magical label of ESRM. ESRM is a mind-set we can take with us.
The vast amounts of information—especially early in the COVID-19 pandemic—made sifting through the volume and finding relevant data and metrics challenging. How does an ESRM approach help hone your focus, as a security leader and a business leader, so that you could deliver data more effectively for the C-Suite?
DF. As with all stakeholders, ESRM promotes strong security practitioner relationships with top management. A key element to that partnership is for security professionals to gain an understanding of the C-suite’s priorities, such that security can put its data and findings in front of top management as distinctly and efficiently as possible.
RL. It’s knowing the key drivers of the company, knowing what they have to do, and knowing what the critical points of protection need to be that can help.
Example—if you know that you are heavily “people” dependent to get the mission of the organization done, then you are first going to look for things to help support and protect them. If your supply chain is the major point of failure, you can focus your attention there. But really, ESRM hones the focus. It’s not a magic bullet—the research was still moving fast, the data was changing each day, you had to be nimble enough to sort through it, but your knowledge of the highest priority would at least give you a place to start.
How have the events of 2020—from COVID-19 to supply chain disruptions to civil unrest—changed or adjusted your risk management approach? Are you looking at risk or reporting any differently?
DF. I think leaders and stakeholders are leaning into risk management more than they have in the past. Security incidents are unpredictable and don’t stop just because other incidents are happening. And I think most organizations are still grappling with inconsistent security resourcing, continuity, and morale—among other things.
RL. So much of the world is now operating in uncharted business and social territory. No matter what area of life or business, we’ve had to make adjustments to accommodate risks associated with COVID-19. Now that we have a vaccine and at least some level of “business as usual” is on the horizon, we all have a need to evaluate those adjustments, see which ones are most likely to be permanent, and determine how we will face the changing risk environment in the near future and potentially for a long time.
For security professionals who have not adopted ESRM yet, where can they start, specifically around crisis management and business continuity (striking while the iron is hot, so to say)?
DF. Unfortunately, there are no shortcuts. But certain things can accelerate crisis management processes while also piquing broader organizational interest in supporting security risk management. The starting point for ESRM is really in the context—understanding the organization’s mission and vision, core values, operating environment, and stakeholders. To get this understanding, security practitioners should focus on relationships and learning about the organization. As stakeholder discussions take place, the focus should be on whatever they need from a security risk perspective to be able to deliver on the organization’s mission and overall strategy.
RL. I think the conversation around COVID allows people an entry into the discussion of resilience in general. If companies are concerned about one type of crisis, that’s good, because it gives an opportunity to show that protective and mitigating activities can be applied holistically, and not just focused in one place. It’s an unfortunate fact that tragic events are a major driver of BCM and crisis program improvement. But it’s human nature to do that, and any company that takes advantage of the focus on resilience to get their internal teams all working together to prepare for whatever’s next is going to have an advantage.
That said, it doesn’t have to be hard. A lot of this is just about knowing the critical people, processes, and technologies, and making sure they are all able to have the flexibility and backup to continue running in any situation.
The nice thing about the ESRM cycle is it’s a path anyone can follow. If you want to start, pick up the ASIS guideline (or the book Brian Allen and I wrote, if you like—Enterprise Security Risk Management: Concepts and Applications) and just jump in.
If you already have some good partners, start with them. If you already understand one piece of the business, see how you can flow through the rest of the cycle in just that area. The important thing is to get those foundational elements into your security philosophy: transparency, awareness, openness, and partnership. And don’t stop with the ESRM guide. ASIS has guides for crisis, risk assessments, business continuity—take a look at all of them. They aren’t long and they are not tough reads. Take what you can use for your program, try it out. Just take a step and then see what the next one is.
This advice isn’t about “go ask for money for ESRM while people are worried,” it’s “start a conversation about a coordinated and transparent approach to all kinds of risk while people have an awareness of a novel risk they were not expecting.” It all flows from there.