There is a lot of talk in the security industry about Enterprise Security Risk Management, or “ESRM” as it’s usually abbreviated. ASIS International went all in several years ago, making ESRM a strategic priority. Many in the security industry and risk management professions now embrace it wholeheartedly. Others think it’s just another old-wine-in-new-bottles buzzword that will trend for a while and then be replaced by the next new shiny thing.
The executive protection industry has been largely absent from the ESRM debate. As far as we can tell, many (most?) folks in our industry have not even heard of ESRM. Certainly, very few have embraced ESRM as part of their executive protection practices. We hope this blog will change that. It’s time for executive protection professionals to understand what ESRM is all about, separate the hype from the helpful, and start integrating the ESRM approach into our protective practices and client relationships. This “ESRM thing” is here to stay.
So, what is ESRM, anyway?
Before offering a definition of ESRM, let’s start by considering ESRM as a systematic approach to security within complex organizations rather than a nitty-gritty security technique. It’s more of a mindset than a method – although it does get applied in very methodical ways. From our point of view, the ESRM approach is founded on four basic assumptions:
- Security risks are strategically relevant to the success of the organization: Enterprise Security Risk Management encourages everyone in an organization to take a strategic view of security, from CSOs and security practitioners to CEOs, COOs, CFOs, etc. As such, ESRM seeks to connect good security and risk mitigation practices to the overall mission and goals of an organization – just like the CFO seeks to connect good financial practices to a company’s goal of making a profit, for example. In an ideal world, when C-suite members and other managers make decisions more of them will consider enterprise security risks as part of the decision-making process – just as they would include financial, HR, marketing, and other criteria.
- Security risks should be understood holistically, and not compartmentalized: ESRM is often referred to as “holistic”, because it aims to capture the big security picture, not just a collection of snapshots. It’s about managing the risks of harm to all of the company’s assets, including people, things, and processes. It cuts across – and even bridges – traditional security silos such as physical security, executive protection, cyber-security, loss prevention, asset management, threat management, resilience, workplace violence, critical incident response, brand protection, fraud investigations, travel safety, etc.
- Security risks must be evaluated, prioritized, and managed: ESRM connects security efforts and the organization’s overall goals with solid risk management practices. These time-tested, transparent ways of assessing and managing risk are nothing new. What is new is their systematic use in making decisions about security risks as they relate to the organization’s overall goals and performance.
- Security risks are dynamic: Life’s a movie, not a Polaroid. Just as everything else changes, so do the factors that affect an enterprise’s security risks. So, if we want to understand the strategic importance of security risks holistically as we evaluate, prioritize, and manage them, we have to be prepared to do this on an ongoing basis. In other words, we have to keep reassessing risks in the light of every new day.
But we promised you a definition. Here’s one by John Petruzzi, CPP, who along with Ray O’Hara, CPP, sat on an ASIS committee a while back to adopt ESRM as a strategic initiative:
“ESRM is a security program management approach that links security activities to an enterprise’s mission and business goals through risk management methods. The security leader’s role in ESRM is to manage risks of harm to enterprise assets in partnership with the business leaders whose assets are exposed to those risks. ESRM involves educating business leaders on the realistic impacts of identified risks, presenting potential strategies to mitigate those impacts, then enacting the option chosen by the business in line with accepted levels of business risk tolerance.”
Digging into all the ins and outs of ESRM would be way beyond the scope of this blog, but we hope the above gives you at least a rough idea of what ESRM is all about. If you want to learn more about ESRM, there are many useful articles online, and ASIS offers a variety of courses worldwide. We include a few links at the end of this blog.
You can also read Brian Allen’s and Rachelle Loyear’s book, Enterprise Security Risk Management: Concepts and Applications, which we highly recommend. The image below, from Brian Allen’s website, illustrates some key ESRM concepts.
We suggest reading the book through the lens of executive protection. You won’t be disappointed.
All of the key concepts map very nicely onto a professional approach to EP. Using this perspective to understand what we do in executive protection – and viewing this with other stakeholders through the shared framework of ESRM – is a real eye-opener for everyone concerned with executive protection – both on the client and service provider sides of the equation.
Here are just some of the thoughts that popped up in reading the book:
- Identify and prioritize assets: To whom are EP professionals providing services, and what are the priorities of that group? A quick table that outlines the service level agreement for each level of executive can be a helpful start. How does EP support for these people enable the overall mission and objectives of the organization?
- Identify and prioritize risks: Our risk, threat, and vulnerability analyses are a great start in understanding the highest priority risks our clients face.
- Mitigate prioritized risks: Before any EP boots hit the ground, we need to gain buy-in from the protectees, their staff members, and sometimes their boards or C-suite colleagues on what needs to be done to mitigate the highest-priority risks. Executive protection program building starts here. Keep in mind how you will grow your program to mitigate more and more of those prioritized risks along with the approval and authorization of the risk “owners”. As you can see in one of our previous blogs, this is how we build an executive protection strategy. Often, this takes place with “baby-steps” in a gradual process designed to instill trust in the program and demonstrate its value. Once that starts, it is easier to grow and implement more risk mitigation along the way.
- Incident Response: We build guidelines and SOPs around how incidents are handled, communicated, and by whom. We do the same to prevent incidents from occurring. This is the meat and potatoes of everyday EP.
- Root cause analyses: These help us to establish continuous improvement cycles that identify why and how incidents happen, and to create a set of options to mitigate the risk of them happening again. Proper documentation and regular audits are key success criteria here.
- Ongoing risk analysis: Things change. We must always understand the volatility, unpredictability, complexity, and ambiguity of the risk situation around our principals so that we can maintain timeliness, adaptability, and relevance in a fast-moving risk environment. Principals and organizations want to know that our programs pay attention, and have the “smarts” to make adjustments along the way. This then leads to increased trust and understanding of the program’s value proposition.
Why should executive protection professionals care about ESRM?
As we mentioned above, we believe ESRM is here to stay. More and more CSOs are adopting the ESRM approach. It’s coming up in more discussions with corporate clients. And security companies of all kinds – and in all segments – are beginning to learn more about it. We think executive protection professionals should do the same.
We need to understand these concepts and applications so that we can participate at the same level as the rest of the corporate security organization. Moving forward, ignorance of these concepts will almost certainly cause the executive protection effort and those responsible for it to be out of alignment with the rest of corporate security. This will lead to even more misunderstandings about EP’s strategic role and continue to make people think that we are out of touch with the rest of the industry.
We have recently been asking ourselves a lot of questions about ESRM, and we would encourage everyone working in corporate executive protection and related fields (e.g., protective intelligence, GSOCs, event security) to do the same:
- What does ESRM mean to our business?
- How can we utilize the concepts and applications of ESRM to serve our clients and organizations better?
- How can we partner with the CSO to further the intent of ESRM within our organizations?
And one final question: What do you think about ESRM? If you believe it is something that the EP industry needs to get a better handle on – and even if you don’t – we’d love to hear from you and understand your thinking. Ping us on social media!