First released in 2019, the ESRM Guideline on Enterprise Security Risk Management (ESRM) from ASIS International is meant to be a strategic tool to elevate security as a function of a business and encourage partnership between security professionals and other departments and business leaders, while reducing the silos that exist in many enterprises.

ESRM is not an abstract concept, but rather, can give security professionals (and enterprises as whole) a tangible plan that will allow corporate security leaders to keep up with their industry peers, meet executive expectations and mitigate risk.

The road to ESRM is long and takes hard work. It often involves a change in culture, a reduction of silos, and visibility of security within the company. 

“ESRM goes and takes a holistic view of security. It takes all security elements and opens a door by breaking down old silos and moving it from a ‘lone wolf’ operation into making a ‘wolf pack,’” says Thomas Berkery, Enterprise Security Investigations & Reporting, Discover Financial Services.

So how can security professionals begin taking an ESRM approach to risk within their organizations?

Arguably the most important key to a implementing a successful ESRM strategy is fostering a risk management culture across the entire organization. This automatically removes silos and remove overall responsibility for security and safety from just one person or one department. Security professionals can begin by building those relationships across the organization and keeping security from being siloed.

At the same time, however, though ESRM takes a holistic view of overall security risk, one of the major elements of the strategy is defining who is responsible for what. With the ESRM approach, whoever owns the asset in an enterprise, owns the risk.

But where do you begin?

Well first and foremost, enterprises must look at workflows and establish very clearly defined workflows, according to Berkery. Speaking at a webinar titled The Path to ESRM in late September, Berkery says that building out workflows, allow security professionals and the enterprise to bridge gaps in terms of ownership of assets. In other words, identifying who exactly is responsible for what allows all parties to build workflows and bring them together for a better response.

Bridging the gap between departments, between employees and between locations, allows organizations to clearly see who is responsible for what and encourages working together. Indeed, working together is essential for the success of an ESRM model. If one party isn’t willing to take ownership of their role, then the model can’t succeed. Here, communication is key and strong leadership is at the tip of the sphere, says Berkery.

Once risks are identified and determined, a proper gap analysis enables efficient response.

Another key to the ESRM approach is proper identification of risks, Berkery says. “Proper identification of risks is the only way to work toward a solution. [In this regard] asset ownership is so important.” Berkery adds that if the same risk or issue keeps surfacing again and again within a company, this shows the enterprise that proper remediation, asset ownership or co-partnership is missing.

Having a proper culture in place and buy-in from the entire organization are the starts of implementing ESRM. But one of the other keys to ESRM strategy, particularly in regards to its long-term effectiveness, is continual assessment and communication. Of course, this goes back to fostering a culture of risk management. ESRM is a continual approach and one that must be backed by regular assessments and communications as part of the daily life in an organization, says Brad Rooke, CPP, Senior Solutions Consultant, Customer Success at Igloo Software.

How can organizations ensure success?

Rooke says traditional risk assessments should be done quarterly or annually. But that’s not the end of it, he cautions. “They shouldn’t be reactionary,” he says. When processes or plans change within an organization – at any level, in any department – risk must be reassessed and addressed. The only way to achieve this, of course, is through communication (one of the pillars of ESRM that we talked about earlier).

Risks may be small or large scale, and the question to address is, how risky is this, and if not addressed or not communicated properly when something changes, how will it impact the overall business or enterprise? “It takes time to do this and it can’t just be one person,” Rooke says.

If organizations can successfully introduce a collective culture of risk management, then there’s no need for a lone wolf. “Everybody then has skin the game and everyone also has a concept of their territories,” Rooke says.