Improving Security Risk Management

By Faessler, Mike; Morgan, Mark | Journal of International Peace Operations, September/October 2011


A case for enterprise risk management

THE security industry is moving towards placing greater importance on risk management, especially where it converges with security management. This reality will eventually affect all security professionals at all levels of an organization: it will change the way we think about our jobs and the way we communicate what we do for our organizations. In some cases, it will require that we acquire and apply new skills. To be successful, we will also need to find and employ better tools.

The View From The Top

ASIS International is the preeminent global association of security professionals. In April 2011, its CSO (Chief Security Officer) Roundtable published How Great Risks Lead to Great Deeds: A Benchmarking Survey and White Paper. The survey of 80 CSOs and 200 security professionals indicated that 80 percent of those organizations have formalized their risk analysis processes. For instance, 50 percent of those participating in the survey stated that they have a regulatory mandate to conduct enterprise risk management (ERM). ERM is a framework that includes the methods and processes that drive risk management for an entire organization, including managing risks and leveraging opportunities. Those "highest risks" within the organization often must be communicated to the Board, and likewise disclosed to stakeholders.

Intellectual leaders at the Security Executive Council echo the survey's results and state that ERM is one of the universal issues that will come to significantly impact the security industry. ERM is not a new concept, but senior security professionals' participation in the ERM process is more recent and on the rise.

For any organization to determine its highest, or "board level," security risks, it must assess and know about security risks from its various business units, as well as those security risks from within the corporate offices. That would seem easy enough. Yet the key question is often not whether one should perform security risk assessments, but rather how one does them. Is everyone even using a common methodology? That challenge is magnified for multinationals or organizations operating in dozens of countries, with different languages and different levels of maturity and basic understanding of risk management.

The Quest for a Common Methodology

While many security professionals have recognized the importance of using risk management practices in daily duties, only recently has a consensus regarding a common methodology come forth. ISO 31000 - Risk Management - Principles and Guidelines is the most recent international standard on the general subject of risk management. Published in November 2009, it is a relatively new publication. It is intended to be a broad-based "best practice" that can be applied to a "wide range of activities, including strategies and decisions, operations, processes, functions, projects, products, services and assets," and "applied to any type of risk, whatever its nature, whether having positive or negative consequences." This standard is accompanied by ISO 31010 - Risk Management - Risk Assessment Techniques.

In drilling down from the macro (ERM or ESRM) toward the micro (performing a security risk assessment), ASIS already has a guideline entitled ASIS General Security Risk Assessment Guideline. According to the guideline, it "provides a seven-step process that creates a methodology by which security risks at a specific location can be identified and communicated." Although it was published in 2003, predating ISO 31000, many of the tenets in this seven-step process are consistent with the new ISO standard. ASIS is also now forming a committee to develop a new Risk Assessment Standard (201X). According to Dr. Marc H. Siegel, Commissioner of the Global Standards Initiative at ASIS International, this new ASIS Standard "will be aligned with the ISO31000." All indicators seem to point to the new ISO 31000 standard becoming the base for a common methodology.
