Improving Security Risk Management
Faessler, Mike, Morgan, Mark, Stability Operations
A case for enterprise risk management
THE security industry is moving towards placing greater importance on risk management, especially where it converges with security management. This reality will eventually affect all security professionals at all levels of an organization: it will change the way we think about our jobs and the way we communicate what we do for our organizations. In some cases, it will require that we acquire and apply new skills. To be successful, we will also need to find and employ better tools.
The View From The Top
ASIS International is the preeminent global association of security professionals. In April 2011, their CSO (Chief Security Officer) Roundtable published How Great Risks Lead to Great Deeds: A Benchmarking Survey and White Paper, which surveyed of 80 CSOs and 200 security professionals indicated 80 percent of those organizations have formalized their risk analysis processes. For instance, 50 percent of those participating in the survey stated they have a regulatory mandate to conduct enterprise risk management (ERM). ERM is a framework that includes the methods and processes that drive risk management for an entire organization, including managing risks and leveraging opportunities. Those "highest risks" within the organization often must be communicated to the Board, and likewise disclosed to stakeholders.
Intellectual leaders at the Security Executive Council echo the survey's results and state that ERM is one of the universal issues that will come to significandy impact the security industry. ERM is not a new concept, but senior security professionals' participation in the ERM process is more recent and on the rise.
For any organization to determine its highest, or ifboard level," security risks, it must assess and know about security risks from its various business units, as well as those security risks from within the corporate offices. That would seem easy enough. Yet, the key question is often not IF one should perform security risk assessments, but rather how one does them. Is everyone even using a common methodology? That challenge is magnified for multinationals or organizations operating in dozens of countries, with different languages and different levels of maturity and basic understanding of risk management.
The Quest for a Common Methodology
While many security professionals have recognized the importance of using risk management practices in daily duties, only recendy has a consensus regarding a common methodology come forth. ISO 31000 - Risk Management - Principles and Guidelines is the most recent international standard on the general subject of risk management. Published in November 2009, it is a relatively new publication. It is intended to be a broad-based tfbest practice" that can be applied to a "wide range of activities, including strategies and decisions, operations, processes, functions, projects, products, services and assets," and "applied to any type of risk, whatever its nature, whether having positive or negative consequences." This standard is accompanied by ISO 31010 - Risk Management - Risk Assessment techniques.
In drilling down from the macro (ERM or ESRM) toward the micro (Performing a Security Risk Assessment), ASIS already has a guideline entided ASIS General Security Risk Assessment Guideline. According to the guideline, it "provides a seven- step process that creates a methodology by which security risks at a specific location can be identified and communicated." Although it was published in 2003, predating ISO- 3 1000, many of the tenets in this seven- step process are consistent with the new ISO standard. ASIS is also now forming a committee to develop a new Risk Assessment Standard (201X). According to Dr. Marc H. Siegel, Commissioner of the Global Standards Initiative at ASIS International, this new ASIS Standard "will be aligned with the ISO31000." All indicators seem to point to the new ISO- 3 1000 standard becoming that base for a common methodology. …