Improving Security Risk Management

By Faessler, Mike; Morgan, Mark | Stability Operations, September/October 2011


A case for enterprise risk management

THE security industry is moving towards placing greater importance on risk management, especially where it converges with security management. This reality will eventually affect all security professionals at all levels of an organization: it will change the way we think about our jobs and the way we communicate what we do for our organizations. In some cases, it will require that we acquire and apply new skills. To be successful, we will also need to find and employ better tools.

The View From The Top

ASIS International is the preeminent global association of security professionals. In April 2011, its CSO (Chief Security Officer) Roundtable published How Great Risks Lead to Great Deeds: A Benchmarking Survey and White Paper, a survey of 80 CSOs and 200 security professionals which indicated that 80 percent of those organizations have formalized their risk analysis processes. For instance, 50 percent of those participating in the survey stated they have a regulatory mandate to conduct enterprise risk management (ERM). ERM is a framework that includes the methods and processes that drive risk management for an entire organization, including managing risks and leveraging opportunities. The "highest risks" within the organization often must be communicated to the Board, and likewise disclosed to stakeholders.

Intellectual leaders at the Security Executive Council echo the survey's results and state that ERM is one of the universal issues that will come to significantly impact the security industry. ERM is not a new concept, but senior security professionals' participation in the ERM process is more recent and on the rise.

For any organization to determine its highest, or "board level," security risks, it must assess and know about security risks from its various business units, as well as those security risks from within the corporate offices. That would seem easy enough. Yet the key question is often not whether one should perform security risk assessments, but rather how one does them. Is everyone even using a common methodology? That challenge is magnified for multinationals or organizations operating in dozens of countries, with different languages and different levels of maturity and basic understanding of risk management.

The Quest for a Common Methodology

While many security professionals have recognized the importance of using risk management practices in daily duties, only recently has a consensus regarding a common methodology come forth. ISO 31000 - Risk Management - Principles and Guidelines is the most recent international standard on the general subject of risk management. Published in November 2009, it is a relatively new publication. It is intended to be a broad-based "best practice" that can be applied to a "wide range of activities, including strategies and decisions, operations, processes, functions, projects, products, services and assets," and "applied to any type of risk, whatever its nature, whether having positive or negative consequences." This standard is accompanied by ISO 31010 - Risk Management - Risk Assessment Techniques.

In drilling down from the macro (ERM or ESRM) toward the micro (performing a security risk assessment), ASIS already has a guideline entitled ASIS General Security Risk Assessment Guideline. According to the guideline, it "provides a seven-step process that creates a methodology by which security risks at a specific location can be identified and communicated." Although it was published in 2003, predating ISO 31000, many of the tenets in this seven-step process are consistent with the new ISO standard. ASIS is also now forming a committee to develop a new Risk Assessment Standard (201X). According to Dr. Marc H. Siegel, Commissioner of the Global Standards Initiative at ASIS International, this new ASIS Standard "will be aligned with the ISO31000." All indicators seem to point to the new ISO 31000 standard becoming the base for a common methodology. …
