The New ESRM Best Practices for Risk Management
Let me ask you something: how closely does Security work with Business Continuity Planning (BCP) at your organization?
I asked this question during our ESRM Best Practices Panel at GSX 2024, and got some interesting answers.
“How many of your organizations separate their business continuity planning and security functions?” The majority of people raised their hands.
“How many of you would say the two groups have a good working relationship?” Again, there were several raised hands.
“How many of you are lying about that?” Hands went up again.
I appreciated the (reluctant) honesty in the room.
Security and BCP are natural partners, especially now that our industry is embracing Enterprise Security Risk Management (ESRM), which prioritizes a proactive, data-informed approach to physical security.
However, despite the rise of ESRM, many organizations are still siloing Security and BCP, using paper checklists, and clinging to other old ways of doing things. If we truly want to be proactive, it’s time for our industry to evolve past spreadsheets and the annual gap analysis.
Why is the industry moving away from traditional security practices?
When it’s time to evaluate the security of your enterprise’s sites, a traditional security approach is likely to bring in a subject matter expert (SME). This person visits your sites, makes notes, takes pictures, and records vulnerabilities. Then the expert disappears for a while to write up a comprehensive narrative report including their findings and recommendations.
What’s wrong with this process?
It’s subjective: Many assessments are based entirely on the experience and point of view of your particular SME. You could hire two different experts to assess the same site and receive two different reports.
It’s not a good use of your SMEs’ time and expertise: SMEs should not be conducting every assessment themselves. Your SMEs are much better utilized later in the assessment process, when you need their diagnosis of problems, and recommendations for mitigation.
There’s no action component to the report: Paper reports provide information about the risks at your sites and are helpful when your organization is applying for grants and insurance. However, reports should not be the end deliverable of a security assessment. There is no easy way to make the report actionable. Often someone has to manually enter data into a spreadsheet or project management platform - which can pose its own problems during remediation.
The data’s static: Paper reports provide a point-in-time picture of your organization’s security risk, rather than a continuous living document that is updated in real time and shows remediations as they are made.
What are ESRM best practices for managing risk and reducing liability?
ESRM relies on data, reporting, and collaboration between departments in an enterprise, as well as on new technologies, such as risk management software, to take a proactive approach to security.
Plan for all foreseeable scenarios: We often hear “we thought it would never happen” after an incident. Assume anything you can foresee can and will happen.
Go beyond security assessments: Rather than conducting security assessments, conduct risk analysis. Risk analysis is different — it’s data driven, and offers in-depth insights about the risk at each of your sites. For example, which scenario is most likely at each of your sites? Which threats should you prepare for first?
Create a strategic plan: Once you’ve assessed your risk, you should develop a strategic plan for each scenario. This is where security should be working with BCP and other stakeholders. If there’s a cyber attack, for example, it’s important to know how business will continue while the threat is dealt with.
Security is everyone’s job: It’s very easy to silo security and other departments, but security and BCP aren’t always on hand when an incident occurs — often maintenance workers are the first on the scene when something happens. Everyone should be aware of your strategies and business continuity plans.
Assess continuously: Security should be assessed and reassessed constantly. Risk is dynamic, and an assessment every year isn’t often enough. By using a risk management platform, you can analyze and update risk continuously, with site managers, maintenance staff and security officers actually updating the assessments.
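To make the difference between a static paper report and a living, data-driven risk analysis concrete, here is an added example (not code from the article or from any risk management product) of a small scenario-based risk register. It assumes a 5x5 likelihood-by-impact scale, assumes that each recorded control removes a fixed number of likelihood points, and uses constructed sites, threats, scores and dates. It ranks scenarios per site so you can see which threat to prepare for first, records a remediation agreed with BCP so the residual risk updates immediately rather than at the next annual review, and flags sites whose assessment has gone stale.

```python
"""Constructed risk register: per-site scenario ranking, live remediation tracking, staleness checks."""
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import Dict, List


@dataclass
class Control:
    applied_on: date
    description: str
    likelihood_reduction: int  # likelihood points this control removes (assumed additive model)


@dataclass
class Scenario:
    site: str
    threat: str
    likelihood: int  # 1 (rare) .. 5 (almost certain)
    impact: int      # 1 (negligible) .. 5 (severe)
    last_reviewed: date
    controls: List[Control] = field(default_factory=list)

    def inherent_risk(self) -> int:
        """Risk before any controls: likelihood x impact on the assumed 5x5 scale."""
        return self.likelihood * self.impact

    def residual_likelihood(self) -> int:
        """Likelihood after applied controls, never below 1 (a threat is never impossible)."""
        reduction = sum(c.likelihood_reduction for c in self.controls)
        return max(1, self.likelihood - reduction)

    def residual_risk(self) -> int:
        return self.residual_likelihood() * self.impact


def record_remediation(scenario: Scenario, applied_on: date,
                       description: str, likelihood_reduction: int) -> int:
    """Log a control as it is implemented; the register updates the moment it is recorded."""
    scenario.controls.append(Control(applied_on, description, likelihood_reduction))
    scenario.last_reviewed = max(scenario.last_reviewed, applied_on)
    return scenario.residual_risk()


def rank_scenarios(register: List[Scenario]) -> List[Scenario]:
    """Highest residual risk first; ties broken by site and threat so the order is stable."""
    return sorted(register, key=lambda s: (-s.residual_risk(), s.site, s.threat))


def top_threat_per_site(register: List[Scenario]) -> Dict[str, str]:
    """Answer 'which threat should each site prepare for first?' from the ranked register."""
    top: Dict[str, str] = {}
    for s in rank_scenarios(register):
        top.setdefault(s.site, s.threat)
    return top


def stale_sites(register: List[Scenario], today: date, max_age_days: int) -> List[str]:
    """Sites with any scenario not reviewed within the window (continuous assessment check)."""
    cutoff = today - timedelta(days=max_age_days)
    return sorted({s.site for s in register if s.last_reviewed < cutoff})


def build_register() -> List[Scenario]:
    """Constructed sample data: two sites, two foreseeable scenarios each."""
    return [
        Scenario("HQ", "unauthorized entry after hours", 4, 3, date(2024, 9, 15)),
        Scenario("HQ", "cyber attack on access control", 3, 5, date(2024, 9, 10)),
        Scenario("Warehouse", "theft from loading dock", 5, 2, date(2024, 5, 1)),
        Scenario("Warehouse", "severe weather", 2, 4, date(2024, 9, 1)),
    ]


if __name__ == "__main__":
    register = build_register()
    for s in rank_scenarios(register):
        print(f"{s.site:10} {s.threat:32} residual={s.residual_risk()}")
    cyber = next(s for s in register if s.threat == "cyber attack on access control")
    # Constructed remediation agreed with BCP: badge readers keep working if the network is down.
    record_remediation(cyber, date(2024, 9, 20), "offline fallback for badge readers, tested with BCP", 1)
    print("first priority per site:", top_threat_per_site(register))
    print("stale sites:", stale_sites(register, date(2024, 10, 1), 90))
```

Running the block shows the cyber scenario at HQ drop from the top of the list to second place as soon as the fallback control is logged, while the Warehouse is flagged because its loading-dock assessment is older than 90 days; that is the kind of change a paper report cannot reflect until someone rewrites it.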
How can your organization become more proactive? What challenges will your business face in 2024?