ASIS is embracing the Enterprise Security Risk Management (ESRM) methodology, which can help bridge the gap between security management and business leadership.
We need your help to begin building the ESRM brand within the Chapters and Councils. ASIS has launched the ESRM Board Initiative, which is tasked with infusing the ESRM methodology into the DNA of ASIS, its membership, and ultimately the security industry.

Tim Wenzel, CPP, and Ray O’Hara, CPP, are heading up this initiative. If you have any interest or would like to learn more, please reach out to them at ESRM@asisonline.org.

A presentation on this topic has been prepared and can be viewed [here].

When ESRM principles are applied, the security function changes completely — from a set of tasks, performed discretely, to a role. It’s no longer about checking IDs at entrance gates, or installing antivirus software, or trying to keep employees from stealing from retail stores. That doesn’t mean those functions aren’t important anymore. But it does mean that when they’re performed, they’re performed for a reason. ESRM means security decisions are made by the right person, with the right authority and accountability, and for the right reasons — reasons based on defined risk principles.

What does this mean in practice? In its simplest terms, it means that instead of just “doing security” the way we always have, we first ask ourselves some fundamental, and fundamentally important, questions. Here are a few of the most basic:

  • “What’s the asset we need to protect?”
  • “What’s the risk associated with that asset?”
  • “Who’s responsible for that risk?”
  • “How should we mitigate the risk, and how should we respond if the risk becomes a reality?”

To find out more, contact Tim or Ray at ESRM@ASISonline.org.

ESRM diagram