In a recent article John Petruzzi, CPP, 2018 secretary-elect, ASIS International Board of Directors, explained why the organization is focusing strongly on enterprise security risk management (ESRM) and why the foundational ideas of ESRM can change the risk profession as a whole.
In the article, Mr. Petruzzi defines ESRM as ‘a security program management approach that links security activities to an enterprise's mission and business goals through risk management methods’. The security leader's role in ESRM is to manage risks of harm to enterprise assets in partnership with the business leaders whose assets are exposed to those risks. ESRM involves educating business leaders on the realistic impacts of identified risks, presenting potential strategies to mitigate those impacts, and then enacting the option chosen by the business in line with its accepted level of risk tolerance.
An agreed approach to ESRM is set out in the ESRM Life Cycle Model, which will be ‘expanded on in 2018 and 2019 as part of an exciting new ASIS initiative to promote ESRM in the security industry,’ says Mr. Petruzzi.
On November 15th a project charter was approved by the ASIS International Board of Directors. The charter calls for four value streams:
- ESRM Standards and Guidelines
- Education / Certification / Research
- Marketing and Communications
- ESRM Support Tools.
Each project stream will be carried out over 2018 and 2019, led by a board sponsor and an ESRM subject matter expert, teamed with volunteers from around the globe, and staff members from ASIS headquarters.