
Page 1

Characteristics and Metrics of a Mature Corporate ESRM Program

September 9, 2019

Page 2

Introductions

Toby Houchens, Founder & CEO

Alpha Recon

[email protected]

Page 3

Agenda

• Challenges

• Background of risk management

• The case for security in risk management

• Factors of value

• Factors of maturity

Page 4

The Challenge of ESRM


Page 5

Challenges

• Lack of event-driven motivation for change

• Risk culture vs. security culture

• Change resistance

• Immature standards and supporting guidelines

• Lack of academic study

• Lack of understanding of how security impacts risk

• Perception of security as a cost center

Page 6

Background


Page 7

Timeline and evolution of risk management

[Timeline figure; axis labels recovered: 2000, 2010, 2019]

Page 8

Enterprise Risk Management (ERM)

Enterprise risk management is a process, effected by an entity’s board of directors, management and other personnel, applied in strategy setting and across the enterprise, designed to identify potential events that may affect the entity, and manage risk to be within its risk appetite, to provide reasonable assurance regarding the achievement of entity objectives.

COSO 2004

Page 9

ISO

• International Organization for Standardization

• ISO is an independent, non-governmental international organization with a membership of 164 national standards bodies.

• Through its members, it brings together experts to share knowledge and develop voluntary, consensus-based, market relevant International Standards that support innovation and provide solutions to global challenges.

• ISO 31000

Page 10

COSO

Committee of Sponsoring Organizations of the Treadway Commission (COSO), which is dedicated to providing thought leadership through the development of comprehensive frameworks and guidance on internal control, enterprise risk management, and fraud deterrence designed to improve organizational performance and oversight and to reduce the extent of fraud in organizations.

Page 11

Characteristics of ERM (COSO)

• A process, ongoing and flowing through an entity

• Effected by people at every level of an organization

• Applied in strategy setting

• Applied across the enterprise, at every level and unit, and includes taking an entity-level portfolio view of risk

• Designed to identify potential events that, if they occur, will affect the entity and to manage risk within its risk appetite

• Able to provide reasonable assurance to an entity’s management and board of directors

• Geared to achievement of objectives in one or more separate but overlapping categories

Page 12

Updates from COSO (2017)

• Value is maximized when management sets strategy and objectives to strike an optimal balance between growth and return goals and related risks, and efficiently and effectively deploys resources in pursuit of the entity’s objectives.

• More clearly connects enterprise risk management with a multitude of stakeholder expectations.

• Positions risk in the context of an organization’s performance, rather than as the subject of an isolated exercise.

• Enables organizations to better anticipate risk so they can get ahead of it, with an understanding that change creates opportunities, not simply the potential for crises

Page 13

Characteristics of ERM (ISO)

• ISO 31000 starts from the premise that risk management establishes and sustains value.

• Organizations need to integrate ERM as part of all organizational processes.

• Include risk in decision making, using the best information available.

• ERM requires a systematic, structured, and timely process.

• Organizations need to tailor their ERM to their specific risks. To do so, they need to integrate human and cultural factors so that stakeholder needs are addressed, and practice transparent and inclusive risk management.

• Respond to change by being dynamic and iterative in their process.

Page 14

The Case for Security


Page 15

ESRM: What It Is

ESRM is a strategic approach to security management that ties an organization’s security practice to its mission and goals using globally established and accepted risk management principles.

Page 16

ESRM: What It Isn’t

• It’s not Security Convergence:

  • Convergence integrates IT and Physical under one team

  • The degree of integration identifies the degree of convergence

  • First efforts were based on budget

• It’s not Enterprise Risk Management:

  • ERM manages all company risk

  • ESRM is a component of ERM

  • ESRM uses a similar philosophy to manage security risks

* A mature ESRM program encompasses all aspects of security risk mitigation practices to prevent security risk impacts to the enterprise.

* ESRM does not require an ERM program to be successful, but the presence of an ERM program can ease the process of ESRM adoption.

Page 17

Security’s value

“In summary, an organization's current policies and procedures regarding its risk frame, ability to assess risk, response to risk, and monitoring capabilities help increase its overall effectiveness.”

Waithe, E. (2016). An analysis of enterprise risk management and IT effectiveness constructs.

“In addition to globalization trend which facilitates the quick spread of any local disruption, the increasing interconnection of different types of risks makes the matter even worse. That is, different categories of business risks are not independent of each other.”

Elahi, E. (2013). Risk management: The next source of competitive advantage. Foresight : The Journal of Futures Studies, Strategic Thinking and Policy, 15(2), 117-131.

Page 18

Case studies in ESRM

• Cemex (one of the pioneers)

  • Intel-driven ESRM, measured

• Manufacturing/Power

  • “We built a Bayesian model in power enterprise safety risk management, which can identify the risk source from four areas which include human factors, equipment factors, environmental factors, and management factors.”

    Guo, J; Shen, X (2010). 2010 3rd International Conference on Advanced Computer Theory and Engineering

• Pharma

  • Growing security/risk complex

• Law enforcement/Education

  • More integrated, holistic, and cultural GSOC across threats

Page 19

ESRM Strategic Approach

• ESRM Cycle:

  • Identify & Prioritize Assets

  • Identify & Prioritize Risks

  • Mitigate Prioritized Risks

  • Continuous Improvement

• ESRM Context:

  • Mission & Vision

  • Core Values

  • Operating Environment

  • Stakeholders

• ESRM Foundation:

  • Holistic Risk Management

  • Partnership with Stakeholders

  • Transparency

  • Governance

Used with permission

Page 20

ESRM: Value


Page 21

The Achilles heel

Page 22

Risk Classifications

Page 23

ERM Value

• Increasing the range of opportunities

• Identifying and managing risk entity-wide

• Increasing positive outcomes and advantage while reducing negative surprises

• Reducing performance variability

• Improving resource deployment

• Enhancing resilience and continuity

Does security impact any of these?

Page 24

Value components of ESRM

• Strategic, Operational, Tactical

• Surveillance, Risk intelligence

• Asset impact understanding

• Exposure dynamics

• Liability Control

• Efficiency

• Decision making support, Advantages

• Culture

• Subject matter expertise (indicators)

Page 25

ESRM Benefits to Security Professionals

• Enabling security to define its own role as advisor and strategic partner of asset owners, stakeholders, and top management;

• Developing a better understanding of the organization and its overall strategy;

• Improving communication and interaction opportunities with diverse stakeholders (internal and external) to learn what they consider important;

• Developing a more timely and comprehensive understanding of security risks;

• Obtaining greater support from asset owners by better aligning security efforts with their needs; and

• Enabling innovative problem solving by increasing focus on the concepts of risk as opposed to the specific tactics used to mitigate risk.

Page 26

ESRM Benefits to the Organization

• Enabling enterprise-level risk-based decisions, supporting the organization’s mission and objectives;

• Enabling asset owners & stakeholders to develop a greater, consistent understanding of security’s role;

• Providing a mechanism to elevate identified security risks to top management;

• Better alignment of security resources & organizational strategy to effectively manage prioritized risk;

• Improving effectiveness and efficiency of the security program;

• Early identification and proactive monitoring of threats and vulnerabilities;

• More effective risk prioritization & mitigation based on partnership between security & asset owners;

• Improving engagement with stakeholders with a vested interest in the security of the organization;

• Better support for the organization’s legal, regulatory, contractual, and internal audit responsibilities;

• Integrating security into the culture of the organization; and

• Enhancing organizational resilience and event response capabilities, to include crisis management.

Page 27

ESRM: Maturity


Page 28

Maturity Factors

• Horizontal organization

• Communication development and structures

• Organizational commitment levels

• Culture, training, transparency

• Authority and leverage

• Accountability mapping and consequences

• Degree of integration in strategy, processes, prioritized activities

• Monitoring continuum: success, failure, and self-actualization

• Metrics, case studies, tangible gains

Page 29

Metrics

• Inclusion

• Total exposure

• Changes in exposure

• Accomplished goals

• Spend/Efficiency

• Intelligence gain

• Decision making support

• Technology/BI development

Page 30

Maturity Levels and Models

[Maturity ladder figure; levels recovered from the slide: Initial, Managed, Defined, Quantitative, Optimizing]

Page 31


Questions and Answers…

Page 32

Thank you!

Toby Houchens, Founder & CEO

Alpha Recon

[email protected]