Enterprise Security Risk Management
The key to managing changes in the security risk environment brought about by the ongoing evolution of Enterprise Security Risk Management (ESRM) is to focus on risk-based security management. The protection and function of business operations in the risk environment goes beyond the scope of just information security. The risks associated with networked devices transcend technology and reach deep into the domain of overall business resiliency.
Flexibility of the organization enables it to respond quickly, change focus and alter activities to keep meeting the organizations mission and goals no matter what is happening. It is a philosophy that relies more on an attitude of preparedness, and on understanding that a crisis is likely to occur no matter how many mitigation plans you put in place, than on rules for responding to a crisis event. Organizational flexibility is a team approach that allows the risk managers and business leaders to work together in a partnership to ensure that critical functions can continue to operate.
In addition to information technology personnel and upper management, internal auditors play an important role in evaluating the risk-management processes of an organization and advocating their continued improvement. However, to preserve their organizational independence and objective judgment, internal audit professional standards indicate the function should not take any direct responsibility for making risk management decisions for the organization or managing the risk-management function.
A bank’s internal auditors typically perform an annual risk assessment of the organization, to develop a plan of audit engagements for the upcoming year. This plan is updated at various frequencies in practice. This typically involves review of the various risk assessments performed by the organization, consideration of prior audits, and interviews with a variety of senior management. It is designed for identifying audit projects, not to identify, prioritize, and manage risks directly for the organization.
ESRM is a security paradigm that is a perfect response to the kinds of changing risk environments associated with organizations. It is a risk-based security management philosophy that focuses on building partnerships across your business to manage security risk and to ensure that your business leaders are making educated risk decisions for their assets and critical functions. ESRM embraces risk identification and mitigation while at the same time recognizing that businesses need to sometimes take risks to succeed. It enables business owners and security practitioners to work together to find the best solution for protecting your organization without interfering with their ability to perform their job functions.