ERM Demystified

Chase Farms in Walkerville, Mich., didn’t plan to turn video surveillance into a risk management tool; it just happened.

The agricultural producer originally set out to watch over a seasonal work force by positioning Internet protocol (IP) cameras wherever they were needed. Because the cameras recorded the pace and volume of each day’s harvest and processing, the number of laborers working specific fields and the number and frequency of truck pick-ups, Chase realized the cameras were providing a wealth of information it could use to more efficiently manage business operations.

With quantifiable numbers, Chase could better anticipate labor requirements, match shipments to hourly volume, reduce waste, increase safety and compliance and train new workers faster. Savings from all of these improvements plummeted to the bottom line. Beyond reducing Chase Farms’ exposure to theft and other physical security vulnerabilities, the process contributed to measurable reductions in workplace accidents, emergency response time, and product spoilage and loss.

Security tools such as video cameras, management software and analytics applications once perceived as purely surveillance tools now have a key role in managing corporate risk, says Eric Fullerton, president of the U.S. office for Milestone Systems A/S, Brøndby, Denmark, which supplies video management software to Chase Farms.

Enterprise risk management is one of many buzzwords bandied about the executive suite these days. Because it is often an ill-defined term, it can be intimidating to chief security officers who suddenly find themselves part of an ERM initiative emanating from the corporate board. In truth, once launched, ERM is a fairly simple process.

Most companies have ERM principles in place, although they may never have been identified or qualified as such. Nonetheless, a sudden directive from the executive suite, accompanied by few details, that department managers collaborate on an ERM plan can add pressure and confusion.

But it shouldn’t be overwhelming. ERM might be the new watchword of the day, but it is what security has done for years, says Bob Hayes, managing director of the Security Executive Council, a Marietta, Ga.-based professional association of CSOs. ERM is about protecting the assets of the corporation. What’s new is that, because of compliance laws designed to protect corporate shareholders, such as the Sarbanes-Oxley Act, ERM has senior management attention.

“A lot of this was done internally, but it didn’t go very high in the organization,” Hayes says. “Now it has to be reported and monitored by the board.”

A Convergence Driver

ERM also goes hand-in-hand with convergence. First, there’s convergence from a management perspective. Once senior managers get involved, they look at how security operations can be applied to a broader ERM strategy that takes in finance, information technology and even marketing and branding.

“What’s changing is that the board and executive management are looking at all hazards and all risks and asking for a plan that handles all,” Hayes says. Business continuity, disaster recovery, emergency planning, supplier disruption planning, weather emergency planning and crisis management planning, which may all have once been independent processes, are unified under one plan.

This process is not much of a shift for CSOs in the Fortune 1000, Hayes says, but for some in the “Fortune 50,000,” it can be very different. “It’s new for companies that have never done this before,” he says.

Broader Role For CSO

For security professionals, ERM presents new opportunities.

“The CSO needs to assist in crafting a security policy plan,” says Mario Sanchez, chief security architect for Hewlett-Packard’s ProCurve unit, Palo Alto, Calif.

Questions of risk must be viewed from a holistic perspective that addresses both the protection of tangible assets -- people and property -- as well as intangibles such as brand equity. “It’s a process, not a product,” Sanchez says.

John Szczygiel, president of Mate Inc., McLean, Va., the U.S. subsidiary of Israel’s Mate Ltd., agrees. “ERM forces a CSO to put the security investment in the context of a number of possible risk responses,” he says. Those responses cross IT, human resources, financial and legal departments. As a result, risk becomes more broadly defined, Szczygiel says.

Szczygiel, who is also vice chairman of the Open Security Exchange, a cross-industry forum promoting platform interoperability, says another change is that many CSOs now must create a business case for their investments.

That means assessing the impact of a negative event, delineating methods to handle the risk and articulating the cost. Szczygiel offers key questions: “What’s the right place to protect? Where is the risk to expose? Can you weigh business objectives against the corporate risk appetite?”

A CSO who can supply a board with the answers to these questions can end up being elevated to a position where he or she is creating solutions that allow the business to expand, Szczygiel says. He advises CSOs not to view the business case requirement as just a layer of overhead but as an opportunity to work “elbow to elbow as a partner” with other executives in creating and protecting value for the company and its shareowners.

Converged And Open

Along with organizational convergence comes technology convergence. ERM arguably would not be possible without the convergence of physical and logical security.

“When people talk about ERM, even without realizing it, it turns into a convergence discussion,” says Fredrik Nilsson, general manager with Axis Communications Inc., Chelmsford, Mass., the U.S. unit of Sweden’s Axis Communications AB.

The integration of physical and logical security stimulates a process that is greater than the sum of its parts. IP integration allows CSOs to network surveillance, access control and system sensors to derive information that can be used to create more business value and efficient operations.

Data from converged systems also enables better risk identification, evaluation and management. This in turn leads to additional IP integration of security systems. It’s a virtuous circle.

It’s almost a given that there is a robust IP network within the enterprise to support convergence, says Nilsson, who argues using IP-based products is the best way to manage security convergence. “It’s the only way to ensure the operation is keeping current with technology evolution,” he says.

Milestone’s Fullerton emphatically agrees. “A CSO must choose a truly open platform to get best-of-breed. No one today knows what the best piece of equipment will be tomorrow,” he says. “That’s why it’s important to choose an ecosystem with partners that play together.”

“They must be able to incorporate the benefits of new technology when it comes along,” adds Fred Wallberg, director of marketing for the Americas at Milestone.

SEC’s Hayes, however, advises end users not to get too caught up in breathless vendor pitches. They still should consider costs, and even a sound ERM program doesn’t necessarily call for a forklift overhaul.

“Would I put in an all-new system for that reason?” he asks. “No.”

Hayes advises that CSOs begin with systems that help them assess the threats they face and how they are prepared to handle them. “I think there are products that will help,” he says.

Analytics And Other Tools

Hayes is referring to analytics and situation awareness tools, which sit on top of a security system and gather information that can be analyzed and mined for security weaknesses and vulnerabilities. Users then set policies and procedures via the software that identify and confirm a threat or emergency and ensure a proper response. Vendors include Orsus, New York, and Or Yehuda, Israel; ioimage, Herzliya, Israel; and Mate.

Analytics and forensic tools also can help strengthen the all-important value proposition, says Dvir Doron, vice president of marketing for ioimage. Analytics, he says, provide statistical information for aggregating types of threats and their causes, a key ERM data set. “It is instructional in providing information patterns -- high-risk sites, high-risk time frames,” Doron says.

This approach can be especially effective in achieving cooperation and buy-in from IT security counterparts, who already are accustomed to making procurement cases through identification and cataloguing of events, adds John Whiteman, ioimage’s vice president and general manager for the Americas.

“The equipment a CSO has becomes more valuable to the organization. All of a sudden you can extract value from that,” says Rafi Bhonker, Orsus’ vice president of marketing (see “Finding Danger in the Data,” April 2008). Situation management systems allow CSOs to map the risk concepts, he says.

“The platform takes the ERM concept and implements it in a way you can use,” Bhonker says. Consultants are big on the “book” -- the binder that describes top to bottom security policies -- but in the heat of the moment, Bhonker says, “no one’s going to open the book.”

Stay On Target

Threats and vulnerabilities are always changing. That’s why CSOs must work to understand not just security issues purely related to physical protection but also the larger risks their organizations face. Security at a defense contractor or pharmaceutical company might be excellent at stopping trespassers or blocking a denial of service attack but fail to recognize other threats.

“The threat landscape is more professional,” ProCurve’s Sanchez says. “Attacks are elegant and finessed.” For example, someone may use a password-guessing program to log on to a corporate network, or they may simply try to walk off with a laptop or flash drive left in an unsecured area.

“People are after information, not to take down the network for the sake of doing it,” Sanchez says. “It’s important not to remain stagnant in the ever-changing environment.” But there’s no reason this should happen, Bhonker says.

Because of ERM, enterprises are making security a strategic part of the organization. “ERM is an issue to everyone,” he says. Certain verticals -- transportation, seaports, airports, railroads -- are ahead of the curve because of their high-profile vulnerability. But ERM-driven convergence is visible in the growing trend of end users investing in interoperable video, access control, radar, infrared systems, emergency notification, analytics and situation management.

“Two years ago, no RFP addressed this,” Bhonker says. “Now there are RFPs that are very specific as to how the end user wants all their technologies to work in a coordinated manner.”
