ERM Demystified

Chase Farms in Walkerville, Mich., didn’t plan to turn video surveillance into a risk management tool; it just happened.

The agricultural producer originally set out to watch over a seasonal work force by positioning Internet protocol (IP) cameras wherever they were needed. Because the cameras recorded the pace and volume of each day’s harvest and processing, the number of laborers working specific fields and the number and frequency of truck pick-ups, Chase realized the cameras were providing a wealth of information it could use to more efficiently manage business operations.

With quantifiable numbers, Chase could better anticipate labor requirements, match shipments to hourly volume, reduce waste, increase safety and compliance and train new workers faster. Savings from all of these improvements dropped to the bottom line. Beyond reducing Chase Farms’ exposure to theft and other physical security vulnerabilities, the process contributed to measurable reductions in workplace accidents, emergency response time, and product spoilage and loss.

Security tools such as video cameras, management software and analytics applications, once perceived as purely surveillance tools, now have a key role in managing corporate risk, says Eric Fullerton, president of the U.S. office for Milestone Systems A/S, Brøndby, Denmark, which supplies video management software to Chase Farms.

Enterprise risk management is one of many buzzwords bandied about the executive suite these days. Because it is often an ill-defined term, it can be intimidating to chief security officers who suddenly find themselves part of an ERM initiative emanating from the corporate board. In truth, once launched, ERM is a fairly simple process.

Most companies have ERM principles in place, although they may never have been identified or qualified as such. Nonetheless, a sudden directive from the executive suite, accompanied by few details, that department managers collaborate on an ERM plan can add pressure and confusion.

But it shouldn’t be overwhelming. ERM might be the new watchword of the day, but it is what security has done for years, says Bob Hayes, managing director of the Security Executive Council, a Marietta, Ga.-based professional association of CSOs. ERM is about protecting the assets of the corporation. What’s new is that, because of compliance laws designed to protect corporate shareholders such as the Sarbanes-Oxley Act, ERM has senior management attention.

“A lot of this was done internally, but it didn’t go very high in the organization,” Hayes says. “Now it has to be reported and monitored by the board.”

A Convergence Driver

ERM also goes hand-in-hand with convergence. First, there’s convergence from a management perspective. Once senior managers get involved, they look at how security operations can be applied to a broader ERM strategy that takes in finance, information technology and even marketing and branding.

“What’s changing is that the board and executive management are looking at all hazards and all risks and asking for a plan that handles all,” Hayes says. Business continuity, disaster recovery, emergency planning, supplier disruption planning, weather emergency planning and crisis management planning, which may all have once been independent processes, are unified under one plan.

This process is not much of a shift for CSOs in the Fortune 1000, Hayes says, but for some in the “Fortune 50,000,” it can be very different. “It’s new for companies that have never done this before,” he says.

Broader Role For CSO

For security professionals, ERM presents new opportunities.

“The CSO needs to assist in crafting a security policy plan,” says Mario Sanchez, chief security architect for Hewlett-Packard’s ProCurve unit, Palo Alto, Calif.

Questions of risk must be viewed from a holistic perspective that addresses both the protection of tangible assets -- people and property -- as well as intangibles such as brand equity. “It’s a process, not a product,” Sanchez says.

John Szczygiel, president of Mate Inc., McLean, Va., the U.S. subsidiary of Israel’s Mate Ltd., agrees. “ERM forces a CSO to put the security investment in the context of a number of possible risk responses,” he says. Those responses cross IT, human resources, financial and legal departments. As a result, risk becomes more broadly defined, Szczygiel says.

Szczygiel, who is also vice chairman of the Open Security Exchange, a cross-industry forum promoting platform interoperability, says another change is that many CSOs now must create a business case for their investments.

That means assessing the impact of a negative event, delineating methods to handle the risk and articulating the cost. Szczygiel offers key questions: “What’s the right place to protect? Where is the risk to expose? Can you weigh business objectives against the corporate risk appetite?”

A CSO who can supply a board with the answers to these questions can end up being elevated to a position where he or she is creating solutions that allow the business to expand, Szczygiel says. He advises CSOs not to view the business case requirement as just a layer of overhead but as an opportunity to work “elbow to elbow as a partner” with other executives in creating and protecting value for the company and its shareowners.

Converged And Open

Along with organizational convergence comes technology convergence. ERM arguably would not be possible without the convergence of physical and logical security.

“When people talk about ERM, even without realizing it, it turns into a convergence discussion,” says Fredrik Nilsson, general manager with Axis Communications Inc., Chelmsford, Mass., the U.S. unit of Sweden’s Axis Communications AB.

The integration of physical and logical security stimulates a process that is greater than the sum of its parts. IP integration allows CSOs to network surveillance, access control and system sensors to derive information that can be used to create more business value and efficient operations.

Data from converged systems also enables better risk identification, evaluation and management. This in turn leads to additional IP integration of security systems. It’s a virtuous circle.

It’s almost a given that there is a robust IP network within the enterprise to support convergence, says Nilsson, who argues using IP-based products is the best way to manage security convergence. “It’s the only way to ensure the operation is keeping current with technology evolution,” he says.

Milestone’s Fullerton emphatically agrees. “A CSO must choose a truly open platform to get best-of-breed. No one today knows what the best piece of equipment will be tomorrow,” he says. “That’s why it’s important to choose an ecosystem with partners that play together.”

“They must be able to incorporate the benefits of new technology when it comes along,” adds Fred Wallberg, director of marketing for the Americas at Milestone.

SEC’s Hayes, however, advises end users not to get too caught up in breathless vendor pitches. They still should consider costs, and even a sound ERM program doesn’t necessarily call for a forklift overhaul.

“Would I put in an all-new system for that reason?” he asks. “No.”

Hayes advises that CSOs begin with systems that help them assess the threats they face and how they are prepared to handle them. “I think there are products that will help,” he says.

Analytics And Other Tools

Hayes is referring to analytics and situation awareness tools, which sit on top of a security system and gather information that can be analyzed and mined for security weaknesses and vulnerabilities. Users then set policies and procedures via the software that identify and confirm a threat or emergency and ensure a proper response. Vendors include Orsus, New York, and Or Yehuda, Israel; ioimage, Herzliya, Israel; and Mate.

Analytics and forensic tools also can help strengthen the all-important value proposition, says Divr Doron, vice president of marketing for ioimage. Analytics, he says, provide statistical information for aggregating types of threats and their causes, a key ERM data set. “It is instructional in providing information patterns -- high-risk sites, high-risk time frames,” Doron says.

This approach can be especially effective in achieving cooperation and buy-in from IT security counterparts, who already are accustomed to making procurement cases through identification and cataloguing of events, adds John Whiteman, ioimage’s vice president and general manager for the Americas.

“The equipment a CSO has becomes more valuable to the organization. All of a sudden you can extract value from that,” says Rafi Bhonker, Orsus’ vice president of marketing (see “Finding Danger in the Data,” April 2008). Situation management systems allow CSOs to map the risk concepts, he says.

“The platform takes the ERM concept and implements it in a way you can use,” Bhonker says. Consultants are big on the “book” -- the binder that describes top to bottom security policies -- but in the heat of the moment, Bhonker says, “no one’s going to open the book.”

Stay On Target

Threats and vulnerabilities are always changing. That’s why CSOs must work to understand not just security issues purely related to physical protection but also the larger risks their organizations face. Security at a defense contractor or pharmaceutical company might be excellent at stopping trespassers or blocking a denial of service attack but fail to recognize other threats.

“The threat landscape is more professional,” ProCurve’s Sanchez says. “Attacks are elegant and finessed.” For example, someone may use a password-guessing program to log on to a corporate network, or they may simply try to walk off with a laptop or flash drive left in an unsecured area.

“People are after information, not to take down the network for the sake of doing it,” Sanchez says. “It’s important not to remain stagnant in the ever-changing environment.” But there’s no reason this should happen, Bhonker says.

Because of ERM, enterprises are making security a strategic part of the organization. “ERM is an issue to everyone,” he says. Certain verticals -- transportation, seaports, airports, railroads -- are ahead of the curve because of their high-profile vulnerability. But ERM-driven convergence is visible in the growing trend of end users investing in interoperable video, access control, radar, infrared systems, emergency notification, analytics and situation management.

“Two years ago, no RFP addressed this,” Bhonker says. “Now there are RFPs that are very specific as to how the end user wants all their technologies to work in a coordinated manner.”
