Lesson 1.3: Risk Management Fundamentals (ESRM)
Goal: To master the modern ASIS approach to risk—Enterprise Security Risk Management (ESRM)—and the risk assessment process.

Learning Objectives:
- Define ESRM and the role of the Asset Owner vs. Security Manager.
- Calculate risk using the standard variables.
- Differentiate between Quantitative and Qualitative analysis.
Key Terms:
- Asset: Anything that has value to the organization (People, Property, Information, Reputation).
- Threat: An adversary or event that can harm an asset.
- Vulnerability: A weakness that can be exploited by a threat.
- Risk: The probability that a threat will exploit a vulnerability to cause harm.
Core Content:
- The ESRM Philosophy:
  - Old View: Security owns the risk and fixes it.
  - ESRM View: The Asset Owner (business leader) owns the risk. The Security Manager is the subject matter expert (SME) who advises on mitigation. The Asset Owner decides whether to accept the risk or pay to mitigate it.
- The Risk Equation: Risk = Threat x Vulnerability x Impact (Consequence)
  - If any variable is zero, the Risk is zero.
- Risk Treatment Options (The 4 T’s):
  - Treat (Mitigate): Implement controls (e.g., install cameras).
  - Transfer: Move the financial risk to a third party (e.g., Insurance, Outsourcing).
  - Tolerate (Accept): Acknowledge the risk but do nothing (usually because the cost of protection > value of asset).
  - Terminate (Avoid): Stop the activity causing the risk (e.g., close a branch office in a war zone).
- Assessment Methods:
  - Quantitative: Uses numbers and money (e.g., Annual Loss Expectancy). Data-heavy, objective.
  - Qualitative: Uses descriptive scales (e.g., High/Medium/Low). Subjective, faster, easier.

Simulation 1.3: The Risk Assessment Dilemma
- The Scenario: You are the Security Director for a retail chain. You are opening a new store in a neighborhood with a very high rate of vandalism (graffiti, broken windows) but a very low rate of violent crime. Your budget is tight. The Regional Manager wants to spend $50,000 on armed guards to “scare off the bad guys.”
- The Decision: Do you approve the armed guards?
- ASIS Analysis: No. You should reject the armed guards.
- Why? According to ESRM, you must align mitigation with the specific risk. High vandalism (property crime) does not justify the high liability and cost of lethal force (armed guards). The correct “Treatment” is Target Hardening (shutters, lighting, anti-graffiti paint) and perhaps unarmed patrols. Deploying armed guards against graffiti is a misalignment of risk and mitigation.
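The risk equation and the quantitative (Annual Loss Expectancy) comparison behind this simulation, as an added example that is not part of the course material. The dollar figures, event rates and control effects are constructed assumptions for the scenario, and the SLE x ARO breakdown of ALE is the standard quantitative method rather than something the lesson spells out.

```python
# Added example (not ASIS course code): the lesson's risk equation plus an
# ALE-based comparison of treatment options; all figures are constructed.
from dataclasses import dataclass

def risk_score(threat: float, vulnerability: float, impact: float) -> float:
    """Risk = Threat x Vulnerability x Impact; any zero factor makes risk zero."""
    return threat * vulnerability * impact

@dataclass(frozen=True)
class Exposure:
    """Quantitative view of one threat against the store."""
    name: str
    sle: float  # single loss expectancy: dollars lost per successful event
    aro: float  # annualized rate of occurrence: successful events per year

    def ale(self) -> float:
        """Annual Loss Expectancy = SLE x ARO."""
        return self.sle * self.aro

@dataclass(frozen=True)
class Treatment:
    """A 'Treat' option: yearly cost and the ARO left for each named threat."""
    name: str
    annual_cost: float
    residual_aro: dict[str, float]  # threats not listed are unaffected

    def net_benefit(self, baseline: list[Exposure]) -> float:
        """ALE avoided minus control cost; negative means the control costs
        more than the loss it prevents, i.e. mitigation misaligned with risk."""
        residual = sum(e.sle * self.residual_aro.get(e.name, e.aro) for e in baseline)
        return sum(e.ale() for e in baseline) - residual - self.annual_cost

def recommend(baseline: list[Exposure], options: list[Treatment]) -> str:
    """Best-paying Treat option, or Tolerate when no option pays for itself."""
    best = max(options, key=lambda t: t.net_benefit(baseline))
    return best.name if best.net_benefit(baseline) > 0 else "Tolerate"

# Constructed store profile: frequent, cheap property crime; rare, costly violence.
STORE = [Exposure("vandalism", sle=2_000, aro=12),
         Exposure("violent crime", sle=500_000, aro=0.02)]
OPTIONS = [  # control effects are assumptions, not measured data
    Treatment("armed guards", 50_000, {"vandalism": 8, "violent crime": 0.01}),
    Treatment("target hardening", 8_000, {"vandalism": 3}),
]

if __name__ == "__main__":
    for t in OPTIONS:
        print(f"{t.name}: net annual benefit ${t.net_benefit(STORE):,.0f}")
    print("ESRM recommendation:", recommend(STORE, OPTIONS))
```

With these figures the $50,000 armed-guard option avoids only $13,000 of expected loss a year, while the cheaper target-hardening option avoids $18,000, which is the misalignment the simulation describes expressed in numbers.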