
EXCLUSIVE: Risk management and agility in uncertain times


Tim Wenzel, Associate Managing Director of ESRM at Kroll, outlines the crucial steps to take when developing a risk management plan for the future.

Looking toward the future

Q4 is here. As 2023 comes to a close, all eyes are turning toward 2024. Wrapping up the year, measuring our progress, contemplating goals and the roadmap for next year.

It’s the same old exercise to address a year that has been anything but the same.

The popularity of ChatGPT has given new life to the AI debate, while kidnappers are using that technology to deepfake ransom calls of people who weren’t abducted.

Economic uncertainty continues to spur layoffs and diminish stockholder trust. Add to this the political instability which defines the year.

From wars to coups to deeply divided countries and cultures all over the world, confidence in alliances and institutions has been shaken.

The overwhelming fact is that the businesses we serve are still in flux since the beginning of the pandemic, more than three years ago.

Our attempts to normalize and stabilize life have been futile. We thought the ability to travel and be together in person again would reset everything.

We thought that opening the offices again would usher in normalcy. We thought the “new normal” we heard so much about would fall into place, resembling the normal we had once taken for granted.

Looking toward 2024, the only promise is continued change and uncertainty. We remain suspended in a form of purgatory where reality is difficult to define.

What foundations have we built our programs upon which are no longer true?

I asked my team this question because the global program I led had been built on specific assumptions and conditions that were erased in 2020.

Certain types of work would be done in specific environments, utilizing well-designed safeguards and controls.

People would act and conduct business according to specific protocols.

However, KPIs in well-established, peer-reviewed security programs which were once vibrant illustrations of risks mitigated are now the identifiers of gaps.

The world has changed, rendering our once premier strategies ineffective or obsolete. The risk remains, yet it remains outside of our control.

Are you feeling this as well?

The new operational environment for the foreseeable future can be described as “change is always.”

Change creates risk and opportunity. While businesses may be primed to take advantage of both, security departments tend to be far less agile.

We need a strategy to become agile and remain relevant in this tumultuous environment.

Enterprise security risk management

I have good news. Enterprise security risk management (ESRM) can help foster agility and relevance within security departments.

Last year, my article ESRM: Starting with coffee was published in SJA. I discussed how enterprise security risk management could be used to understand the role of security within any business, within any culture.

I also discussed how it could create alignment with stakeholders and solidify the purpose and mission of security in their eyes.

The core philosophy of enterprise security risk management is to get security practitioners away from thinking of security as the things that we do and to help them understand and define security as a genre of risk management.

“Properly understood, ESRM provides an excellent framework to study the organization you serve…”

Tim Wenzel, ESRM: Starting with Coffee | SJA Dec 2022

What is no longer true?

Take a look at your policies, your security programs, all your documentation and begin to redline everything that is no longer true or is far less relevant.

This could include your reporting structure as you’ve possibly lost people to layoffs or staffing difficulties, resulting in a lack of good people willing to work in some roles.

This could be facilities or operations that were once the hallmark of the business but are no longer relevant, business activities or security programs that have been defunded.

Create a visual of everything that you’ve built upon but is no longer true or relevant. What is left? What are you protecting, with what resources, in what environments?

Time to move forward. The core four-step process of enterprise security risk management is:

  1. Identify and prioritize assets
  2. Identify and prioritize the risks to the prioritized assets
  3. Risk management as the business dictates
  4. Monitor and analyze results, improve processes, begin the cycle again

I’m sure you’ve heard this before, but let’s contextualize this to account for the “change is always” environment.

Step 1

Identify and prioritize assets – it is crucial to align with the organization’s current priorities. In the “change is always” operational environment, business objectives evolve rapidly.

Which assets are most critical to your success over the next quarter and half? Why is that?

Where do you think your priorities will shift in the following quarter and half? What do you hope to accomplish and how will you build off these accomplishments?

Out of those accomplishments, what will need to be sustained and what will become less business critical or deprecated? Who can help in the risk management of these prioritized assets and understand their critical lifecycles?

Questions like these, asked of the right stakeholders, will promote agility and transparency. They will help you maintain relevance with the business and assist them in navigating this new normal.

These conversations should be had often. Coffee and lunch help facilitate access to stakeholders’ calendars to have these discussions.

Step 2

Identify and prioritize risks – assume that your legacy risk management, register and threat scenarios around these assets are obsolete. Let’s rework them.

You need to find stakeholders in the business to help you. Ask your stakeholders to insert you into critical meetings and working groups to listen and observe. This will help you understand the current environment these assets live within.

Remember, risk is the product of:

  • The value of an asset to someone in ownership of it
  • Vulnerability or uncertainty
  • A specific threat to that asset

What uncertainty are your stakeholders discussing? What gray areas are they seeking to clarify? This is the mechanism to build and communicate their prioritized risks around their prioritized assets and increase risk management.

In a hyper-dynamic, agile environment, we cannot reasonably guard against every vulnerability.

We cannot build a completely insulated environment around assets whose value to the organization’s bottom line will rise and recede in three to six months.

Prioritizing based on what the business is concerned with, demonstrating a bespoke approach and educating on the residual risk factors will resonate and align with their strategy while decreasing the cost and resourcing of mitigation efforts.

Step 3

Risk management – provide a menu of options and the logic of how they will mitigate the prioritized risks in a manner that complements the dynamic flow of business.

Document and implement the choices of your business stakeholders. Set expectations with the team on the temporal nature of these mitigations and the unique criteria of success.

Step 4

Monitor and analyze results – assign some data or intel analysts to understand your successes and failures.

What are your KPIs? How well are they capturing the performance of risk controls? What is working as projected and what is not? What are the root causes of the risk? What are the root causes of process deviation and scope creep?

What are the residual risks? Do they align with your projections? What have you learned? How can you bring this message back to your stakeholders?

What makes up your current value proposition? At what point does this asset’s value begin to fall beneath the cost of the risk management activities?

It’s time to give up on the mindset of building protection programs for perpetuity. Why? It isn’t profitable or valuable in a “change is always” economy.

We need to understand when an asset’s value or priority falls to a level where active risk management is no longer warranted. We need deprecation plans to offboard assets from active management activities.
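The four-step cycle above, the three-factor definition of risk from Step 2, the "menu of options" from Step 3 and the deprecation test from Step 4 can be carried through on a small risk register. The following Python sketch is an added illustration and is not code from the article, the author or Kroll; every asset, threat, vulnerability, likelihood, cost and value in it is constructed for the example, and the 0..1 scales for vulnerability and likelihood are an assumption made here so that risk comes out as an expected loss in the same units as asset value.

```python
"""Toy ESRM risk register: rank risks per asset (Step 2), price a mitigation
menu (Step 3), and flag assets for offboarding once their value falls below
the cost of managing them (Step 4). All data below is constructed."""
from __future__ import annotations
from dataclasses import dataclass, field


@dataclass
class Threat:
    name: str
    vulnerability: float   # 0..1 exposure of the asset to this threat (assumed scale)
    likelihood: float      # 0..1 chance the threat materialises this period (assumed scale)


@dataclass
class Mitigation:
    name: str
    threat: str                 # name of the threat the control addresses
    cost: float                 # cost for the period, same units as asset value
    vulnerability_after: float  # residual vulnerability once the control is in place


@dataclass
class Asset:
    name: str
    value: float          # value to its business owner this period (currency units)
    baseline_cost: float  # cost of simply keeping the asset under active management
    threats: list[Threat] = field(default_factory=list)


def risk_score(value: float, vulnerability: float, likelihood: float) -> float:
    """Risk as the product of the three factors the article lists."""
    return value * vulnerability * likelihood


def prioritized_risks(assets: list[Asset]) -> list[tuple[str, str, float]]:
    """Step 2: every (asset, threat) pair ranked by risk, highest first."""
    rows = [
        (a.name, t.name, round(risk_score(a.value, t.vulnerability, t.likelihood), 2))
        for a in assets
        for t in a.threats
    ]
    return sorted(rows, key=lambda r: r[2], reverse=True)


def mitigation_menu(asset: Asset, options: list[Mitigation]) -> list[tuple[str, float, float, bool]]:
    """Step 3: for each option, the expected-loss reduction it buys, its cost,
    and whether the reduction exceeds the cost (the logic a stakeholder chooses on)."""
    by_name = {t.name: t for t in asset.threats}
    menu = []
    for m in options:
        t = by_name[m.threat]
        before = risk_score(asset.value, t.vulnerability, t.likelihood)
        after = risk_score(asset.value, m.vulnerability_after, t.likelihood)
        reduction = round(before - after, 2)
        menu.append((m.name, reduction, m.cost, reduction > m.cost))
    return menu


def deprecation_candidates(assets: list[Asset]) -> list[str]:
    """Step 4: assets whose value no longer covers the cost of active management."""
    return [a.name for a in assets if a.value < a.baseline_cost]


# Constructed register: names, values and scores are illustrative only.
REGISTER = [
    Asset("Customer data platform", value=500_000, baseline_cost=40_000, threats=[
        Threat("Credential theft", vulnerability=0.6, likelihood=0.3),
        Threat("Insider misuse", vulnerability=0.4, likelihood=0.1),
    ]),
    Asset("Executive travel program", value=150_000, baseline_cost=30_000, threats=[
        Threat("Deepfake ransom call", vulnerability=0.7, likelihood=0.05),
    ]),
    Asset("Legacy demo lab", value=20_000, baseline_cost=35_000, threats=[
        Threat("Tailgating", vulnerability=0.5, likelihood=0.2),
    ]),
]

# Constructed menu for the top-priority asset.
OPTIONS = [
    Mitigation("Phishing-resistant MFA", "Credential theft", cost=15_000, vulnerability_after=0.15),
    Mitigation("Full DLP rollout", "Insider misuse", cost=30_000, vulnerability_after=0.2),
]

if __name__ == "__main__":
    for row in prioritized_risks(REGISTER):
        print("risk   ", row)
    for row in mitigation_menu(REGISTER[0], OPTIONS):
        print("option ", row)
    print("offboard", deprecation_candidates(REGISTER))
```

Re-running the three functions each quarter with refreshed values and costs is the "begin the cycle again" step: an asset that topped the list last period can drop into the deprecation list once its value to the owner recedes, which is the signal to move it to an offboarding plan rather than keep funding its controls.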

Using ESRM as a framework to study organizations and build value propositions and programs that are meaningful in their universe has been my competitive advantage for almost ten years.

It has been the key to my success while crafting strategies for executives and security departments across industries and regions of the world.

Properly understood, ESRM could be your competitive advantage as well.

To read more of Tim’s thoughts and advice on security, find his Crossroads in leadership series here. 

About the author

Tim Wenzel

Tim Wenzel, Associate Managing Director of Enterprise Security Risk Management at Kroll and the Creator of The Kindness Games, is a global security executive, public speaker and thought leader in the security, leadership and wellness industries.

Tim has a passion for helping to transform the existing paradigms of leadership and risk management while building highly effective teams and joyful environments for them to thrive within.

In 2022, Tim was named a Global Influencer & Thought Leader in the Security Industry by IFSEC International and is leadership columnist with the Security Journal Americas magazine.

He is a sought-after SME in ESRM and helped lead the effort to codify it as the official risk doctrine within ASIS International as the Outreach & Education Lead on the 2017 ESRM Steering Committee.

This article was originally published in the October edition of Security Journal Americas.
