ENTERPRISE SECURITY RISK MANAGEMENT SECURITY AND THE ISO31000 STANDARD? Julian Talbot Jakeman Business Solutions Pty Ltd ISO Conference May 2012 G31000 the Global Risk Management Platform
Once upon a time… Pre-4360 AS/NZS Integrated RM 4360 (1995) F ear U ncertainty D oubt 31000
ISO31000 Principles Framework Process Communication and Consultation Communication and Consultation Monitoring and Review Monitoring and Review Risk Assessment Establish the Context Risk Identification Risk Analysis Risk Evaluation Risk Treatment
Why ISO31000 works for Security?
‘Apples for apples ’ comparison: – taxonomy (eg: likelihood and consequence) – risk assessments by different assessors – Longitudinally – between divisions or other organisations – against environmental, safety, financial risks Better decisions and allocation of resources Permission to add value Ability to integrate methodologies
Enterprises… $30 billion budget 120,000 people 8,000 facilities 41 Risk Criteria 15 Divisions Talbot (ASIS 2009)8
Australian Trade Commission (Austrade) Assists Australian businesses to export 1,400 staff in 60 countries 120 offices including 22 Consular posts $400 million annual budget
Understanding the risks Official sources including – Department of Foreign Affairs & Trade (DFAT) – National Threat Assessment Centre (NTAC) Open source and commercial providers Internal capability – Austrade posts and officers – Austrade Security Team Security Risk Assessments Incident reporting
Terrorism Source: Nationmaster.com
Assault Source: Nationmaster.com
Fraud Source: Nationmaster.com
Enterprise Security Risk Assessment (ESRA) Defensible, systematic and robust basis for decision making and planning Provide senior management with an assessment of current and emerging risks Inform the development and application of ongoing budgets and security measures
Enterprise Security Risk Assessment (ESRA) Whole of organisation/enterprise Inform budget and systems planning Known & emerging threats to the ‘business’ – Not location, activity or function specific ‘Enterprise Security Standards’ – Based on location, activities and functions
Enterprise Security Standards
Results… Austrade: – 5 year $60 million security plan – Robust, well documented analysis – Business case - AUD$18.4 billion exports with Austrade assistance (vs $12M p.a. on security) Defence – 5 year $300 million security plan – Included - $120 million existing treatments Finance – 3 year $2 million security plan – Proportional - to the agency
Last points… 1.All SR Managers 2.Something free? 3.Business card? 4.Been robbed? 5.Been a robber? 6.Illegal drugs? 7.Been to Africa? 8.Papua New Guinea? 9.Motorcycle license?
Last points… 1.All SR Managers 2.Be prepared 3.Time critical 4.Emotional decisions 5.Red teaming 6.15% of the economy 7.It’s personal! 8.Big risk taker! 9.HUGE risk taker!
THANK YOU Contact me at: Download this presentation from: