by Juan Oliva Pulido
Enterprise security risk management (ESRM) has become a necessary innovative security approach for twenty-first century organizations to manage security risks. This innovative approach of holistically managing organizational security risk is not the first of its kind but is a first for the physical security industry. First-time innovative endeavors have skeptics, and the diffusion of innovations theory applies, with many people in the physical security industry landing in the laggard adopter category. Therefore, leaders must adopt specific innovative leadership traits and competencies to champion and successfully implement ESRM. Innovative leadership is not a formalized theory, but a conceptual framework of identified traits and competencies at the intersection of adaptive and transformational leadership theories. This article will emphasize the importance for leaders facing this innovative endeavor of adopting innovative leadership traits and competencies to move ESRM implementation forward. As innovative leadership is not a formalized theory, many opportunities exist to continue studying leaders who demonstrate these traits and competencies while leading innovative efforts, providing more empirical evidence that may lead to developing a theory.
How Innovative Leadership will move ESRM Implementation forward
Cyber and physical security threats have evolved in complexity and frequency world-wide, influencing organizations to search for a risk management framework that will cross-functionally align to governance, risk, and compliance areas for a holistic security risk management approach. According to Petruzzi and Loyear (2016), “As a philosophy and life cycle, enterprise security risk management is focused on creating a business partnership between security practitioners and business leaders to more effectively provide protection against security risks in line with acceptable risk tolerances as defined by business asset owners and stakeholders” (p. 44). An ESRM program requires organizational alignment, a centralized risk management framework, strategic management of resources, and many other elements to sufficiently align business functions to begin mitigating risks at every level of the organization’s operations.
The implementation of an ESRM program requires a resourceful and innovative leader who understands the value of holistically managing risks from one program across various business functions under the umbrella of security. The leader must demonstrate subject matter expertise in the areas of ESRM and have the characteristics of an innovative leader to progressively advocate and implement this comprehensive program framework and approach. There are many organizational barriers that can prevent leaders from implementing an ESRM program. This article will demonstrate the alignment between innovative leadership traits and competencies and the comprehensive ESRM program framework and approach. ESRM has diverse applicability, but this article is referring to ESRM that primarily focuses on improving the organization’s risk resilience through governance and operational risk management of the cyber security, business continuity, and physical security functions to include asset management.
Enterprise Security Risk Management
“ESRM is the application of fundamental risk principles to manage all security risks” state Allen and Loyear (2018), “whether related to information, cyber, physical security, asset management, or business continuity, holistic, all-encompassing approach” (p. 2). ESRM has diverse applicability in many types of organizations, such as not-for-profits, private companies, and public and government agencies. The purpose of an ESRM program is to identify, evaluate, and mitigate the impact of security-related risks to the organization, with risk ranking to prioritize findings and remediation tasks that enable the organization to reduce risks enterprise-wide. The organization must first centralize and standardize the security function through the implementation of a governance structure with programs, policies, standards, procedures, and processes aligned to regulations or laws and common industry best practices (Ai, Brockett, & Wang, 2017). This governance structure initiative is a major cornerstone of the ESRM implementation efforts because it forms the guiding infrastructure to support ongoing risk management activities.
ESRM is most successful when integrated into a software-based platform; however, most organizations may not have a centralized and standardized governance structure and sufficient cross-functional collaboration to move forward. Typically, a holistic system-wide approach compares to systems thinking that emphasizes social systems that exist within the organization (Lee & Green, 2015). The social or cultural aspect of the organization contributes to some of the greatest challenges in implementing an ESRM program and establishes the business case for leaders to adopt innovative leadership traits and competencies to navigate these challenges. There are many obstacles in implementing an ESRM program (Ogutu, Bennett, & Olawoyin, 2018); innovative leadership is central to mitigating the following factors:
- Siloed environments: This refers to an environment when actions or tasks are undertaken by individuals or single departments without seeking support or guidance from other individuals or departments.
- Lack of standardized frameworks: Organizations are in compliance with many frameworks directly connected to governance, risk, or compliance business functions; therefore, a lack of standardization or of an integrated control framework disrupts risk mitigation efforts.
- Cultural struggles: There are many cultural struggles within organizations, but this article focuses on the culture that embraces change and technology in physical security.
- Ineffective controls and monitoring: Security controls may range from physical security controls in the form of cameras or card readers on doors to logical cyber security controls in the form of a firewall or encryption protection for information or access.
- Addressing risk at a process level: Identification and categorization of processes within business functions that may have risk, therefore developing security controls to mitigate potential risks at the process level.
- Poor communication between offices: Communication is essential between interconnected business functions, because managing security risks requires an organizational effort, not segmented, uncoordinated efforts.
- Inefficiencies due to politics: Political boundaries or power politics reduce efficiency when influential individuals use their influence to introduce obstacles and deter innovative efforts.
- Executive team’s buy-in: Senior leaders of organizations, commonly called executives, are stewards of administrative approval for projects and resources; thus, leaders must gain their acceptance and approval of ESRM.
ESRM Literature and Organizational Value
There have been limited studies conducted on the value of ESRM, and the articles that exist provide inconsistent information on the organizational value that ESRM can create. “Enterprise risk management has become an indispensable aspect of business operations that provide organizations a long run competitive advantage” (Kommunuri et al., 2016, p. 17).
Previous studies have found inconclusive results in determining whether ESRM has value-creating ability because of the lack of alignment on ESRM principles and measurable success (Lundqvist, 2014). The contradictions between studies come down to how the studies measured value and whether having an ESRM program contributed to improving the organization’s ability to manage security risks. “The rating is a sophisticated and comprehensive index that assesses the risk management culture, systems, processes, and practice” (McShane, Nair, & Rustambekov, 2011). Overall, the studies utilized in the development of this article concluded that an ESRM program is valuable if the approach is systematic and measurable within the organization’s culture, systems, processes, and practice. Ogutu, Bennett, and Olawoyin (2018) highlighted the best-in-class practices involving leadership and management that supported the implementation of an ESRM framework and approach:
- Empowering process owners at all levels to identify, assess, and deal with risk: Encouraging the identification of risk is challenging; once risks are identified, organizations must implement controls to mitigate them.
- Focused attention on cross-functional communication: ESRM is grounded in cross-functional collaboration; therefore, strategic communication between business functions is necessary to holistically manage various security risks.
- Structured peer reviews: Support collaboration efforts and provide the opportunity for everyone to provide input on the project and increase the acceptance and success of the implementation of ESRM.
- Leadership audits and accountability: Continuous input and review by executive leadership is needed to keep this large-scale project on track.
- Executive team receiving quality metrics and reporting: Executive leaders need realistic metrics displaying the progression and success of the ESRM program to include how the culture is adapting to the changes within the business functions.
- Increased focus on transparency: Transparency is necessary when implementing a cross-functional program that will affect many stakeholders. Preparing them for the change is critical and keeping them informed of upcoming milestones will create a supportive environment.
- Embracing technology: Organizations may struggle with embracing technology; therefore, it is imperative to establish change management initiatives to support the affected stakeholders.
Intersection of Adaptive Leadership and Transformational Leadership
The brief ESRM literature review outlined the obstacles and the best practices to overcome the challenges when implementing an integrated cross-functional program. Navigating obstacles and leveraging best practices require a unique style of leadership. Innovative leadership may have components from adaptive and transformational leadership, as the primary focus of innovative leadership is to guide through the adaptation and transformation process. According to Khan (2012), “Adaptive leaders do not just make changes, they carefully recognize potential changes in the external environment and consider the best path that will positively affect the organization” (p. 179). Adaptive leadership focuses on followership and understanding how to support changes in behavior to respond to organizational changes. Transformational leadership focuses primarily on transforming the subordinates or followership group but does not focus on transforming the organization (Rune, Hughes, and Ford, 2016). Therefore, innovative leadership is at the intersection of adaptive and transformational leadership, with a focus on both the subordinate and the organization.
Defining Innovative Leadership
Innovative leadership is not a formalized theory, and only limited studies with small sample sizes have been conducted to identify key traits and competencies. This article utilizes two studies involving the testing and interviewing of industry leaders who are leading innovation and have demonstrated competence in innovation. The studies identified key traits and competencies that establish a baseline for the definition and support the position that innovative leadership can move ESRM forward. Zenger and Folkman, a leadership consulting firm, conducted the first study; they selected 33 individuals from a telecommunications company who tested above the 99th percentile on innovation. These 33 individuals were evaluated based on comprehensive 360-degree feedback surveys from peers and leadership; the results were 10 traits these individuals shared. XBInsight conducted the second study, involving over 5,000 leaders from various industries with a focus on innovative competencies; the survey resulted in the identification of 5 competencies shared by the 5,000 leaders surveyed. These studies identified traits and competencies that directly correlate with the unique leadership style necessary for ESRM implementation.
Innovative Leadership Traits
Zenger and Folkman (2014) highlighted the key innovative leadership traits from combined interviews from 360-degree feedback: display excellent strategic vision, have a strong customer focus, create a climate of reciprocal trust, display fearless loyalty to doing what’s right for the organization and customer, put their faith in a culture that magnifies upward communication, are persuasive, excel at setting stretch goals, emphasize speed, are candid in their communication, and inspire and motivate through action. These traits embody what innovative leaders can execute with their followership and organization. These dynamic traits provide insight into the various traits the leader must possess; the second study adds five specific competencies that collectively start defining innovative leadership.
Innovative Leadership Competencies
XBInsight identified the following competencies from the 5,000 leaders surveyed: manage risks, demonstrate curiosity, lead courageously, seize opportunities, and maintain a strategic business perspective. These competencies continue to build upon the established dynamic; the key competency that stands out is demonstrating curiosity. Demonstrating curiosity is a significant competency to evaluate, as the ESRM efforts will require experimentation in the integration of a comprehensive approach. Curiosity will support cross-functional collaboration across various business functions, as integration may have a different approach within each of the business functions.
Examples of Innovative Leaders
“Leaders make the difference” (Mercer & Meyers, 2013, p. 2). We will further explore what type of leaders possess the identified innovative leadership traits and competencies. The innovative leaders or executive leaders that can champion this level of enterprise effort include a Chief Security Officer, Chief Information Security Officer, Chief Technology Officer, Chief Information Officer, Chief Risk Officer, and other senior leadership level executives. These innovative leaders may have the best strategic vision that integrates the organization’s business objectives with the ESRM compliance goals to reduce or mitigate risks enterprise-wide. The behavioral traits identified above demonstrate the key characteristics an innovative leader must practice, including the most important trait of displaying excellent strategic vision of risk management. The organization’s culture presents the most difficult barrier; therefore, the innovative leader must demonstrate persuasiveness to clearly communicate the key benefits of ESRM to internal and external stakeholders and obtain formal acceptance of the endeavor.
Innovative Leadership moving ESRM Forward
This article has now established a working definition of innovative leadership and will explore the alignment with ESRM principles. Innovative leadership is an essential element of integrating an ESRM framework and approach within an organization. Allen & Loyear (2018) identify the various qualities needed by a Chief Security Officer, or by the innovative leader who champions the implementation of ESRM. Alignment was found through these two studies in various areas, with the most significant alignments in the following three: strategic business perspective, risk management, and persuasive communication. Innovative leadership can move ESRM forward with identified leaders who possess many of these traits and competencies. This article provided a basic introduction to innovative leadership, drawing on the available literature together with existing literature on ESRM, to begin drawing attention to both evolving fields in the twenty-first century.
It is important to acknowledge that ESRM as a security risk methodology and approach is a recent innovation in the physical security industry. Equally, innovative leadership has not become a formalized theory, which limits the available literature to validate innovative leadership traits and competencies. This study provides introductory information on ESRM and innovative leadership, as these topics lack the empirical research and available literature for a thorough research study. An in-depth analysis to further refine the traits to a top five, like the competencies, can support organizations in identifying these potential innovative leaders. In 2019, the professional security association of The American Society for Industrial Security International (ASIS International) will release a software-based tool for ESRM. Research opportunities may exist once this tool has become established in the physical security industry and the leadership competencies needed to implement this solution have been normalized.
This article provided key insights from studies conducted on innovative leadership and ESRM, specifically within the lens of cyber, physical security, business continuity, and asset management. The article identified that innovative leadership theory is in an infancy stage and ESRM studies are still limited. Innovative leadership has a key role in the implementation of ESRM, as the executive leader tasked with implementing this solution must have the required traits and competencies described in this article to accomplish the goal of effective implementation through the many challenges. This initial study provides many opportunities, one being potential certified leadership training for individuals seeking to implement ESRM programs. ESRM is the future of holistically managing risk enterprise-wide, and innovative leadership is the key for moving this endeavor forward.
References
Allen, B.J., & Loyear, R.L. (2018). Enterprise Security Risk Management: Concepts and Applications (2nd ed.). Brookfield, CT: Rothstein Publishing.
Ai, J., Brockett, P.L., & Wang, T. (2017). Optimal Enterprise Risk Management and Decision Making with Shared and Dependent Risk. Journal of Risk & Insurance, 84(4), 1127-1169.
Graham-Leviss, K. (2016). The 5 Competencies that Innovative Leaders Have in Common. Retrieved from https://hbr.org/2016/12/the-5-competencies-that-innovative-leaders-have-in-common
Zenger, K., & Folkman, J. (2014). Research: 10 Traits of Innovative Leaders. Retrieved from https://hbr.org/2014/12/research-10-traits-of-innovative-leaders
Khan, N. (2017). Adaptive or Transactional Leadership in Current Higher Education: A Brief Comparison. International Review of Research in Open and Distributed Learning, 18(3), 178-183.
Kommunuri, J., Narayan, A., Wheaton, M., Jandug, L., & Gonguntla, S. (2016). Firm Performance and Value Effects of Enterprise Risk Management. New Zealand Journal of Applied Business Research, 14(1), 17-28.
- J., A., & V. R., U. (2017). The Determinants of Firm Value of ESRM Perspective: A Conceptual Model. Journal of Management Research, 17(4), 194-203.
Lee, L.S., & Green, E. (2015). Systems Thinking and its Implication in Enterprise Risk Management. Journal of Information Systems, 29(2), 195-210.
Lundqvist, S.A. (2014). An Exploratory Study of Enterprise Risk Management: Pillar of ERM. Journal of Accounting, Auditing & Finance, 29(3), 393-429.
McShane, M. K., Nair, A., & Rustambekov, E. (2011). Does Enterprise Risk Management Increase Firm Value? Journal of Accounting, Auditing, & Finance, 26(4), 641-658.
Mercer, D. K., & Meyers, S. (2013). Theory into Practice: A Cry from the Field of Innovative Leadership Development. Educational Considerations, 41(1), 2-5.
Ogutu, J., Bennett, M.R., & Olawoyin, R. (2018). Closing the Gap: Between Traditional & Enterprise Risk Management Systems. Professional Safety, 63(4), 42-47.
Petruzzi, J., & Loyear, R. (2016). Improving organizational resilience through enterprise security risk management. Journal of Business Continuity & Emergency Planning, 10(1), 44-56.
Rune, T., Hughes, M., & Ford, F. (2016). Change Leadership: Oxymoron and Myths. Journal of Change Management, 16(1), 8-17.