Image by iStock; Security Management Illustration

How to Implement ESRM

By Art Fiero, CPP

1 August 2018

Print Issue: August 2018

International Paper (IP) is one of the world's leading producers of fiber-based packaging, pulp, and paper. Headquartered in Memphis, Tennessee, IP employs approximately 52,000 people worldwide and has operations in more than 24 countries serving customers around the globe.

The Challenge

When IP's director of security announced his retirement, the IP team—Deon Vaughan, vice president, deputy general counsel, chief ethics and compliance officer; Casey Yanero, HR manager, corporate staff groups; and Jennifer Carsley, director, legal operations—recognized it was time to transform corporate security to an enterprise level function.

The ever-changing threat landscape and IP's core values of "Safety, Ethics and Stewardship" underscored the need for IP to transition to a proactive security posture. To lead this transition, IP hired Art Fierro, CPP, in February 2017 to fill the newly created chief security officer (CSO) role.

ESRM Solution

Enterprise security risk management (ESRM) links security activities to an enterprise's mission and business goals through risk management methods.

The CSO's role in ESRM is to manage risks to enterprise people and assets in partnership with the business leaders. ESRM involves collaborating with business leaders on the realistic impacts of identified risks, presenting potential strategies to mitigate those impacts, and then implementing the strategy in line with accepted levels of business risk tolerance.

Fierro's background is rooted in ESRM in both the government (FBI) and the corporate space. To move IP from a traditional security organization to an ESRM enterprise model, Fierro conducted an extensive security analysis to identify where the organization excelled and where the data showed opportunities for improvement.

The analysis included conversations across business groups and corporate partners. It served as the foundation for IP's ESRM strategy and helped create its vision statement: "To protect IP people, information, products, and the corporate brand in support of business objectives and enterprise success."

IP's new enterprise security strategy is grounded in the principles of security mitigation steps based on risk and using cost-benefit analysis to ensure a return on security investment. The strategy also aligned with IP business operations and is designed to help achieve business objectives—meaning security would not just be a cost center but also a business enabler.

Partnerships

Sharon Ryan, senior vice president, general counsel, and corporate secretary, embraced ESRM as IP's new enterprise security strategy, because the strategy was aligned with IP's core values and business strategy.

"We recognize that by adopting the latest risk management strategies in enterprise security and bringing on experienced security professionals, not only are we helping protect our people and property, we are also reducing the risk of negative exposure related to our brand and reputation," she says.

Ryan supported the strategy by rebranding IP Corporate Security to Enterprise Security Management and creating three new positions reporting to Fierro and designed to address IP's enterprise risks: global threat manager, global physical security manager, and global investigations manager. The three functional roles cover the spectrum of enterprise risk and each has a deployment roadmap, which ties into the larger Enterprise Security Management global strategy.

Vaughan also supported the effort by endorsing a campaign for Enterprise Security Management to build partnerships across business lines, such as IP's Environmental Health and Safety (EHS) department, and to partner on initiatives to protect IP's employees—one of Enterprise Security Management's strategic objectives.

Outcomes

With the endorsement of ESRM at the leadership level, Fierro was able to work with partners to create a risk-based security program to focus security resources on identified risks. The program also provides the operating manual for vulnerability and risk assessments, so IP can make informed business decisions about its risk tolerance.

Enterprise Security Management created a new concept, a virtual operations center, which produces a global threat picture that helps it identify and address emerging global threats to IP employees and facilities. The virtual operations center is outsourced to leverage economies of scale, leading edge technology, and professional threat analysts and operators, while providing an excellent return on security spend.

Over the past year, Enterprise Security Management focused on a number of strategic initiatives. One is the geospatial traveler-tracking program for IP's traveling employees.

The program provides real-time mobile device GPS monitoring, on a voluntary basis, with a panic button for emergencies. The program is monitored at all times by the virtual operations center.

Another initiative is the corporate campus security capital improvement project. Enterprise Security Management is leading a security improvement project for IP's corporate headquarters based on ASIS International physical security standards and guidelines, as well as geographic risk demographics and the return on security spend.

Enterprise Security Management also launched its first national security guard force contract to consolidate and standardize guard force operations across certain U.S.-based facilities. The consolidated operations agreement helps ensure consistency and reduce cost.

Enterprise Security Management is also working with EHS to add a security aspect to the current field assessment process to identify actual risk at IP's global locations. Assessment results will be used to develop security recommendations, including leveraging security technology.

Additionally, Enterprise Security Management created a new active shooter response training program for employees. The training included Virginia Tech shooting survivor Kristina Anderson, who shared a survivor's perspective, as well as the Memphis Police Department, which provided training for employees on Run. Hide. Fight. The active shooter plan is also available on IP's internal website for employees to reference.

Working across business groups and with critical internal partners, Enterprise Security Management developed new crisis communications reporting, dissemination, and functional requirements that include mass communications features for a unified enterprise response to manmade or natural disasters.

Art Fierro, CPP, is CSO at International Paper. He formerly served as CEO of Ronin Option - Cyber; executive vice president at Resilient Integrated Systems; and vice president at 20th Century Fox Film Corporation. He is a member of ASIS International.