Enterprise Risk Management

Book Review - Resolving Conflicts
https://sm.asisonline.org/Pages/Book-Review---Resolving-Conflicts.aspx
2018-01-01T05:00:00Z
Category: Strategic Security
<p>Routledge; routledge.com; 160 pages; $44.95.</p><p>The need for resolving conflicts is an issue that touches all aspects of modern society. When conflicts remain unresolved, anger and violence can ensue. International conflict can impact public policy, political rationale, and actions, and directly impact the citizenry.</p><p>In the book, <em>Resolving Structural Conflicts: How Violent Systems Can Be Transformed</em>, Richard Rubenstein offers an intellectual and academic approach to understanding the rationale for large conflicts. Rubenstein presents various aspects of the creation and potential resolution of conflict. The book includes detailed theoretical, historical, and political views pertaining to various aspects of conflict. These concepts include the potential causes of conflict based upon societal, religious, and geopolitical factors, the rationale for seeking resolution in a politically complicated environment, and the rationale for seeking resolution within complicated and turbulent settings. The content of the book is insightful yet broad enough to apply to various conceptual situations of cultural or political discord.</p><p>Although the book is well researched, supported, and composed, it will not assist industry professionals looking to deter acts of violence in the workplace. It does not offer methods or policies that can be easily applied to the business or corporate working environment. Better suited to those seeking a theoretical understanding of conflict, it would be useful for those working in governmental policy development or as a textbook in global politics and administration.</p><p><em><strong>Reviewer: Dr. Joseph Jaksa, CPP</strong>, is a professor of criminal justice at Michigan's Saginaw Valley State University. He is a member of ASIS International and the Saginaw Valley Chapter of ASIS.</em></p>

Enterprise Risk Management

Book Review: Resolving Conflicts | 2018-01-01T05:00:00Z | https://sm.asisonline.org/Pages/Book-Review---Resolving-Conflicts.aspx
A New Social World | 2017-12-01T05:00:00Z | https://sm.asisonline.org/Pages/A-New-Social-World.aspx
Fake News. Real Threats | 2017-11-01T04:00:00Z | https://sm.asisonline.org/Pages/Fake-News-Real-Threats.aspx
November 2017 SM Online | 2017-11-01T04:00:00Z | https://sm.asisonline.org/Pages/November-2017-SM-Online.aspx
October 2017 SM Online | 2017-10-01T04:00:00Z | https://sm.asisonline.org/Pages/October-2017-SM-Online.aspx
Klososky Opines on the Future of Technology | 2017-09-27T04:00:00Z | https://sm.asisonline.org/Pages/Klososky-Opines-on-the-Future-of-Technology.aspx
Members Discuss Concerns in Town Hall | 2017-09-26T04:00:00Z | https://sm.asisonline.org/Pages/Members-Discuss-Concerns-in-Town-Hall.aspx
Security Cares Aids the Dallas Community | 2017-09-25T04:00:00Z | https://sm.asisonline.org/Pages/Security-Cares-Aids-the-Dallas-Community.aspx
Less is More: A KISS Approach to ESRM | 2017-09-12T04:00:00Z | https://sm.asisonline.org/Pages/Less-is-More.-A-KISS-Approach-to-ESRM.aspx
Five Insights on ESRM | 2017-09-01T04:00:00Z | https://sm.asisonline.org/Pages/Five-Insights-on-ESRM.aspx
Book Review: Soft Targets | 2017-09-01T04:00:00Z | https://sm.asisonline.org/Pages/Book-Review---Soft-Targets.aspx
Calm in the Crucible | 2017-09-01T04:00:00Z | https://sm.asisonline.org/Pages/Calm-in-the-Crucible.aspx
A Professional Path | 2017-09-01T04:00:00Z | https://sm.asisonline.org/Pages/A-Professional-Path.aspx
ESRM: A Shift in Global Risk | 2017-08-01T04:00:00Z | https://sm.asisonline.org/Pages/A-Shift-in-Global-Risk.aspx
Action Needed To Better Manage Physical Security Risks To The National Mall | 2017-07-28T04:00:00Z | https://sm.asisonline.org/Pages/Action-Needed-To-Better-Manage-Physical-Security-Risks-To-The-National-Mall.aspx
Report: Most InfoSec Professionals Think Their Companies’ Security Solutions Are Outdated | 2017-07-14T04:00:00Z | https://sm.asisonline.org/Pages/Report--Most-InfoSec-Professionals-Think-Their-Companies’-Security-Solutions-Are-Outdated.aspx
NIST Releases Digital Identity Guidelines | 2017-06-23T04:00:00Z | https://sm.asisonline.org/Pages/NIST-Releases-Digital-Identity-Guidelines.aspx
Book Review: Info Risk | 2017-05-01T04:00:00Z | https://sm.asisonline.org/Pages/Book-Review---Info-Risk.aspx
The Roots of Risk | 2017-05-01T04:00:00Z | https://sm.asisonline.org/Pages/The-Roots-of-Risk.aspx
Facebook Takes Action To Limit Spread of Propaganda | 2017-04-28T04:00:00Z | https://sm.asisonline.org/Pages/Facebook-Takes-Action-To-Limit-Spread-of-Propaganda.aspx

You May Also Like...

Protecting Executives at Home
https://sm.asisonline.org/Pages/Protecting-Executives-at-Home.aspx
<p dir="ltr" style="text-align:left;">Maybe it's temporary copycatting, or it could be a new trend, but more and more executives and other high-profile figures are experiencing protest attacks at home.</p><p dir="ltr" style="text-align:left;">In just the first five months of 2017, protesters have gathered outside the homes—not offices—of the following U.S. executives, political leaders, and other prominent persons:</p><ul dir="ltr" style="text-align:left;"><li>Wells Fargo CEO Tim Sloan</li><li>Facebook CEO Mark Zuckerberg</li><li>U.S. Bank CEO Richard Davis</li><li>Robert Mercer, co-CEO of hedge fund Renaissance Technologies</li><li>Ivanka Trump</li><li>U.S. Senator Mitch McConnell</li><li>U.S. Representative Maxine Waters</li><li>U.S. Federal Communications Commission Chairman Ajit Pai</li></ul><p dir="ltr" style="text-align:left;"><br></p><p dir="ltr" style="text-align:left;">Protests at executives' homes are wildly unpredictable in their timing and other characteristics. Throngs ranging from a dozen to hundreds of protesters may appear overnight after a news report or a social media posting. This can happen despite the real possibility that the account that led to the protest is inaccurate, exaggerated, or even completely false.</p><p dir="ltr" style="text-align:left;">Regardless, spontaneous mobs or paid protesters may show up at an executive's house to express their displeasure, disturb the neighbors, block access to the home, and frighten the home's occupants by bombarding them with chants, signs, and angry marchers.</p><p dir="ltr" style="text-align:left;">One client of ours was targeted at home by protesters opposed to his company's marketing, which appealed to children. The protesters' presence and aggressive tactics caused the executive's special-needs son to panic and attempt to escape the home from a second-story window. 
Protests at homes are not always innocent. They are sometimes belligerent and can lead to bad outcomes for the family or the protesters. </p><p dir="ltr" style="text-align:left;">What can a security department or its executive protection division do to minimize the potential harm to executives (a duty they owe to those important, exposed employees) and even to protesters (whose injury could lead to bad press for the company)? </p><p dir="ltr" style="text-align:left;">The answer is anticipation and preventive measures. As for anticipation, one of our clients, a large multinational corporation, takes special efforts to track mentions of the company and its executives—not only in news sources but also in social media. The company's intelligence team also joins the distribution lists of adversarial organizations and, when possible, uses geofencing to monitor social media activity that mentions executives' homes or originates near them. Staff members also conduct research on the specific individuals who make potentially threatening comments online to gauge their possible dangerousness. </p><p dir="ltr" style="text-align:left;">In addition, it makes sense to delist the executive's home phone number to minimize the risk of abusive calls and to make it harder to find the executive's address. Delisting is difficult and not reliably permanent, but it is worth a try. A dedicated adversary may still be able to find the phone number and address, but there is no reason to make the task easy, especially for less-organized, spur-of-the-moment, or unbalanced persons. </p><p dir="ltr" style="text-align:left;">This anticipatory work, along with planning, makes it possible to implement special measures quickly when risk spikes. 
The following are some of the measures security personnel can put in place when they detect a plausible risk of protests at an executive's home:</p><ul dir="ltr" style="text-align:left;"><li>Provide security driving services to the executives and possibly to members of their families. Protesters may swarm or attack personal vehicles, and a security-trained driver would be better equipped to avoid or otherwise handle such incidents.</li><li>Contract for a law enforcement presence outside the executive's home. If the protesters remain on public property and are not violating the law, police may not do anything to protect the executive. However, a police officer in a marked or unmarked patrol car parked in front of the house may help keep the situation from escalating.</li><li>Set up temporary exterior video cameras, viewing 360 degrees outward from the home, to monitor and document protester behavior, especially any trespassing or throwing of projectiles.</li><li>Make sure the home has bright floodlights shining outward at night so protesters cannot easily trespass undetected.</li><li>Remind the family to turn on its security alarm system.</li><li>Consider having the family live elsewhere for a few days.</li></ul><p dir="ltr" style="text-align:left;"><br></p><p dir="ltr" style="text-align:left;">Protests at executives' homes are disturbing and potentially dangerous. They cannot be prevented, but with careful research and planning, they can be managed.</p><p dir="ltr" style="text-align:left;"><em>Robert L. Oatman, CPP, is president of R. L. Oatman & Associates, Inc.</em></p>
Category: Security by Industry
Put Training to the Test
https://sm.asisonline.org/Pages/Put-Training-to-the-Test.aspx
<p>The classroom door flies open. An emotionally distraught student rushes into the doorway, produces a semiautomatic pistol, presses the muzzle of the gun to his temple with his finger on the trigger, and proclaims, "I can't take it anymore."</p><p>How will the teacher respond to this stressful, high-stakes situation? Will she intervene with verbal tactics or physical ones? Will she inadvertently put other students in danger by reacting too quickly?</p><p>An analysis by school security firm Safe Havens International found that teachers and administrators who had undergone traditional active shooter training were more likely to react to this situation by opting to attack the student or throw things at him, rather than taking the action steps outlined in the school's policies and procedures, such as calling 911 or instigating a lockdown. In other scenarios, trainees reacted in a similar manner that could intensify and aggravate the situation when time allowed for safer policies and procedures to be applied.</p><p>In the wake of high-profile massacres at schools and college campuses, institutions are preparing themselves for emergency situations with scenario-based training programs.</p><p>The percentage of U.S. public schools that have drilled for an active shooter scenario rose from 47 to 70 percent from 2004 to 2014, according to a study by the National Center for Education Statistics. But the intensive search for solutions to these deadly events can lead to hasty planning and decision making, ultimately resulting in an ineffective response.</p><p>The number of teachers and administrators who opt to attack or otherwise approach the armed perpetrator indicates that current active shooter programs may be overwhelming for participants, causing them to respond to threatening scenarios in a dangerous way. 
Schools have also become narrowly focused on active shooter scenarios, when most deaths and accidents on campuses do not involve an active shooter.</p><p>Taking these factors into consideration, an all-hazards approach to scenario-based training allows schools to prepare for a range of incidents, including bullying, sexual harassment, and natural disasters. Fidelity testing then allows administrators and teachers to put those plans to the test and see how participants apply the training under stressful scenarios.</p><p>School leaders can then learn to rely on the solid foundational principles of policies and procedures, as well as communications and emergency plans, to defuse potentially hazardous situations. Using these basic elements of active threat response and evaluating training programs to identify gaps could save lives.</p><h4>Evaluations</h4><p>During the stress of an actual crisis, people often react differently than they have been trained to do. Fidelity testing of a training program can help determine if there are gaps between what the trainer thinks the trainees will do, and what actions trainees will take in real life. This was the aim of evaluations completed by campus security nonprofit Safe Havens International of Macon, Georgia.</p><p><strong>Methodology.</strong> Analysts conducted the evaluations at more than 1,000 K-12 public, faith-based, independent, and charter schools in 38 states. More than 7,000 one-on-one crisis scenario simulations were conducted by Safe Havens International in a series of school safety, security, and emergency preparedness assessments over the last five years. The participants were observed and scored by analysts who had completed a 16-hour formal training program and one day of field work.</p><p>Prior to running the scenarios, analysts came up with several action steps that should be taken in each scenario. 
These steps included initiating a lockdown, calling 911, sheltering in place, or pulling the fire alarm, for example. Based on those steps, the analysts developed a standardized scoring system to keep track of participant performance in the scenarios.</p><p>This type of training is known as options-based active shooter training because it gives the participants various responses to choose from. Many popular options-based programs are based on the U.S. Department of Homeland Security's Run. Hide. Fight. approach.</p><p>Drawing from Safe Havens International's repository of more than 200 audio and video crisis scenarios, analysts ran the simulations and let administrators, support staff, and teachers respond accordingly. These simulations covered a range of scenarios, which were presented in several formats.</p><p>For example, some participants were guided through an audio narration of a school bus taken hostage by an armed student. The audio was paused, and the trainees were asked what they would do next in that situation.</p><p>Similarly, video scenarios depicted potentially violent situations that left participants with a number of choices on how to react.</p><p>In one scenario, a woman screams at staff in the school office while brandishing a claw hammer. In another, a student on a school bus jumps up with a gun and yells, "Nobody move, and nobody gets hurt!" The video is stopped and trainees are prompted to say how they would react.</p><p>Based on action steps that were predetermined to be ideal, analysts then scored the trainees' responses on tablet devices. The scoring was tailored to individual clients. For instance, if analysts were training a school district that has a police officer on every campus, its response would be different from that of a rural district that does not have a law enforcement officer within 20 miles.</p><p><strong>Results. 
</strong>The results of the evaluations consistently showed that participants who were provided with options-based active shooter programs had lower scores than those who had not completed any type of training. </p><p>This outcome shows that current active shooter training methods may be overwhelming for administrators and teachers because they provide too much information—prompting them to attack when it is not necessary.</p><p>In an assessment in the northeastern United States, test subjects completed an options-based active shooter training program that was three and a half hours long. Evaluators found that the 63 administrators and staff members from 28 schools missed 628 out of 1,243 critical action steps that should have been implemented. That's more than 50 percent.</p><p>For example, participants failed to initiate or order a lockdown when it was appropriate 70 percent of the time. More than 55 percent of participants failed to call 911 or the school resource officer in scenarios depicting a person with a weapon, and 39 percent of participants failed to pull the fire alarm in situations involving fire. </p><p>During an assessment of a school district in the southwestern United States, 32 people from two groups participated in scenario simulations. One group completed a five-hour live training program based on the Run. Hide. Fight. video, developed by the district's school resource officers. The second group did not receive the training or view the video. </p><p>The simulation results revealed that none of the top five scoring participants had received any type of active shooter training. All five of the lowest scoring participants, on the other hand, had completed the training program. </p><p>The overall score was also significantly lower for the group that had completed training than it was for the untrained group. The lower scoring participants often opted to attack in situations where it was not the best option. </p><p><strong>Opting to attack. 
</strong>For the scenario described in the beginning of the article, where a student is potentially suicidal, analysts found that in one out of every four incidents, a school employee who had completed an options-based active shooter training would try to throw an object at or attack the student armed with a weapon.</p><p>Many of the participants in the simulations responded by opting to use force for almost any scenario involving a subject depicted with a gun. If the student in question was suicidal, such a reaction could be deadly, possibly leading the student to shoot himself or others.</p><p>Participants who had not received formal training began talking to the student, encouraging him to put the gun down, and asking if it was okay for the other students in the classroom to leave. These basics of communication are essential in an active suicide threat situation and can help defuse possible violence.</p><p>Another scenario featured a drunk man who was 75 yards away from a school at the same time that a teacher and her students were 25 yards from the school building at recess. The analysis found that 30 percent of participants playing the teacher chose to approach—and even attack the drunk man—even though he was three-quarters of a football field away from the school.</p><p>The best option in this scenario is for the teacher to instruct the students to go into the school and put themselves in lockdown, then go into the building and ask the office to dial 911.</p><p>In November 2017, a school in Northern California initiated its lockdown procedure when the school secretary heard gunshots nearby. The gunman tried to enter the campus but could not find an open door. Because school faculty followed policies and procedures, countless lives were saved.</p><h4>Active Threat Approach</h4><p>The narrow focus on active shooter incidents has left many schools ill-prepared for other active attacker methods, including edge weapons, acid attacks, and fire. 
Relying on active shooter training also neglects response to incidents that often go undetected, such as bullying and sexual harassment.</p><p>The Safe Havens International assessments revealed that many K-12 schools lack written protocols for hazardous materials incidents or do not conduct any training or drills for these easy-to-orchestrate, devastating types of attacks. Evaluations also revealed an unwillingness among some school staff to report incidents of sexual harassment.</p><p><strong>Policies and procedures.</strong> Educational institutions have written policies and procedures on a range of issues, including bullying, sexual misconduct, signing in visitors, and traffic safety. Scenario-based training will help demonstrate whether staff are prepared to apply those policies appropriately. All staff should be included in this training, including bus drivers, cafeteria employees, and custodial workers.</p><p>Scenario-based training can reveal the gaps between what procedure dictates and what staff would actually do when confronted with a threat.</p><p>For example, in one simulation conducted by Safe Havens International, a student sat in a classroom with a teacher after hours. The teacher stroked the pupil's hair inappropriately and used sexually explicit language. Some custodial staff faced with this scenario responded that they did not feel comfortable reporting what they saw to school administrators. Janitors, who may be more likely to witness such incidents, said they felt an imbalance of power among the staff, leaving them unwilling to speak up.</p><p>Administrators should address such issues by using multiple scenarios related to sexual misconduct to demonstrate to employees that they are not only empowered but required to report these situations. Reviewing these policies and procedures as part of scenario-based training, and incorporating possible threats other than active shooter, will bolster preparation among staff.</p><p><strong>Attack methods. 
</strong>While mass shootings garner the most media attention, most recent homicides at schools were caused by attacks that did not involve active shooter events, according to Relative Risk of Death on K12 Campuses by school security expert Steven Satterly. </p><p>The 2014 study revealed that of 489 victims murdered on U.S. K-12 campuses from 1998 to 2013, only 62 were killed by active shooters. The Columbine, Sandy Hook, and Red Lake Reservation School shootings made up 74 percent of those 62 deaths.</p><p>Several weapons possibilities exist, and should be acknowledged in training programs, including edged weapons, explosive devices, and fire. </p><p>There have been dozens of mass casualty edged weapons attacks in schools, and serious damage can occur in a matter of minutes. A mass stabbing and slashing incident in Franklin, Pennsylvania, in April 2014 left 21 victims injured when a sophomore began attacking other students in a crowded hallway. Similar attacks have occurred in China, Japan, and Sweden that have killed and seriously injured students and school employees.  </p><p>Acid attacks are occurring more frequently in the United Kingdom, as well as in India, East Africa, Vietnam, and other regions. </p><p>For example, in September 2016, a student rigged a peer's violin case with acid at a high school in Haddington, Scotland. The victim's legs were disfigured as a result.  </p><p>These types of attacks are relatively easy to carry out because acid is inexpensive and can be concealed in bottles that appear harmless. The injuries sustained in these attacks are gruesome and irreversible, and there are concerns that this attack method may become more common in the United States. </p><p>Many active shooter training approaches also fail to address combination attacks, in which the perpetrator uses two or more attack weapons, such as firearms and explosives, firearms and fire, and so forth. 
</p><p>In the 2013 attack at Arapahoe High School in Colorado, a student shot his classmates and a staff member several times before throwing three Molotov cocktails that set part of the library ablaze. The student then shot himself.</p><p>Combination attack methods can present complications for first responders who may have to decipher where each threat is located and which one to deal with first. These campus attacks demonstrate the danger of training concepts that focus intently on active shooter incidents, while not offering viable options for other extreme attack methodologies.</p><p>There are ways to better prepare school staff to react to violence and reduce the chance of unintended consequences. Scenarios that present a range of threats and situations help trainees learn to react in the most effective manner, and remind them to rely on existing policies.</p><p>Fidelity testing that includes a scoring system for action steps will help determine whether active shooter and active threat training concepts have been received by the faculty. Including all staff members who have contact with students creates an inclusive environment where everyone feels empowered to report misconduct.</p><p>Putting a mirror to current school emergency preparedness will reflect where changes need to be made. If there are significant gaps between the training concept and application of those concepts when reacting unscripted to scenarios, improvements are in order. By applying these principles, schools can prepare themselves for the common emergencies, the worst-case scenarios, and everything in between.</p><h4>Sidebar: Keeping Simulations Safe</h4><p>Even the most well-intentioned scenario-based training can result in injuries. 
Training programs that teach throwing of objects, taking people to the floor, punching and kicking, or similar uses of force can wind up hurting trainees and trainers alike.</p><p>At least one popular active shooter training program has resulted in high rates of serious injuries among trainees, according to Jerry D. Loghry, CPP, loss prevention information manager for EMC Insurance.</p><p>Loghry verified that EMC Insurance has paid out more than $1 million in medical bills to school employees for injuries sustained in trainings from one active shooter program over a 22-month time period. In addition, one police department is being sued due to those injuries.</p><p>Instructors can be trained on how to engage participants in use-of-force in a safe way. Reasonable safety measures should be put into place, such as floor mats, and participants should wear protective padding, goggles, and even helmets if necessary.</p><p>Safety rules should be written in advance and observed during training simulations.</p><p>Local law enforcement can be a valuable resource for simulating active threat situations in a safe manner, because police officers complete similar close-quarters combat training on a regular basis. Observing these best practices can help prevent litigation and liability issues, as well as enhance the overall experience of participants and instructors.</p><h4>Sidebar: Fidelity Testing</h4><p>For stereo systems, fidelity means that the sound generated by the speakers is nearly identical to the sound of the music that is recorded. In marriage, fidelity means that a person will be faithful to their promises to another.</p><p>In the world of school safety, fidelity indicates a close alignment between what is intended by safety policies, plans, drills, and training, and what people do in reality. 
Fidelity testing is the best way to verify the level of alignment between intentions and reality.</p><p>In the case of active shooter preparedness, fidelity testing involves efforts to measure whether there is a close match between theory and what people will actually do under the stress of a violent incident.</p><p>With properly designed active shooter preparedness approaches, practical application under extreme stress should mirror, to a reasonable extent, the theoretical expectations of the approach. If people cannot correctly apply the active shooter survival options they have been provided under simulated conditions, their performance will likely not improve when they are placed under extreme stress.</p><p>A high degree of fidelity helps reduce the distance between what people ideally do under stress and what they are likely to do. A reasonable level of fidelity testing of active shooter survival concepts should document that people are able to:</p><ul><li>Demonstrate the ability to identify when they are in an active shooter situation.</li><li>Apply each option they are taught in an appropriate fashion when tested with scenarios they do not know in advance.</li><li>Apply each option under limited time frames with incomplete information.</li><li>Demonstrate knowledge of when applying each option would increase rather than decrease danger.</li><li>Demonstrate the ability to identify when they are in a situation involving firearms that is not an active shooter event.</li><li>Demonstrate the ability to properly address a wide array of scenarios involving weapons other than firearms.</li></ul><p><em><strong>Michael Dorn </strong>is the CEO of Safe Havens International. He has authored 27 books on school safety and emergency preparedness, and his work has taken him to 11 countries. 
He has provided post-incident assistance for 12 active shooter incidents at K-12 schools, and helped coauthor a U.S. government IS360 Web training program on active shooter events. He can be reached at mike@weakfish.org</em></p>
Category: Physical Security
Book Review: Enterprise Risk Management
https://sm.asisonline.org/Pages/Book-Review---Enterprise-Risk-Management.aspx
<p>A curated collection of contributions by many expert authors, <em>Enterprise Risk Management</em> offers a comprehensive look at the risks that can endanger an organization. It covers everything from physical risks (environmental, health and safety, operational risk, project risk management, etc.) to intangible risks like cybersecurity. It has chapters on financial risk management, the role of insurance, global and strategic risk, and more.</p><p>Each chapter of this work can stand alone as a discussion of the risks associated with a particular area, such as supply chain management. Although this book cuts a wide swath, several chapters stand out as being particularly interesting.</p><p>The chapter on the insider threat (what the book calls human capital risk) is outstanding. It covers all of the different types of trouble that employees can get into, and discusses how to manage and avoid those risks. The only shortfall with this section is that it assumes that all of the actions of the insider are malicious; in practice, many well-intentioned employees have damaged their employers merely by clicking on a malicious link. Phishing, in all its forms, has become part of the insider threat spectrum, and should be treated as such.</p><p>The chapter on risk culture contains a fascinating section on how the attempts to control some forms of risk through the use of incentive programs end up exacerbating the very problems they seek to avoid. This section, while interesting, also shows the depth of this book: if you can’t find it here, there’s a good chance you don’t need to worry about it.</p><p>All of the risks discussed are organized via a common framework: risk context, assessment, treatment, monitoring, and review. 
This framework will be familiar to anyone with experience in ISO 31000 Risk management—Principles and guidelines, although there is little discussion of the standard in the book, where it appears only in the footnotes.</p><p>Finally, the book ends with a case study on the rise and decline of Blockbuster, the video rental chain, and how it was felled by Netflix. It is relevant because it is an example that most readers are familiar with, and it shows how an incorrect assessment of risk can have catastrophic consequences.</p><p>Because of its breadth and depth, Enterprise Risk Management may have difficult sections for many readers. For example, the areas on financial risk may not be of interest to someone interested in brand risk. This points to a strength in this book: an authoritative work, it best belongs in the enterprise risk management department of an organization, on the chief risk officer’s desk, in internal audit, and most importantly, in the CEO’s office.</p><p><em><strong>Reviewer: Ross Johnson, CPP</strong>, is the senior manager of security and contingency planning for Capital Power. He is an ASIS Council Vice President and the author of Antiterrorism and Threat Response: Planning and Implementation. He is an executive committee member of the North American Electric Reliability Corporation’s Critical Infrastructure Protection Committee, and is the infrastructure security advisor for Awz Ventures, Inc.</em></p>
Category: Strategic Security