Enterprise security risk management (ESRM) is a management process that creates a consistent and holistic approach to managing threats to any organization through an ongoing process of assessing all security-related risks across the entire enterprise. Under an ESRM framework, security professionals quantify the range of threats, create and implement mitigation plans, identify the appropriate risk owners, manage any incidents that arise, and develop remediation efforts. The ESRM process ensures that any new risks that treated in the same way.
Unlike "convergence," which has typically meant the ways in which traditional and IT-security teams are integrated, ESRM can and is used to manage security risks without regard to organizational structures.
The process of ESRM is one of continuous improvement:
The CSO Center of ASIS International has released several papers describing the ESRM process and how it has been implemented by corporations around the world. The first, Enterprise Security Risk Management: How Great Risks Lead to Great Deeds, was released in 2010. This groundbreaking paper was a CSO Roundtable initiative based on a survey of more than 200 members of the Roundtable as well as to the rest of the ASIS membership.
The second, Enterprise Security Risk Management: A Holistic Approach to Security, was the work of a diverse group of security executives in 2014. This paper provides a detailed description of ESRM, explains how it is distinct from enterprise risk management, and offers case studies that detail how ESRM can help organizations manage risks that arise outside the traditional parameters of the security department.