1. ENTERPRISE SECURITY RISK MANAGEMENT SECURITY AND THE ISO31000 STANDARD? Julian Talbot Jakeman Business Solutions Pty Ltd ISO 31000 Conference 21-22 May 2012 G31000 the Global Risk Management Platform

2. Once upon a time… Pre-4360 AS/NZS 4360 31000 Integrated RM 4360 (1995) F ear U ncertainty D oubt 31000

3. ISO31000 Principles Framework Process Communication and Consultation Communication and Consultation Monitoring and Review Monitoring and Review Risk Assessment Establish the Context Risk Identification Risk Analysis Risk Evaluation Risk Treatment

4. Why ISO31000 works for Security?

5. ‘Apples for apples ’ comparison: – taxonomy (eg: likelihood and consequence) – risk assessments by different assessors – Longitudinally – between divisions or other organisations – against environmental, safety, financial risks Better decisions and allocation of resources Permission to add value Ability to integrate methodologies

8. Enterprises… $30 billion budget 120,000 people 8,000 facilities 41 Risk Criteria 15 Divisions www.riskebooks.comJulian Talbot (ASIS 2009)8

9. Australian Trade Commission (Austrade) Assists Australian businesses to export 1,400 staff in 60 countries 120 offices including 22 Consular posts $400 million annual budget

10. Understanding the risks Official sources including – Department of Foreign Affairs & Trade (DFAT) – National Threat Assessment Centre (NTAC) Open source and commercial providers Internal capability – Austrade posts and officers – Austrade Security Team Security Risk Assessments Incident reporting

11. Terrorism Source: Nationmaster.com

12. Assault Source: Nationmaster.com

13. Fraud Source: Nationmaster.com

15. Enterprise Security Risk Assessment (ESRA) Defensible, systematic and robust basis for decision making and planning Provide senior management with an assessment of current and emerging risks Inform the development and application of ongoing budgets and security measures

16. Enterprise Security Risk Assessment (ESRA) Whole of organisation/enterprise Inform budget and systems planning Known & emerging threats to the ‘business’ – Not location, activity or function specific ‘Enterprise Security Standards’ – Based on location, activities and functions

17. Enterprise Security Standards

18. Results… Austrade: – 5 year $60 million security plan – Robust, well documented analysis – Business case - AUD$18.4 billion exports with Austrade assistance (vs $12M p.a. on security) Defence – 5 year $300 million security plan – Included - $120 million existing treatments Finance – 3 year $2 million security plan – Proportional - to the agency

19. Last points… 1.All SR Managers 2.Something free? 3.Business card? 4.Been robbed? 5.Been a robber? 6.Illegal drugs? 7.Been to Africa? 8.Papua New Guinea? 9.Motorcycle license?

20. Last points… 1.All SR Managers 2.Be prepared 3.Time critical 4.Emotional decisions 5.Red teaming 6.15% of the economy 7.It’s personal! 8.Big risk taker! 9.HUGE risk taker!

21. THANK YOU Contact me at: julian.talbot@jakeman.com.au Download this presentation from: www.jakeman.com.au