Why Enterprise Security Risk Management should incorporate mental health and wellbeing processes

As a long-time advocate for Enterprise Security Risk Management and mental health for several years, Mike Hurst explains why the two may be more closely linked than previously considered.

To me, aligning security resources and capabilities with strategic and operational needs, to enhance and support an organisation’s purpose, makes perfect sense. This is why I have been an active proponent of Enterprise Security Risk Management (ESRM) for many years, since my introduction to it through my involvement with ASIS international (including being on the ESRM Steering Committee).

ESRM is now very much an accepted discipline thanks to the leadership of people like John Petruzzi, Tim McCreight, Rachelle Loyear, Brian Allen and others; the latter two having published books on the subject.

Applied correctly, ESRM can support and protect most, if not all, business functions.

Much of my volunteer activity over the last few years has been around mental health and wellbeing in the security sector. This has been via involvement with the International Foundation for Protection Officers (IFPO) and with the Security Minds Matter project, an industry-led initiative which is supported by the Security Industry Authority.

Alongside education and awareness, we are trying to help breakdown stigma and get more support for those suffering with mental ill health and wellbeing issues.

For me there are three main reasons for supporting mental health and wellbeing.

• Looking after people – we support people with physical health issues, so why not mental health?
• Good business practice
• Better Security

Looking after people

An easy one! I hope people would agree that supporting sufferers in the same way we support those suffering from physical health issues is the ‘right thing to do’.

It is worth remembering that according to the World Health Organisation, one in four people will suffer from mental or neurological disorders at some point in their lives. This does not take into account family, friends and colleagues of sufferers.

Good business practice

Again, quite an easy one. I think it is clear that mental ill health can have a huge impact on the overall wellbeing and hence productivity of employees.

In May 2021, the World Economic Forum said: “mental wellbeing of a population is essential for a country’s sustainability, growth and development.” It estimates: “Globally, an estimated 12 billion working days are lost every year to depression and anxiety at a cost of $1 trillion per year in lost productivity.” It is estimated that poor mental health costs the UK economy £45bn per year.

Better security

In making the case for better mental health provision, I have been considering if support for mental health and wellbeing could produce better security, as well as whether it could be considered within an enterprise security risk management framework.

Most good security practices start with a risk assessment, so why should this be different for the risks of mental ill health?

Some aspects that may warrant consideration include:

• Could including mental health provision within an ESRM framework help foster a healthy and productive work environment?
• Could supporting wellbeing and mental health reduce and mitigate the security risks associated with issues, such as
  • staff turnover
  • presenteeism, absenteeism
  • health and safety and taking unnecessary risks?
• Could it help guard against potential legal liabilities?
• Can supporting mental health reduce the risk of insider threat?

If the answers to the some or all of these questions are ‘Yes’, what are some options that could be considered that ensure security is fit for purpose and aligns and supports business operations?

• Design and implement policies and procedures that address mental health concerns
• Introduce stress management programmes
• Training for managers and supervisors on how to identify and support employees who may be struggling with mental health issues
• Ensure that there are effective programmes around workplace bullying, harassment, and discrimination, all of which can negatively impact mental health
• Have policies and procedures to support employees returning to the business after mental health related absences:
  • Reduced workload
  • Flexible hours
  • Remote working
• Appoint suitably trained Mental Health Champions
• Employee Assistance Programs
• Ensuring people feel they and their work is valued
• Have a good, positive security culture (including safety and resilience)

Circling back to the original question, supporting mental health and wellbeing is not only the right thing to do from a people-centred and business standpoint, but by applying an ESRM approach it can also improve security.

Prioritising mental health and wellbeing in the workplace can help organisations create a safer, more resilient, and more productive environment for all employees.

Listen to the IFSEC Insider podcast!

Each month, the IFSEC Insider (formerly IFSEC Global) Security in Focus podcast brings you conversations with leading figures in the physical security industry. Covering everything from risk management principles and building a security culture, to the key trends ahead in tech and initiatives on diversity and inclusivity, the podcast keeps security professionals up to date with the latest hot topics in the sector.

Available online, and on Spotify, Apple Podcasts and Google Podcasts, tune in for an easy way to remain up to date on the issues affecting your role.

Listen to the podcast today