Enterprise risk management: all systems go
ERM might seem a lofty concept, but Georgetown University provides an example of turning that concept into specific systems and projects that reduce risk
By Joan Goodchild, Senior Editor
May 31, 2010 — CSO
When Bill Badertscher arrived at Georgetown University three years ago, campuswide security was handled in several departments with little coordination among teams. It was time for a change. Badertscher is Georgetown's senior engineer for facility and safety control systems and leader of a new IT team that focuses on the same areas. The goal is to address enterprise risk management (ERM) by redefining it to include nontraditional systems. Understanding that security is mission-critical has led the University Safety and Information Services departments to work together in unprecedented ways.
Badertscher spoke with CSO about the program, as well as the challenges and changes he's encountered in helping bring Georgetown's ERM strategy up to speed.
CSO: Let's start with an overview of where Georgetown's ERM program was before you came on board. What were some of your first steps when you started in your current role?
Bill Badertscher: Georgetown had experienced several significant security project failures and data security breaches. So at a high level, it was recognized that a strategy was needed to address systems in the facilities and security spaces. That strategy was led by our CIO Dave Lambert and resulted in the formation of several new groups within IT.
When I first came on board, a budget was established to immediately replace some legacy systems, including access control and video surveillance. However, early assessments identified a much wider range of needs; initial wish lists totaled more than $60 million in new spending. That level of funding isn't available, so it's been key to do risk assessments to prioritize our needs. These have focused our efforts on access control, video surveillance, emergency response and fire-protection systems.
CSO: What are some changes you've made?
Georgetown recognized early on the need for IT to take a leadership role in the replacement of departmental systems and independent cabling networks. Our data network has sufficiently matured to accommodate the power and communication needs of security and other systems. This is important because nearly all new systems today interface with the data network. Our philosophy is to leverage the data network as much as possible and closely manage data security along the way.
Our ERM program is not just about facility and security control systems. Along with my group, we have new groups responsible for scholarly information systems; research and regulatory administration; data security and policy; and advancement. So it's not just my group. It's actually a collection of new initiatives that are reaching out across the university to address enterprise risk. That includes facility and security control systems, but a lot of others as well.