
Measuring the adoption of Enterprise Security Risk Management in Kenya’s higher education using the ASIS ESRM Maturity Model

  • Original Article
  • Security Journal

Abstract

Enterprise Security Risk Management (ESRM) is gaining popularity in industry circles, especially after the American Society of Industrial Security (ASIS International) elevated it as its strategic priority in 2016. However, research on its adoption has attracted little attention, especially in universities which are often characterized by outstanding variations in culture, structure, and more. In this paper, we conduct a self-assessment of ESRM maturity in Kenya’s accredited universities using process metrics of the 2019 ASIS ESRM Maturity Model and insights from university security executives. The findings reveal that more than 35% of accredited universities have achieved advanced levels of ESRM adoption, with over 57% at average or middle levels, predominantly at Level 3. Public accredited universities exhibit higher ESRM adoption levels compared to their private counterparts. The study also identifies variations in the terminology used, with 60% using “Security Risk Management (SRM),” 35% using “University Risk Management,” and a minority adopting ESRM. The discomfort with the “enterprise” term indicates a need for awareness and sensitization programs. We argue that benchmarking with optimized ESRM adopters and increasing awareness and integration of ESRM in strategic planning and institutional governance are crucial for comprehensive security risk management in higher education.



Acknowledgements

This article is part of the Master of Forensics and Security Management thesis at the Institute of Criminology, Forensics, and Security Management, Dedan Kimathi University, Kenya. Special thanks to all the thesis advisors from the institute for helpful feedback and guidance. Thanks also to the security executives that agreed to participate in this study.

Author information

Corresponding author

Correspondence to Levis Omusugu Amuya.

Ethics declarations

Conflict of interest

The authors declare no potential conflicts of interest with respect to the research, authorship, and/or publication of this article.

Additional information

Publisher's Note

Springer Nature remains neutral with regard to jurisdictional claims in published maps and institutional affiliations.

Rights and permissions

Springer Nature or its licensor (e.g. a society or other partner) holds exclusive rights to this article under a publishing agreement with the author(s) or other rightsholder(s); author self-archiving of the accepted manuscript version of this article is solely governed by the terms of such publishing agreement and applicable law.


About this article


Cite this article

Amuya, L.O., Kariuki, P.M. Measuring the adoption of Enterprise Security Risk Management in Kenya’s higher education using the ASIS ESRM Maturity Model. Secur J (2024). https://doi.org/10.1057/s41284-024-00418-4


  • DOI: https://doi.org/10.1057/s41284-024-00418-4
