Executive summary

Doing business means taking risks. Risk management deals with exposures to specific threats that can take advantage of existing vulnerabilities and affect organisations. Enterprise risk management (ERM) consists of the processes used to manage risks in the enterprise.

ERM comprises four categories of risk: strategic risk (not defining and meeting objectives), market risk (negative interactions with the market), credit risk (exposure to non-payments) and operational risk (exposure to loss from internal processes, people, systems and external events).

An ERM umbrella that is aligned with the business strategy helps the organisation achieve its objective.

Information is an essential asset for most organisations: it connects all risk management disciplines and, more broadly, most business processes use it. Information risk management, also called information security, is an element of operational risk.

There is a current tendency towards linking the information security activity (infosec) with the operational risk management (ORM) practice and, more generally, with the enterprise risk management activity.

The link between infosec and ORM disciplines can eventually play a positive role in constructing sustainable and superior benefits for organisations.

An overarching model is proposed to understand and manage the complexity of infosec and ORM in organisations: the ‘risk house’ model.

This model explains how to link the infosec practice with the ORM strategy and practice. It locates ORM within ERM and signals the pervasiveness of information and the need to develop information security and to link it with ORM.

The infosec-ORM link should always happen in accordance with the risk appetite of the organisation. ORM objectives can be significantly facilitated if both risk disciplines are aligned with the strategy of the organisation to achieve its objective.

A survey of 82 experts provides two main conclusions. First, management commitment, the degree of development of information security and the alignment of risk management with the business strategy (i.e. its strategic alignment) are strongly related to superior benefits achieved in organisations.

Second, the three most probable superior benefits achieved are stakeholder value, new business opportunities and better compliance. These three benefits ultimately contribute to the responsible image of the organisation.