Doing business is taking risks to achieve an objective while following a strategy.

All activities in an organisation should be aligned with the business strategy so that the organisation achieves its objective. However, nowadays it is frequent to find big companies, let alone small and medium ones, handling risks in a very archaic and fragmented way, not aligned with the organisation’s strategy.

It is usual that unrelated groups deal with related dimensions of enterprise risk: credit, market, strategic, operational and also reputational risk. This is a very ineffective and inefficient way to manage risk.

Credit and market risk management models are well established and developed (e.g. VaR). They fall outside the scope of this study. This study investigates the level of development of infosec and operational risk management practices within organisations and justifies why enterprise risk management needs to be aligned with the organisation’s strategy.

On one hand, the recent succession of corporate and government scandals happening in the First World (Enron, Arthur Andersen, Shell, Worldcom to mention only a few of an endless list of well known names) has created a myriad of corporate governance regulations that organisations have to comply with. This new corporate governance scenario includes better ways to deal with risk in organisations.

On the other hand, the increasing dependence on information and on information systems for most organisations makes the role of information security increasingly pivotal. The Internet revolution and open systems architectures bring an extraordinary level of connectivity and interaction but also the great challenge to guarantee information security in organisations.

This study looks at both hot topics from a linking and reconciling angle: operational risk management (ORM) and information security (infosec). Based on the fact that both information and operational risk spread throughout the whole organisation, this study defends that the systematic link of the infosec practice with the ORM strategy and practice bring superior benefits to the organisation.

Furthermore, it presents a way to carry out this linkage between infosec and ORM, which is anchored in a proposed model, the ‘risk house’: a comprehensive model to understand and manage risks in organisations.

A survey was launched to research the relationship between the level of evolution in infosec and risk management within organisations and potential benefits that organisations enjoy. These benefits will help organisations to better achieve their objectives, managing risks while following their strategy.

The survey in turn follows the spirit of the ‘risk house’ model.

82 risk management professionals from the 5 continents have answered it in a valid way. The results of the quantitative research prove the applicability of the proposed ‘risk house’ model. They serve to confirm which requirements to link infosec with ORM actually contribute to provide organisations with superior benefits. Simultaneously, they hint the pace companies nowadays follow to implement them.