The risk house model. Copyright (C) 2006, Alberto Partida
The conclusion of the literature review is the proposal of an overarching enterprise risk management model: the ‘risk house’.
This model helps answering how companies can link their information security practice with their operational risk management strategy and practice to achieve superior benefits and helps understanding the results of the survey.
Copyright (c) 2006 Alberto Partida.
Permission is granted to copy, distribute and/or modify this document
under the terms of the GNU Free Documentation License, Version 1.2
or any later version published by the Free Software Foundation;
with no Invariant Sections, no Front-Cover Texts, and no Back-Cover
Texts. A copy of the license is available at the GNU
Free Documentation License site.
The ‘risk house’ model connects all subjects visited in the literature review. It is a comprehensive way to explain what risk means for an organisation. The core of the house is the business idea.
Every business idea brings intrinsically the need to address risks. The ideas of doing business and taking risks both are actions that constitute the core of the ‘risk house’. Managing risks is strongly coupled with the strategy of the business to achieve its objective. This is the reason why these three elements share a different background colour (yellow).
The remaining building blocks of the ‘risk house’ (sharing the blue colour) are related to risk. Surrounding the core of the ‘risk house’ (the business), there is an upper element consisting of all possible enterprise risks (i.e. strategic, market, credit and operational risks).
All of them form part of the enterprise risk block.
Reputational risks are written with a different font but they are located in the same enterprise risk block. The subtle difference is that reputational risk can be present in all four types of risks.
Information is the lower complementary block surrounding the business core. As identified in the literature review, information acts as a risk connector for all these risks. Information is pervasive. Based on the findings of the literature review, all risk practices should use a common language.
These days information resides in information systems. This is the reason why the information block lays upon several information systems. These are drawn as definite circles because organisations still struggle to integrate their information systems. It is frequent to find unlinked information systems for different business processes, bringing sometimes even more complexity to the business.
On the top of the house, corporate governance is the roof aiming at safeguarding the future of the organisation, taking care of the overall steering principles and governance processes of the organisation and its compliance with current regulations.
On the right hand side, the model refers to risk management processes related to the adjacent house element. Following a top-down approach and starting from the corporate governance umbrella, the first process related to corporate governance and business strategy is compliance and control.
The process dealing with all the risks affecting the business is enterprise risk management. Similarly, the process guaranteeing the effectiveness of information as a pervasive element that connect risks is information security.
Information systems security guarantees the confidentiality, integrity and availability of information residing in information systems.
Every process relies on the one located just below, in such a way that their seamless integration provides a unique way for the organisation to achieve its objective in the form of superior benefits.
The remaining elements of the ‘risk house’ model bring actions: Risks, as threats taking advantage of vulnerabilities, are always menacing the business. Consequently, enterprise risk management and information security provide required input to assess the current risk exposure and to compare it with the organisation’s risk tolerance (risk appetite).
This is the reason why it is so important to integrate ERM with infosec (and within ERM, especially ORM). This way, the ERM and the information blocks can determine which risks can be accepted and which risks need to be mitigated.
The last element to mention is management commitment. This is the fluid glue that links business strategy with ERM. Management commitment is essential to keep the house protected and governed.
The application of the ‘risk house’ model to different industrial sectors would show very different levels of block strength e.g. the financial world is currently one of the most advanced in terms of risk management.
The final objective of the ‘risk house’ model is to show graphically the need to protect the business by integrating risk management practices under the ERM umbrella and linking them with information security to adjust the organisation’s risk exposure with its risk tolerance.
This way, the organisation will enjoy superior benefits that will leverage achieving its objective. This is the message of the ‘risk house’ model.
The answer to the research question pops out by feeding the ‘risk house’ model, created out of the literature review, with the results obtained in the survey.
First, the indispensable glue among all blocks is management commitment, without it the ‘risk house’ would collapse.
Second, the information block and the information security process need to be assembled and maintained.
Third, the enterprise risk block and, consequently, all blocks in the house, need alignment with the business strategy.