The Convergence of Physical and Information Security in the Context of Enterprise Risk Management

This report was commissioned by the Alliance for Enterprise Security Risk Management (AESRM) and was researched and written by Deloitte and Touche LLP. The report was commissioned to address the value of integrating an enterprise’s various security management functions with the enterprise’s ERM efforts and to describe the benefits of a converged view of security in managing ERM. The report includes surveys and interviews of security executives and other senior-level executives.

This report gives insight into the:

• General state of security convergence
• Integration of converged security as part of ERM
• Role of Risk Councils
• Benefits of a strategy for converged risk management
• Opens communication between security disciplines
• Promotes better risk management enterprise-wide

Convergence is the identification of security risks and interdependencies between business functions and processes within the enterprise and development of managed business process solutions to address those risks and interdependencies.

Enterprise Risk Management (ERM) is, according to the Alliance for Enterprise Security Risk Management, a process to manage risk as it affects not only existing assets but also future growth, and to manage that risk from an enterprise-wide view. In practice, ERM is typically the approach an organization uses to harmonize, synchronize, and rationalize its governance, risk and compliance activities.

State of Risk Management Convergence Today

The surveys conducted for this report reveal that organizations think they are already managing risk on an enterprise-wide basis. These are not, however, coordinated or integrated efforts. There is a need for a common, unifying framework for policies, processes, practices, etc. The value of convergence must be articulated in “C-suite level” conversation. Internal champions need to underline the impact of risk on such things as share price and earnings. Senior management still sees security as tactical, rather than strategic, and they still see information security and traditional security as separate. Information security is the preservation of the confidentiality, integrity and availability of information; traditional security relates to the measures used to provide physical protection of resources against deliberate and accidental threats. A true convergence of traditional and information security involves disciplined cooperation between previously separate security functions. Organizations need to understand and measure and mitigate their significant security related risks as part of their overall risk management approach.

There is no one model for the convergence of traditional and information security; it is based currently on the vision of specific people. The current trend for enterprise risk management is moving away from a functional, technical orientation for risk management toward a business-based, adaptive approach to risk management. There was no significant emphasis on Enterprise Risk Management or convergence a decade ago. Even now, convergence is still in its infancy and ERM is still developing and evolving. 

Reasons for the new emphasis on enterprise risk:

• Regulatory pressures for better risk management practices
• Business Complexity that increases an enterprise’s risk profile
• Connectedness of many risk drivers
• Market Forces that create external risks for an enterprise

This report contains case summaries of organizations that have adopted some model of convergence of their risk management practices. The report also contains survey results on the imminence and role of convergence of risk practices.

Report Charts that Summarize Survey Results

The report includes charts that provide these survey results:

• How executives and CEOs define security
• Areas of functions that participate in security risk management
• Examples of security breaches and the scope of their impact across functions and assets
• External attacks over the last 12 months
• Budget trends for security risk management
• Convergence models

The convergence of security functions would connect people, data, and diverse systems. Convergence is a necessary part of risk management, but not sufficient on its own – organizations need to combine it with ERM.

Risk Councils

Many companies are starting ERM, but most are not establishing a risk committee or risk council to oversee the management of key risks. Two-thirds of those surveyed for this report said their company does not define the kind of risk it is willing to tolerate and another two-thirds do not have a process for correcting or escalating risks when they exceed certain limits.

Risk councils help organizations address convergence of security risks, rather than only focusing on ERM. The risk council should consist of senior employees from each of the organization’s business units, internal audit, C-level executives, finance, legal, and public relations. The council should discuss risks, identify potential exposures, and develop a program to control or mitigate significant risk from all sources.

This report has tips for organizational aspects of convergence, such as three ways to achieve convergence. (The graphic below is not included in the report, but may help illustrate the points in the text).  In Method #1, the convergence of traditional and information related risks occurs at the risk manager level.  In Method #2, the convergence occurs at the Risk Council level, with separate risk managers reporting specific risk types to the Risk Council.  In Method #3, the convergence happens at the business unit or department level and the integrated security risk analysis is submitted to the Risk Manager for oversight.

Original Article Source: “The Convergence of Physical and Information Security in the Context of ERM”, Deloitte and Touche LLP., 2007