From Information Security Management to Enterprise Risk Management
Organizations face increasing complexity, uncertainty and growing threats from a wide range of forces. Depending on how this situation is handled, it can become a risk that erodes business value or an opportunity that enhances it. In addition, organizations have to meet the risk management requirements of many different stakeholders as well as legal and regulatory requirements. Comprehensive enterprise risk management has therefore become a key challenge and a core competence for organizations’ sustainable success. Given the central role of information security management and the goals it shares with enterprise risk management, organizations need guidance on how to extend information security management in order to fulfill enterprise risk management requirements. Yet interdisciplinary security research at the organizational level is still missing. Accordingly, we propose a systemic framework that guides organizations in promoting enterprise risk management, starting from information security management. The results of our case studies in several small and medium-sized organizations suggest that the framework was useful for promoting enterprise risk management in an effective, efficient, cost-effective and sustainable way. New insights for practice and future research are offered.
Keywords: Information security management; Risk management; Enterprise risk management; Framework; ISO 27000; ISO 31000; COSO
The research leading to these results was partially funded by the Tyrolean business development agency through the Stiftungsassistenz QE—Lab.