Friday, November 16, 2007

Enterprises Lack Effective Risk Management According to New AESRM Report


Rolling Meadows, Illinois, USA (5 September 2007)—The currently popular silo approach to managing enterprise risk is inadequate because it leaves too many gaps and provides no reliable way to evaluate an enterprise’s risk position, according to a new research report issued by The Alliance for Enterprise Security Risk Management (AESRM), a partnership of leading international security associations ISACA and ASIS International. The report is available as a free download at
The Convergence of Physical and Information Security in the Context of Enterprise Risk Management shows that while risk management is fundamental to most enterprise managers, many risk reduction initiatives are not coordinated or integrated across all risk areas. Only 19 percent of executives surveyed said their company has a robust process in place for identifying when risk tolerance approached or exceeded defined limits.
To address these risk challenges, organizations are investigating more inclusive enterprise risk management (ERM) programs and converging traditional and information security functions. Although this convergence is intuitive and logical, it is still in its early stages, according to the research conducted by Deloitte.
“The need for enterprises to understand, measure and mitigate their risk is a leading factor driving the increase in security convergence,” said Ray O’Hara, CPP, chairman of AESRM. “Globalization and high-profile security breaches have gained the attention of boards and management, who increasingly realize how effective risk management protects their assets and supports growth.”
When asked to identify the major drivers of their companies’ security integration efforts, 73 percent of the executives cited “reducing risk of combined information and physical security threats,” 58 percent said “increased information sharing,” and 50 percent noted “better protection of the organization’s people, intellectual property and corporate assets.” The survey shows that security integration and ERM, when aligned, add value throughout an organization.
“Even though our study found that convergence is in its infancy, it is clearly a concept that is not going away,” said Adel Melek, global leader of the security and privacy practice at Deloitte Touche Tohmatsu. “But like any new idea, it takes pioneers or ‘visionaries’ to propel it forward. The visionaries of our report’s case studies, typically executives, have a strong belief in the benefits of convergence and have the personal commitment to see their ideas to completion despite the uncharted territory in which they may find themselves.”
The report also includes case studies of successful ERM programs from SAP; Constellation Energy Group; the City of Vancouver, BC, Canada; and other organizations that achieved cost reductions, increased risk intelligence and mitigation, and reduced duplication. More information and examples of convergence are at
Media contact:
For ISACA: Kristen Kessinger, 847.590.7455
For ASIS: Eileen Smith, 703.518.1404
About AESRM—The Alliance for Enterprise Security Risk Management (AESRM) was formed in February 2005 to encourage board and senior executive attention to critical security-related issues and the need for a comprehensive approach to protect the enterprise. The alliance—consisting of ASIS International and ISACA—brings together more than 90,000 global security professionals with broad security backgrounds and skills to address the significant increase and complexity of security-related risks to international commerce from terrorism, cyber attacks, Internet viruses, theft, fraud, extortion and other threats.
About ISACA—With more than 65,000 members who live and work in more than 140 countries, ISACA is a recognized worldwide leader in IT governance, control, security and assurance. Founded in 1969, ISACA sponsors international conferences, publishes the Information Systems Control Journal®, develops international information systems auditing and control standards, and administers the globally respected Certified Information Systems Auditor (CISA) designation, earned by more than 50,000 professionals since inception, and the Certified Information Security Manager (CISM) designation, a groundbreaking credential earned by more than 6,500 professionals since it was established in 2002.
About ASIS—ASIS International (ASIS) is the preeminent organization for security professionals, with more than 35,000 members worldwide. Founded in 1955, ASIS is dedicated to increasing the effectiveness and productivity of security professionals by developing educational programs and materials that address broad security interests, such as the ASIS Annual Seminar and Exhibits, as well as specific security topics. ASIS also advocates the role and value of the security management profession to business, the media, government entities, and the public. By providing members and the security community with access to a full range of programs and services, and by publishing the industry’s number one magazine—Security Management—ASIS leads the way for advanced and improved security performance.
About Deloitte—Deloitte refers to one or more of Deloitte Touche Tohmatsu, a Swiss Verein, its member firms, and their respective subsidiaries and affiliates. Deloitte Touche Tohmatsu is an organization of member firms around the world devoted to excellence in providing professional services and advice, focused on client service through a global strategy executed locally in nearly 140 countries. With access to the deep intellectual capital of approximately 150,000 people worldwide, Deloitte delivers services in four professional areas—audit, tax, consulting and financial advisory services—and serves more than 80 percent of the world’s largest companies, as well as large national enterprises, public institutions, locally important clients, and successful, fast-growing global growth companies. Services are not provided by the Deloitte Touche Tohmatsu Verein, and, for regulatory and other reasons, certain member firms do not provide services in all four professional areas. As a Swiss Verein (association), neither Deloitte Touche Tohmatsu nor any of its member firms has any liability for each other’s acts or omissions. Each of the member firms is a separate and independent legal entity operating under the names “Deloitte,” “Deloitte & Touche,” “Deloitte Touche Tohmatsu,” or other related names.