The Integration of Risk Management - Essay Example

Tittle: The intersection between security and risk management Name Institution Date of submission Introduction The main security objective of organizations is to protect organization’s assets especially the information asset. Information is fundamental in meeting core objectives of the organization and misuse or mismanagement perhaps may lead to damage of the roadway to success (Woods, 2007). The integration of risk management approach in organizations holds huge potential when it comes to transforming organizations, enabling agility as well as adapting to new technologies. Organizations currently need to manage security risks like incorrect usage of data or corporate data loss and subsequent legal inferences such as crimes. Information security has emerged as one of the delicate assets of the organization which needs to be protected (Mythen & Walklate, 2006). Michael (2012) defined security management as the process involving identification of organization’s assets (information asset inclusive), documentation and implementing policies and procedures to protect these assets. In most cases, organizations decode these assets into information which has been considered easy and cheap when it comes to protecting them. This has resulted to integration of risk management approach which entails three main stages: classification of information, risk assessment and analysis of risk. The use of risks management approach enables the organization to recognize potential threats, categorize them and reflect on the vulnerabilities in order to apply appropriate and effective controls. The whole procedure of risk management ends up to upholding the security of assets within the organization (Woods, 2011). Organizations are experiencing a new workplace brought by events in the 21st century in which everyone in the organization have to adapt to the demands and opportunities which are constantly changing. It is apparent that the economies are globalizing and are constantly driven by new advancement in technology. According to Caldwell (2008) these changing aspects in organizations’ environment has called for transformation of employees in order to serve new customer demands. Launching an effective governance system to ensure security can be challenging when embracing risk management approaches. Advances in technology both at the production level and consumption level bring in heterogeneity thus creating complexities which are undoubtedly a nightmare to organizations (Béringuer, Grall & Soares, 2011). The account of risk management and security Late in 20th century, organizations were dashing to adapt to the trend in which workers were using non-corporate devices to ease workload (Camarinha-Matos, Xu & Afsarmanesh, 2012). The use of personal gadgets led to mishandling of information and sometimes, if not often, loss. Many of the organization between 1980s and 1990s were perceived to be off IT radar especially those that were using un-portable devices (Whitman & Mattord, 2003). The 21st generation devices puzzled many organizations especially when they recognized the device utility and could not have the capabilities to embrace. However, the willingness and competiveness in production pushed organizations to integrating information management systems. Currently, organizations are expected to have both the IT security and IT risk management within its executive level planning for it to become competitive in the global market. According to Jones & Ashenden (2005) the security objectives of the organization should be defined within five categories which include integrity, accessibility, confidentiality, control and accountability. The categorization provides an appropriate platform for identifying an appropriate risk management approach which focuses on people (employees and customers), processes and technology. When risk is integrated to organizational strategy, then it makes risk be a factor during decision making process and therefore enabling the intersection of risks management with security of information and other organizational assets. Slay & Koronios, (2006) regarded this idea of intersection as it provide an prospect to informed leaders within the organization with the objective of protecting organizational assets by coming up with appropriate systems. Most organizations that thrived towards the end on 20th century and are performing well in management of the assets are those that recognized the changing nature of the environment and adapt appropriately to these prospects. For example, a lot of paper work often causes data loss of fraudulence when it comes to finances of the organization. Therefore, employees could use this to exposé the financial statements of an organization especially the cash flow (Bansal, Kauffman, Mark & Peters, 1993). Areas of concern Wood (1995) realized that it was very important to determine the essential soft spots and inconsistencies that could largely impact the docket of security which is directly linked to organizational performance. For example, according to Slay & Koronios (2006), budgeting and forecasting processes must be effectively managed to avoid the liquidity risks of a business. Risk management capabilities are integrated to enable high level strategy achievability and accountability of the employees within the system. Putting security strategy as a priority enables a roadmap that will establish security practices which can be adapted to mitigate future challenges associated with information security (Choque, Agüero & Muñoz, 2011). Risk management approaches takes different forms depending on the asset value of an organization and it is normally installed in regard to the future security posture of the organization. In this case, Gelenbe & Wu (2013) overlooks an asset as data or system plus resources invested and understanding what exactly it is being protected relative to its value. It is difficult to establish the value of an asset especially when it comes to information. However, assets value can be determined by looking at the pillars of an organization. For instance, information asset value is determined by the checking how crucial the data is important to the organization, cost of obtaining and maintaining this data. Knowing the asset value of the organization would mean that the asset needs to be protected and not used inappropriately since it will affect the performance. Du, (2013) Recommended this as the first step of risk management since it gives a clarity of organization’s asset and its worth in the organization. Risk management approach is developed form this point after realizing what needs to be protected and for what reason it is being protected. According to Hutter (2010) it is without doubt that the proliferation in the use of mobile devices in today’s organizations in increasing the exposure of the identified asset value. Organizations are facing challenges on protecting these assets, enabling support and meeting the regulations of advanced risk management approaches. When it comes to protecting data for example, loss of sensitive data of an organization through the loss of mobile devices like phones is a challenge many organizations experience. Also, the heterogeneity of the devices sometimes may give a posture which may not allow implementation of appropriate risk management measure. In this case, and especially where employees are not accountable to their tasks, there is high possibility that the information asset of the organization would be exposed to malicious attacks which is a serious risk (Gelenbe & Wu, 2013). Determining the current security state of an organization is very important. Wong & Ma, (2013) realized this as a complicated process since the security capabilities within various organizations are have no fixed locations. Therefore, collecting security data both internally and externally helps in assessing the situation of security and the extent of exposure to the risks. Risk management and security docket meet at this point during identification of exposure/potential exposure. Organizations have integrated risk management approach to develop long-term strategy to address security issues and uphold sustainable security strategy within the organization. Humphreys (2008) found the following as the ways risk management approaches use in obtaining security information in the organization: a) Uncovering exposure of risk through survey where both internal and external parties are allowed to give their opinions on the assets of an organization, b) Interviewing people within the organization in order to derive the posture of security. c) Documentation: These include all the information relevant to security docket like assets, current security plans and operational statistics. From a small study conducted by Abu‐Musa (2010), it is evident that risk management approach in security ensures that there is correct placement of resources which will define the benefits achievable when security strategy is achieved successfully. Risk management has become helpful since it identifies technologies present which support security in the organization, looks at the regulations present that upholds the standards of security and provide an architect necessary to sustain security strategy for a long term (Akaichi, 2012). To be practical and clear, Vellani (2007) stated that it is not easily to accept the subjective nature of risk. Therefore, it is important to engage in the process of risk assessment in order to understand the level of safety of an organizational asset. Zhang (2012) found this opinion to be a meeting point of security and risk management. Since security entails ensuring that organizational assets are protected for the purpose of availability and integrity, risk management on the other side looks on the environment in which the assets are placed. The two concepts holistically ensure that the provision of governance service in compliance to the set standards is offered effectively. While is important to ensure that the dockets placed are managing risk right, it is equally important to uphold the security standards derived from the risk management approach. According to Michael (2012) top level management have the role of oversight over the three levels-strategic, corporate and operation activities to ensure that the effective decisions form risk management approach reaches the expected threshold to ensure the security of assets within the organization. Risk management also plays a crucial in the whole organization structure. Once the decision is agreed on how to mitigate risk, of which in the long run the organization needs to uphold security, employees are assigned the responsibility of owning the risk. In this case, employees often ensure that the security level of an asset or the probability of a risk to happen is within a tolerable level. Therefore, this will not threaten the security measures within the organization. For example, most of the organizations in the 21st century have auditors both internally and externally who monitors and checks whether controls are in place to manage the security concerns or the risks magnitude an asset is exposed to (Reid & Reid, 2014). Consistency is a submission of risk management approaches which is fundamental to security strategy (Woods, 2011). Woods implied that in order to achieve security objectives, there should be a common training and standardize documentation to ensure that any framework implemented provides consistent security at all level of management. Clemente (2014) found from his observation that though security may be narrower that risk management, still security is part of risk management. Risk management cannot be reduced to security specialists, however, it requires teamwork. For example, executives, managers, casual workers and the whole administration of an organization are called to work out a collaborative risk management plan which is acceptable and reliable. According to Herbane (2005), ‘the decisions in risk management approach are all made for the purpose of ensuring the assets of the organization are safe and secure.’ Apparently, the research by Choque, Agüero & Muñoz (2011) found that all the activities within an organization can be described from risk management viewpoint. Security is just but one facet of risk and it applies everywhere within the organization. Basically, an environment that is safe and secure provides an effective condition to implement a suitable program one of which can be risk management program. For all organizations, security should be perceived as a stand-alone thing. However, security is a major part of risk management which an essential topic to operational tasks as well as operational thinking. In conclusion, if risks are not appropriately assessed and analyzed, then the security of organizational assets will not be properly managed. This paper maintains that security and risk management approaches has an intersection at the point of decision making. Organizations should consider a secure and safe environment as an enabler for a favorable environment that facilitates various programs implementation one of which is risk management framework. A further argument in this paper is that, information in the 21st century is most valuable assert within the organization. With the present of mobile devices, this has subjected information to a risk environment where can seriously harm the organization. Risk management approaches when it comes to information security seem to be a challenge in the advanced society. References Abu‐Musa, A. (2010). Information security governance in Saudi organizations: an empirical study. Information Management & Computer Security, 18(4), 226-276. doi:10.1108/09685221011079180 Akaichi, J. (2012). A new approach towards the self-adaptability of Service-Oriented Architectures to the context based on workflow. IJACSA, 3(12). doi:10.14569/ijacsa.2012.031201 Bansal, A., Kauffman, R., Mark, R., & Peters, E. (1993). Financial risk and financial risk management technology (RMT). Information & Management, 24(5), 267-281. doi:10.1016/0378-7206(93)90004-d BeÌringuer, C., Grall, A., & Soares, C. (2011). Advances in safety, reliability and risk management. Boca Raton, FL: CRC Press. Caldwell, F. (2008). Risk intelligence: applying KM to information risk management. VINE, 38(2), 163-166. doi:10.1108/03055720810889798 Camarinha-Matos, L., Xu, L., & Afsarmanesh, H. (2012). Collaborative networks in the internet of services. Heidelberg: Springer. Choque, J., Agüero, R., & Muñoz, L. (2011). Optimum Selection of Access Networks Within Heterogeneous Wireless Environments Based on Linear Programming Techniques. Mobile Networks And Applications, 16(4), 412-423. doi:10.1007/s11036-011-0318-2 Clemente, D. (2014). Cyber security and global interdependence. Du, W. (2013). Informatics and management science II. London: Springer. Gelenbe, E., & Wu, F. (2013). Future Research on Cyber-Physical Emergency Management Systems. Future Internet, 5(3), 336-354. doi:10.3390/fi5030336 Herbane, B. (2005). Risk Management on the Internet. Risk Manag (Bas), 7(1), 71-72. doi:10.1057/palgrave.rm.8240206 Humphreys, E. (2008). Information security management standards: Compliance, governance and risk management. Information Security Technical Report, 13(4), 247-255. doi:10.1016/j.istr.2008.10.010 Hutter, B. (2010). Anticipating risks and organising risk regulation. Cambridge: Cambridge University Press. Jones, A., & Ashenden, D. (2005). Risk management for computer security. Amsterdam, Netherlands: Elsevier Butterworth-Heinemann. Michael, K. (2012). Security Risk Management: Building an Information Security Risk Management Program from the Ground Up. Computers & Security, 31(2), 249-250. doi:10.1016/j.cose.2011.12.011 Mythen, G., & Walklate, S. (2006). Beyond the risk society. Maidenhead, England: Open University Press. Reid, D., & Reid, W. (2014). Managing Facility Risk: External Threats and Health Care Organizations. Behav. Sci. Law, 32(3), 366-376. doi:10.1002/bsl.2107 Slay, J., & Koronios, A. (2006). Information technology security & risk management. Milton, Qld: Wiley Australia. Vellani, K. (2007). Strategic security management. Amsterdam: Butterworth-Heinemann. Whitman, M., & Mattord, H. (2003). Principles of information security. Boston, Mass.: Thomson Course Technology. Wong, W., & Ma, T. (2013). Emerging technologies for information systems, computing, and management. New York, NY: Springer. Wood, C. (1995). Shifting information systems security responsibility from user organizations to vendor/publisher organizations. Computers & Security, 14(4), 283-284. doi:10.1016/0167-4048(95)97068-l Woods, M. (2007). Linking risk management to strategic controls: a case study of Tesco plc. International Journal Of Risk Assessment And Management, 7(8), 1074. doi:10.1504/ijram.2007.015295 Woods, M. (2011). Risk management in organizations. New York, NY: Routledge. Zhang, J. (2012). ICLEM 2012. Reston, Va.: American Society of Civil Engineers. Read More