Australian Information Security Management Conference

Document Type

Conference Proceeding


secau Security Research Centre, Edith Cowan University, Perth, Western Australia


Originally published in the Proceedings of the 9th Australian Information Security Management Conference, Edith Cowan University, Perth, Western Australia, 5th-7th December, 2011


Enterprise Risk Management is a process vital to enterprise governance, and it has gained tremendous momentum in modern business due to the dynamic nature of threats and vulnerabilities and stringent regulatory requirements. Business owners have realized that risk creates opportunity, which in turn creates value. Identifying and mitigating risk proactively across the enterprise is the purview of Enterprise Risk Management (ERM). However, key errors in the ERM process, such as misinterpretation of statistical data, overlooking change management, inadequate attention to supply chain interdependencies, excessive trust of insiders and business partners, ambiguous grouping of risks and poor documentation, have contributed significantly to the failure of ERM. To examine the perception of ERM in Oman, the authors conducted a survey among various risk management practitioners. Based on the findings, the authors have broadly classified risk into three types, namely business risks, technical risks and regulatory risks, and a threat vs. consequence mapping is defined to provide direction for moderately grouping risks. Further, this article defines various ERM approaches, including due diligence, probabilistic risk analysis, scenario-based analysis and system analysis, which offer a wide range of decision-support tools to management.