The theme of the 2008 Executive Women's Forum on Information Security, Risk Management & Privacy is "risk convergence is inevitable." The risks associated with information security, privacy, physical security and so forth are converging such that an integrated management approach is required from within the firm.

Interestingly enough, business continuity management was not a key risk area mentioned by all panelists of the session titled "Convergence: The Good, The Bad & The Ugly." There were two pieces of strategic program management advice from the panelists. The first point is that you have to partner with all of your lines of business and corporate support areas. Since risk is related to the delivery of the business, no one department can address all of the issues. And, you might find that there are good practices already in place within your firm, so that you are not reinventing the wheel - leverage the good stuff throughout the firm. The second point is to focus on the budget issue - how many risk-related activities are already in place in your organization that could be combined, and possibly duplicated, so that more work gets done with less money spent? Pooling of already limited budgets can go a long way toward developing a program that is more mature, delivers more benefit to the organization and eliminates a lot of duplicative work.

But all of this convergence comes at a price - mainly in fear, uncertainty and doubt of the workforce. Some feel that they will lose authority (especially in siloed risk approaches); others might lose their jobs as a result of the convergence. This human aspect was mentioned as the key challenge of an integrated approach. Therefore, communicating not only up within the firm but down to the workforce is critical to achieving a well-run and integrated program.

And finally, for those areas that just don't want to "play the game," use your internal audit department as the "stick" that can get them to act. When I was an IT risk manager, I always said that I was management's best friend - let me tell you the gaps in your risk program rather than having them come from the audit department, which then become part of the records of the firm.