To integrate security with enterprise risk management, which action is appropriate?

Integrating security with enterprise risk management means security is treated as part of the organization’s overall risk picture, not as a separate silo. The best approach is to align security objectives with the organization's risk appetite, participate in risk assessments, and report security risks at the ERM level so leaders can weigh security concerns alongside other risks and allocate resources accordingly. This ensures that security controls and risk responses reflect the level of risk the organization is willing to tolerate and supports consistent governance across the enterprise. Keeping security outside ERM creates silos and blind spots; skipping risk assessments leaves threats unquantified; and routing reports only to HR bypasses the formal risk governance channel and undermines enterprise-wide oversight.