Many enterprises continue to take a narrow "siloed" approach to risk assessment and management, often developing risk practices that are not effective or appropriate to their specific needs, according to Gartner.

"The increased visibility of risk management in many enterprises has resulted in inconsistencies in the use and application of the term," said Paul Proctor, vice president and distinguished analyst at Gartner. "The term 'risk' has been appended to many traditional IT functions, such as security, business continuity, management and privacy, without the accompanying changes in the processes and methodologies used for understanding and managing the risk associated with these areas. This, in turn, has led to poor implementation of risk management as a discipline, limiting its effectiveness for many organizations."

Gartner said that in many enterprises, specialists with functional areas of responsibility for risk management operate independently from one another, use different definitions of risk, record information inconsistently and fail to share information beyond the boundaries of their specific business or support areas. As a result, there is little transparency across processes and no holistic view of risk, which is necessary for enterprise-level analysis of exposure and mitigation decisions.

"An enterprise that wishes to better understand and manage the risks to which it is exposed should begin with enterprise-specific risk definitions and an organizational risk hierarchy to which all risk-related specialists can align," said Proctor. "Although no single definition will work for all enterprises, it is important to start from a common, overarching framework to eliminate overlap, avoid gaps in coverage and ensure good governance."

Gartner has identified seven key steps to enable IT managers to understand and manage the risks facing them and allow them to quickly contribute to an enterprise-level risk management effort as their enterprises evolve in that direction:

  • Implement a framework for risk assessment and mapping.
  • Establish the responsibilities of risk managers within their respective areas of responsibility.
  • Identify and define the risks to which the business is exposed and what constitutes a risk event or "near miss" so that incidents can be mapped to specific risks.
  • Determine the threat level, and focus on those risks with the highest impact on performance.
  • Establish levels of controls for processes commensurate with the perceived threat.
  • Record and retain risk incident and near-miss information.
  • Conduct periodic risk assessments to determine changes in the operation's risk profile and assess control performance.