Government Technology
Texas Technology Magazine: news and solutions for the Texas public sector community

Risk Management Broken in Many Organizations, says Gartner

May 20, 2008, News Report


Many enterprises continue to take a narrow "siloed" approach to risk assessment and management, often developing risk practices that are not effective or appropriate to their specific needs, according to Gartner.

"The increased visibility of risk management in many enterprises has resulted in inconsistencies in the use and application of the term," said Paul Proctor, vice president and distinguished analyst at Gartner. "The term 'risk' has been appended to many traditional IT functions, such as security, business continuity, management and privacy, without the accompanying changes in the processes and methodologies used for understanding and managing the risk associated with these areas. This, in turn, has led to poor implementation of risk management as a discipline, limiting its effectiveness for many organizations."

Gartner said that in many enterprises, specialists with functional areas of responsibility for risk management operate independently from one another, use different definitions of risk, record information inconsistently and fail to share information beyond the boundaries of their specific business or support areas. As a result, there is little transparency across processes and no holistic view of risk, which is necessary for enterprise-level analysis of exposure and mitigation decisions.

"An enterprise that wishes to better understand and manage the risks to which it is exposed should begin with enterprise-specific risk definitions and an organizational risk hierarchy to which all risk-related specialists can align," said Proctor. "Although no single definition will work for all enterprises, it is important to start from a common, overarching framework to eliminate overlap, avoid gaps in coverage and ensure good governance."

Gartner has identified seven key steps to enable IT managers to understand and manage the risks facing them and allow them to quickly contribute to an enterprise-level risk management effort as their enterprises evolve in that direction:

  • Implement a framework for risk assessment and mapping.
  • Establish the responsibilities of risk managers within their areas of responsibility.
  • Identify and define the risks to which the business is exposed and what constitutes a risk event or "near miss" so that incidents can be mapped to specific risks.
  • Determine the threat level, and focus on those risks with the highest impact on performance.
  • Establish levels of controls for processes commensurate with the perceived threat.
  • Record and retain risk incident and near-miss information.
  • Conduct periodic risk assessments to determine changes in the operation's risk profile and assess control performance.

Comments


By Scott Smith on May 29, 2008

There's sure safety in those silos! Most IT groups point to the technology they've purchased as evidence that they're doing their jobs. I've spoken to countless IT personnel who ignorantly defend themselves by saying "we bought a device that does that!" Meanwhile, they continue to react and respond to alarms, help desk calls and the daily fire fight, completely unaware whether the "silo" they bought is working, configured properly or causing more problems than it solves! We've seen one too many instances where there's rampant abuse going on and the Web filtering solutions absolutely DO NOT REPORT ON WHAT THEY MISSED. Live by the silo. Die by the silo.

By Ric Skinner, GISP on May 21, 2008

This article is right on point and supports what we found in a survey of healthcare preparedness at US hospitals and healthcare facilities sponsored by the Business Continuity Planning Workgroup for Healthcare Organizations. A recurring theme we heard was that top-down support for emergency management/disaster preparedness was lacking, and the majority of the nearly 1500 healthcare facilities in the survey have less than 1 FTE assigned to this responsibility. The presentation of our results at the National Emergency Management Summit is available at http://www.bcpwho.org/presentations/downloads/Track1SkinnerR024008@1pmEM.ppt. A follow-up survey focused on Hazard Vulnerability Assessment methods and processes further supports the need for standardization, with the added dimension of location-based hazards for each facility rather than broad regional risks. Results of that survey are at http://www.surveymonkey.com/sr.aspx?sm=0VHlLI5wJwfBbqFybMfDKf2sOPGaZdfZoZhyx7opnm0_3d.
