Security leaders should start any initiative from an enterprise-wide risk perspective

During the opening keynote address at the US Gartner Security and Risk Management Summit, Gartner analysts explained why security leaders should start any initiative from an enterprise-wide risk perspective.

Gartner analysts provided guidance to an audience of more than 3,400 security and risk leaders and practitioners on how to be empowered to adapt their people, processes and technologies to address the old and the new; empowered to transform their approach to risk governance to be more continuous and inclusive; and empowered to scale their security capabilities in other ways than by hiring more people.

Much of this empowerment can come from addressing three simple questions: What’s important? What’s dangerous? What’s real? Gartner analysts took the attendees through a series of scenarios to show how these questions can provide clarity, and in each scenario, the intersection of the questions changed a perception and led to action (see Table 1).

| Scenario | What's Important | What's Dangerous | What's Real |
|---|---|---|---|
| Innovating for Value | Start from an enterprise-wide risk perspective | Adopt Integrated Risk Management (IRM) practices | Build a strong foundation of communication |
| Urgent Crisis and Threat | Create visibility into assets and ecosystems | Design for resilience at multiple levels | Use analytics and automation as a force multiplier |
| Technology Transformation | Empower others to be part of risk management | Challenge conventional wisdom on risks and controls | Select adaptable and adaptive risk controls |

Table 1, source: Gartner (June 2018)

Taking an enterprise-wide risk perspective

Historically, risks have been viewed through a narrow lens, typically that of the risk owner:

"A few key practices will greatly help you overcome this obstacle," said Katell Thielmann, research vice president at Gartner. "First, create and support a culture of accountability with well-established risk ownership and responsibilities. Next, build an enterprise-wide risk register that accounts for the top risks across all risk domains. Finally, map risk directly, clearly, and defensibly to business goals and objectives."

The danger can come from cyber risk, which represents an increasingly critical part of the risk puzzle. This is where integrated risk management (IRM) becomes so important. "IRM allows for easy and simple risk prioritization and linkages to risk treatment plans. We recommend you integrate cybersecurity and technology risks with broader operational risk to ensure that risk oversight is forward thinking," Ms. Thielmann said. "Define and measure risk indicators and identify those that serve as early warnings."

When responding to security threats, often the focus is on fixing a trust-related issue. However, in doing so, security leaders must make sure they do not violate their resilience goals. They have to design for resilience at multiple levels, from organizational to technical.

"Take an enterprise-wide view of resilience, and work with business and IT partners to set resilience goals," Craig Lawson, research vice president at Gartner, said. "Second, create crisis management and communication plans to reduce the risk of conditioned or habitual responses. Third, design technologies and processes that don’t just plan for high availability, but also for recovery and continuity. Lastly, ensure that these recovery and continuity plans are tested often enough to prove that they work."

Upcoming dates and locations for the Gartner Security & Risk Management Summit include:

July 24-26, 2018, Tokyo
August 14-15, Sao Paulo
August 20-21, Sydney
August 30-31, Mumbai
September 10-11, London
October 22-23, Dubai.

www.gartner.com/events