
May 20th, 2008

IT Risk Management - Confused and disjointed…

Gartner has published a new report ‘A Risk Hierarchy for Enterprise and IT Risk Managers’ in which it claims that risk management practices in many enterprises are in a poor state. Many enterprises continue to take a narrow ‘siloed’ approach to risk assessment and management, often developing risk practices that are not effective or appropriate to their specific needs.

Gartner says that in many enterprises, specialists with functional areas of responsibility for risk management operate independently from one another, use different definitions of risk, record information inconsistently and fail to share information beyond the boundaries of their specific business or support areas. As a result, there is little transparency across processes and no holistic view of risk, which is necessary for enterprise-level analysis of exposure and mitigation decisions.

"An enterprise that wishes to better understand and manage the risks to which it is exposed should begin with enterprise-specific risk definitions and an organizational risk hierarchy to which all risk-related specialists can align," said Paul Proctor, vice president and distinguished analyst at Gartner. "Although no single definition will work for all enterprises, it is important to start from a common, overarching framework to eliminate overlap, avoid gaps in coverage and ensure good governance."

In the report Gartner details seven key steps which enable IT managers to understand and manage the risks facing them and allow them to quickly contribute to an enterprise-level risk management effort as their enterprises evolve in that direction:

* Implement a framework for risk assessment and mapping.

* Establish the responsibilities of risk managers within their respective areas of responsibility.

* Identify and define the risks to which the business is exposed and what constitutes a risk event or "near miss" so that incidents can be mapped to specific risks.

* Determine the threat level, and focus on those risks with the highest impact on performance.

* Establish levels of controls for processes commensurate with the perceived threat.

* Record and retain risk incident and near-miss information.

* Conduct periodic risk assessments to determine changes in the operation’s risk profile and assess control performance.

The report is available here (payment required).
