Over the past decade, the business environment has transformed significantly. Events such as the USA 9/11 terrorist attacks, London 7/7 bombings, 2008 Global Financial Crisis, Japanese 2011 earthquake and the increasingly dangerous cyber threat landscape have all changed the way organizations need to manage enterprise risks.
Organizations need to develop new strategies that can deal with these evolving risks and allow them to survive in an ever more uncertain and volatile economic environment.
In order to achieve continuous improvement and drive business performance, an integrated approach to managing risks is needed; one that integrates governance risk management and security risk management. Governance risk management is normally conducted by business policy and compliance teams whereas security risk management is administered by IT operations and information security.
Most organizations fail to realize the upside of risk management because of their isolated approach to risk management. They firmly believe that having security risk management alone is adequate for measuring and managing IT and business risks the organization is exposed to.
The truth of the matter is that neither security risk management nor governance risk management alone is enough to mitigate today's enterprise risks. Compared with integrated risk management, an isolated approach has the disadvantages of duplicate data collection, redundant processes and high costs. The problem with the isolated approach is that each team tasked with risk management operates with different information and resources; as a result, it becomes increasingly difficult to make decisions and take actions that are in the best interest of the entire organization, and the teams end up with conflicting interests.
On the other hand, an integrated risk management platform creates common tools, data structures, processes and metrics for all risk management needs. In other words, an integrated risk management approach provides a single view of risk information and a comprehensive platform for the entire organization. This makes it easier for the organization to collect and organize information from numerous security tools and to reveal meaningful relationships among the data collected from those tools. Additionally, an integrated risk management platform can hold large volumes of data and perform risk analysis faster. This reduces the organization's dependence on manual processes and the need to hire more staff.
Integrated risk management can succeed only if governance risk management and security risk management are independently sound. Building an integrated risk management platform on the problematic foundations of flawed governance and security risk management tools and processes will only worsen the existing issues.
It is therefore imperative that, prior to building the integrated risk management platform, the business risk owner(s) clearly understand the difference between governance risk management and security risk management. This matters because risk management problems often arise when business operations and IT have different information needs and access to different data. The result is usually redundant data collection, overlapping processes and higher costs.
Most organizations that use security risk management as their only risk management tool fail to reap the benefits of their efforts for the following reasons:
- They use a multitude of different systems and tools (more than two) to collect, consolidate and analyze data in support of their risk management program. This process is very time consuming and error-prone, because data, metrics and reports have to be pieced together by hand to calculate IT risk across the organization.
- They rely too heavily on manual processes and spreadsheets to model and manage enterprise risks. Because most of these reports are produced in a decentralized way, it becomes increasingly difficult to gain complete visibility of enterprise risks. Effective security risk management requires complete visibility of end-to-end processes, from the business units through to security and IT operations.
- Most of these isolated tools have not adapted to change, for example to big data. With the explosion of big data and its increasing impact on business performance, the organization's tools and processes must be able to manage data that is rapidly growing in volume, variety and velocity.
The way forward for most organizations is first to identify the gaps in the set of security and risk management products and processes already deployed within the organization. The next step is to create awareness of enterprise risks. How are you creating awareness of risks? Is it through manual processes and best guesses, or through automation? If it involves the latter, you need to define all the risk management tasks to be automated and the time frame for completing their automation and integration.
Closing Thoughts: To effectively manage enterprise risks, organizations must integrate the top-down (governance) and the bottom-up (security) risk perspectives. An integrated risk management platform aligns the organization's business risks with its IT operations and addresses all areas of risk.
It is also important to note that when implementing integrated risk management, the organization must consider all the implementation models carefully as well as the number and frequency of future modifications to the platform. In today’s environment of rapidly evolving threats, an integrated risk management platform must be able to accommodate constant change.