As we begin the new year, many of our clients are searching for ways to turn their failures with Governance, Risk and Compliance (GRC) technology into successful Integrated Risk Management (IRM) solution deployments. I talk to organizations from across the globe on a daily basis about their struggles to manage risks more effectively – particularly as it relates to the convergence of digital and physical environments. Past GRC approaches and technology solutions are ill-equipped to address these new and increasingly pervasive digital risks because they are rigid and compliance-driven. IRM offers flexibility and risk-based insight needed to manage the expanding digital business landscape.
Here are three new year’s resolutions to avoid GRC failures of the past and deploy a successful IRM solution set.
1) Do not lead with technology
Most GRC failures are the result of organizations first seeking the answer to their risk management challenges in technology. Unfortunately, risk management technology is simply an enabler of mature risk management programs. It is imperative to develop a solid risk framework first, one that will help define and facilitate communication at all levels, from the strategic to the tactical.
2) Break down the silos
Too many organizations do not have a comprehensive risk view, particularly as it relates to the intersections of cybersecurity, IT, operational and enterprise risk. The primary reason is the lack of clear vision and leadership across these risk management domains. Executive management must take the lead in breaking down the organizational silos and establishing key metrics to promote the management of risks that will have the greatest impact on the most important enterprise-wide objectives. While many of our clients will say they have an enterprise risk management (ERM) program, it typically is only a broad, horizontal view of risk categories. What it lacks is tight, vertical integration of risk management domains down through the organization (see figure below).
3) Focus on content and usability
The ultimate keys to successful use of risk management technology are found in the content and usability of the solution. Content is end-user driven and takes the form of robust risk assessments, metrics, policies, standards and controls. Without continuous end-user input, the content quickly becomes stale and ineffective. One of the primary reasons for weak content is the difficulty end-users face in using risk management technology. The difficulty is rooted not only in poor user interface design, but also in the multitude of stand-alone GRC applications that are compliance-driven and single-purpose. A common complaint is the need to maintain and reconcile multiple risk assessments across different technology platforms. An integrated approach will greatly reduce effort and improve the quality of risk management practices.
To learn more about IRM and the use of these technology solutions, read our recently published research: “Market Trends: GRC Era Is Over as Customers Adopt Integrated Risk Management” (Gartner subscription required).