Over the past month, I’ve been speaking to various groups to help them prepare for the onslaught of digital risks in their organizations. A common theme is the need for greater risk quantification beyond the realm of traditional, qualitative governance, risk and compliance (GRC) approaches. A balanced view of digital risk through integrated risk management (IRM) is required to reach what Gartner calls the new “techquilibrium”.
You might ask, what is techquilibrium? Techquilibrium is the balance point where the enterprise has the right mix of traditional and digital capabilities and assets to power the business model needed to compete most effectively in an industry that is being digitally revolutionized. This new state of techquilibrium demands an understanding of both the quantitative and qualitative elements of digital risk to support decisions related to both digital optimization and digital transformation strategies – see figure below.
Legacy GRC approaches typically focus only on the qualitative elements of risk through highly subjective risk scoring methods that support a tactical view of risk (high vs. low). As I discussed in my keynote address to FAIRCON19 several weeks ago, IRM solutions can help improve the qualitative tactical view through risk quantification based on data analysis methods like Factor Analysis of Information Risk (FAIR). Many organizations are now utilizing IRM and FAIR to create risk treatment plans for potential data breach events as they optimize their business. These plans help inform the decision to purchase cyber insurance and determine the amount of coverage needed.
However, in the pursuit of techquilibrium, organizations must take their risk analysis a step further, to the strategic view. This strategic view of risk (good vs. bad) supports the decision-making behind digital transformation – creating new digital products and services to deliver greater results. As I shared with executives during my guest lecture to the Carnegie Mellon Chief Risk Officer Certificate Program, a greater understanding of the quantitative aspects of digital risk is required to develop a successful business case for digital transformation. Rather than simply looking at a cost/benefit analysis to determine the potential for loss minimization, CROs need to understand the technological risks behind a digital product or service in quantitative terms. Doing so will allow for a proper ROI analysis detailing the potential for profit maximization.
IRM fully supports these two important and complementary views of risk (tactical and strategic) across the two important and complementary types of risk evaluation (qualitative and quantitative). As reinforced in today’s Gartner 2019 Symposium Keynote, achieving techquilibrium is all about the “AND”. The same goes for IRM! Learn more about IRM and digital risk by reading “How to Get Your CEO to Embrace Digital Risk Management” as well as my upcoming research “Emerging Technology Analysis: Digital Risk Management” (Gartner subscription required).