Gartner Blog Network

Digital Risk “Techquilibrium” Requires IRM

by John A. Wheeler  |  October 21, 2019  |  Submit a Comment

Over the past month, I’ve been speaking to various groups to help them prepare for the onslaught of digital risks in their organizations. A common theme is the need for greater risk quantification beyond the realm of traditional, qualitative governance, risk and compliance (GRC) approaches. A balanced view of digital risk through integrated risk management (IRM) is required to reach what Gartner calls the new “techquilibrium”.

You might ask, what is techquilibrium? Techquilibrium is the balance point where the enterprise has the right mix of traditional and digital capabilities and assets, to power the business model needed to compete most effectively, in an industry that is being digitally revolutionized. This new state of techquilibrium demands an understanding of both the quantitative and qualitative elements of digital risk to support decisions related to both digital optimization and transformation strategies – see figure below.

Digital Risk Management - Gartner

Digital Risk Management – Gartner

Legacy GRC approaches typically focus only on the qualitative elements of risk through highly subjective risk scoring methods that support a tactical view of risk (high vs. low). As I discussed in my keynote address to FAIRCON19 several weeks ago, IRM solutions can help improve the qualitative tactical view through risk quantification based on data analysis methods like Factor Analysis of Information Risk (FAIR). Many organizations are now utilizing IRM and FAIR to create risk treatment plans for potential data breach events as they optimize their business. These plans help inform the decision to purchase cyber insurance and determine the amount of coverage needed.

However, in the pursuit of techquilibrium, organizations must take their risk analysis a step further to the strategic view. This strategic view of risk (good vs. bad) supports the decision making behind digital transformation – creating new digital products and services to deliver greater results. As I shared with executives during my guest lecture to the Carnegie Mellon Chief Risk Officer Certificate Program, a greater understanding of the quantitative aspects of digital risk are required to develop a successful business case for digital transformation. Rather than simply looking at a cost/benefit analysis to determine the potential for loss minimization, CROs need to understand the technological risks behind a digital product or service in quantitative terms. Doing so will allow for a proper ROI analysis detailing the potential for profit maximization.

IRM fully supports these two important and complementary views of risk (tactical and strategic) across the two important and complementary types of risk evaluation (qualitative and quantitative). As reinforced in today’s Gartner 2019 Symposium Keynote, achieving techquilibrium is all about the “AND”. The same goes for IRM! Learn more about IRM and digital risk by reading “How to Get Your CEO to Embrace Digital Risk Management” as well as my upcoming research “Emerging Technology Analysis: Digital Risk Management” (Gartner subscription required).

Additional Resources

View Free, Relevant Gartner Research

Gartner's research helps you cut through the complexity and deliver the knowledge you need to make the right decisions quickly, and with confidence.

Read Free Gartner Research

Category: audit-and-risk  digital-disruption-and-innovation  

Tags: cybersecurity  digital-risk-2  digital-risk-management  integrated-risk-management  irm  risk-management  

John A. Wheeler
Global Research Leader - Risk Management Technology
9 years at Gartner
30 years IT Industry

John A. Wheeler is global research leader for risk management technology solutions and professional services. His areas of specialty include integrated risk management, executive leadership and corporate governance. Follow him on Twitter @JohnAWheeler Read Full Bio

Leave a Reply

Your email address will not be published. Required fields are marked *

Comments or opinions expressed on this blog are those of the individual contributors only, and do not necessarily represent the views of Gartner, Inc. or its management. Readers may copy and redistribute blog postings on other blogs, or otherwise for private, non-commercial or journalistic purposes, with attribution to Gartner. This content may not be used for any other purposes in any other formats or media. The content on this blog is provided on an "as-is" basis. Gartner shall not be liable for any damages whatsoever arising out of the content or use of this blog.