With all the hype and hysteria around the mounting cyber-security threats, companies are seeking to strengthen their management of IT risk. The Wall Street Journal reported last week that some of the largest U.S.-based companies are establishing technology committees at the board level to meet the need for greater governance. However, only 15 of the Fortune 100, and 5.2% of the more than 1,000 U.S.-based companies recently surveyed by the National Association of Corporate Directors, currently have a technology committee. So, for those companies that have not formalized their IT risk governance and oversight, what should they do?
Based on research I completed at Gartner several years ago, the following seven critical elements exist within the most successful IT risk management programs.
No. 1: Speak substantively about risk at every board meeting. Given today's market volatility and shifting regulatory landscape, it is problematic for a company to undertake a substantive risk review only once a year. Instead, boards and senior management should review risk conditions, warnings and outcomes at every meeting. Opportunities for identifying newer risks arising from changing market conditions and compliance requirements should also be discussed with the respective business owners from the management perspective.
No. 2: Define and deploy leading risk indicators. Large-scale, catastrophic events such as the explosion of the Deepwater Horizon oil platform in the Gulf of Mexico suggest the perils of depending too heavily on lagging measures of outcomes and, perhaps, underestimating potential risk factors. On the day of the explosion, a team of senior leaders had traveled to the platform to celebrate its safety record, which many companies in high-hazard industries define in terms of prior outcomes. However, outcomes can be deceptive indications of likely future developments, and measures that sit well upstream of risk results are essential to risk management.
No. 3: Explicitly link major risk areas to elements of strategy. Many companies consider their careful articulation of risks in their annual public disclosures to be a substantive examination of risks and their mitigation. However, the discussion cannot end there. Companies must develop a thorough understanding of their risk profile as it relates to their long-term strategic plan. By doing so, the board and senior management can then begin to adopt a more proactive, forward-looking approach to addressing the company’s risks.
No. 4: Align risk management and performance management. Without a full understanding of the implications of how risks impact the performance of business units and individuals in meeting their goals, the entire company will have difficulty meeting its long-term strategic objectives. Companies must explicitly identify how risk influences the behavior and ability of individuals in achieving their goals. For example, during the years leading up to the financial crisis of 2008, many mortgage banking companies based performance goals for loan originators solely on the quantity of loans issued without regard to the quality of supporting loan documentation or the underlying risk of the mortgage itself. Lacking this risk awareness, these companies unwittingly increased their overall risk exposure.
No. 5: Clearly articulate risks encountered versus authorized risk appetite. Many boards and senior leaders have argued vehemently over the tolerance for risks associated with strategic opportunities. With the risk linkages firmly and concretely articulated, the next logical action at the board level is the review of senior leadership’s assessment of how the risks actually encountered correlate with the risk appetite of the company. The board should create simple, straightforward risk appetite statements that provide clear guardrails for the company’s senior leadership. Then, senior leadership has the responsibility to articulate how their strategic initiatives fall within the established risk appetite. Any areas of ambiguity should be the primary focus of joint discussions to develop greater clarity around the risks to be taken to achieve the desired business outcome.
No. 6: Organize for enterprise-wide risk identification and accountability. The deep delegation of risk-related performance management goes hand in hand with the organizational understanding and assignment of risk responsibilities, from the boardroom to the shop floor. The clear allocation of risk-related decision rights and responsibilities gives the board and senior leadership a means of understanding who in the organization owns the various risks of the company.
No. 7: Use technology as an enabler of risk oversight activities. While technology is often viewed as a panacea for risk oversight challenges, it is most useful and cost-effective when deployed as an enabler of well-defined risk oversight activities. Too often, companies will over-engineer the supporting risk oversight processes based on a particular technology solution, resulting in greater bureaucracy and wasted investment.
Incorporating these elements into your risk management program will not only improve the quality of business outcomes, but will also ensure the sustainability of the program itself. With an ongoing, disciplined approach, senior IT and business leaders can drive their companies not only to improve their risk oversight practices, but also to gain added insight into how to achieve their strategic objectives.