Gartner Blog Network

The Top 3 Investment Challenges for Operational Risk Management

by John A. Wheeler  |  January 5, 2015  |  1 Comment

In my travels as a risk management research analyst and advisor, I consistently encounter resistance to making real, substantial investments in operational risk management (ORM) programs and technologies. Depending on the industry or the individual company’s risk profile, executives cite a number of challenges in securing the necessary funding for a mature ORM program. However, the real ORM investment challenges boil down to three barriers that must be overcome.

  1. ORM is a long-term investment, while companies want short-term results.
  2. Most risk professionals emphasize risk avoidance, while the real opportunity in ORM lies in taking the right risks to achieve a desired business outcome.
  3. Once material operational risks are actually realized, the resulting expenditures are not investments in future capabilities; they are remediation costs for risk events that were not proactively addressed.

In some cases, as highlighted in Gartner’s recent Global Risk Management Survey, companies may try to make the right investments, only to allocate funds to the risk mitigation “strategy du jour”. This approach is typically a reaction to a regulatory mandate or a peer-related risk event, and it does not necessarily lead to more effective ORM.

A great example of the ORM “strategy du jour” is the growing interest in cyberinsurance policies. While cyberinsurance may be a good way to transfer some of the risk associated with a data breach or security attack, its value depends heavily on the health of the company’s security and IT risk management program. A weak or immature risk management program will result in high insurance premiums and, in many cases, will preclude claim payments altogether.

When a breach occurs, the company that did not invest in a mature risk management program will discover that policy exclusions triggered by poor security controls render the insurance worthless. As a result, the company itself must pay the costs of customer notification, forensic investigation, legal defense and regulatory penalties and fines. So, the funds that could have been devoted to improving the risk management program instead go toward addressing prior weaknesses.

To learn more about Gartner’s view on ORM and cyberinsurance, read our latest research on these topics, including the Magic Quadrant for Operational Risk Management and Understanding When and How to Use Cyberinsurance Effectively at



Category: cyberinsurance  enterprise-risk-management  grc  it-risk-management  operational-risk-management  

Tags: cyberinsurance-2  data-breach  governance  grc  operational-risk-management  risk-and-compliance  

John A. Wheeler
Global Research Leader - Risk Management Technology
9 years at Gartner
30 years IT Industry

John A. Wheeler is global research leader for risk management technology solutions and professional services. His areas of specialty include integrated risk management, executive leadership and corporate governance. Follow him on Twitter @JohnAWheeler

Thoughts on The Top 3 Investment Challenges for Operational Risk Management

  1. VM does not integrate well with cyber exercises or intelligence-led cyber risk programs. The scoring systems and databases do not lead well towards the patterns and practices used by power analysts in the cyber intelligence space.
