In my travels as a risk management research analyst and advisor, I consistently encounter resistance to making real, substantial investments in operational risk management (ORM) programs and technologies. Depending on the industry or the individual company’s unique risk profile, executives cite a number of challenges they face in securing the necessary funding for a mature ORM program. However, the real ORM investment challenges can be boiled down to three barriers that must be overcome.
- ORM is a long-term investment, while companies want short-term results.
- Most risk professionals emphasize risk avoidance, while the real opportunity in ORM lies in taking the right risks to achieve a desired business outcome.
- Once material operational risks are actually realized, the resulting expenditures are not investments in future capabilities – they are remediation costs for risk events that were not proactively addressed.
In some cases, as highlighted in Gartner’s recent Global Risk Management Survey, companies may try to make the right investments, only to allocate funds to the risk mitigation “strategy du jour”. This approach is typically a reaction to a regulatory mandate or a peer-related risk event, and it does not necessarily lead to more effective ORM.
A great example of the ORM “strategy du jour” is the growing interest in cyberinsurance policies. While cyberinsurance may be a good way to transfer some of the risk associated with a data breach or security attack, its value is highly dependent on the health of the company’s security and IT risk management program. A weak or immature risk management program will result in high insurance premiums and, in many cases, will preclude claim payments.
When a breach occurs, the company that did not invest in a mature risk management program will discover that policy exclusions resulting from poor security controls render the insurance worthless. As a result, costs associated with customer notification, forensic investigation, legal defense and regulatory penalties/fines must be paid by the company. So, the funds that could have been devoted to improving the risk management program instead go towards addressing prior weaknesses.
To learn more about Gartner’s view on ORM and cyberinsurance, read our latest research on the topics including the Magic Quadrant for Operational Risk Management and Understanding When and How to Use Cyberinsurance Effectively at gartner.com.