Gartner Blog Network

Please Stop Asking Me for a List of Your Top Risks (aka, Everyone Wants a Pony)

by Paul Proctor  |  October 15, 2013  |  1 Comment

There is no list of risks that is relevant to every organization, but there is a list of risks that is relevant to you.

I always get the question “what are my top risks?” This comes in different flavors like top BYOD risks, top risks in my industry, cloud, social media, data security, etc. but it all amounts to me handing out a simple answer to a question that does not have a simple answer.

I understand why you ask. It would be nice to have a third party confirm the “most important” risks so you have a starting point and a basis around a standard of due care, all of which aids in defensibility. The problem is, I can give you a list of high-level things that you should be worried about, but I haven’t delivered anything of value. Trust me, our clients sense lack of value before I’m even done answering the question.

I’m in a tough situation here (cue the violins). One of the most horrible things I can say to a client is “you’re asking the wrong question.” But you are. No one can tell you your risks, because each organization is unique. This is NOT a cop-out by me! Asking the question is a cop-out by YOU! You want me to tell you, so you don’t have to do the work to understand your organization. There, I said it.

It all comes back to why we do risk management. Good risk management should influence better business decision making. If it doesn’t, why are you bothering? A generic list of risks, disconnected from your organization, will not influence anything.

How to determine your list of top risks:

Start by identifying your desired business outcomes and the supporting business processes. Then identify supporting operational dependencies and risks that may impact the dependent business processes. Use a formal process and engage business stakeholders because they will better understand impacts on desired business outcomes. The most likely risks with the most impact on desired business outcomes are your top risks. There. Simple.

Example: Saying that sensitive information on a mobile device is a top risk is devoid of value until you integrate it with the business processes that involve both mobile and sensitive information. For a hospital that deploys mobile devices with protected health information to manage patient care in select departments, this is an example of a top risk for the organization.

One way to look at this is that your top risk is that you have no way to identify your top risks.

Here’s the bottom line: I can teach you how to find a pony, but everyone wants me to just give them a pony. When I show clients a picture of a pony, they get upset because they already found that picture on the internet. Plus they already drew a picture of one that wasn’t half bad.


I get it, everyone wants a pony, but this is just one you’re going to have to find on your own.

Follow me on Twitter (@peproctor)


Paul Proctor
VP Distinguished Analyst
10 years at Gartner
28 years IT Industry

Paul Proctor is a vice president, distinguished analyst, and the chief of research for security and risk management. He helps organizations build mature risk and security programs that are aligned with business need.

Thoughts on Please Stop Asking Me for a List of Your Top Risks (aka, Everyone Wants a Pony)

  1. Alan Proctor says:

    Wholeheartedly agree, but, then again, without first estimating annual losses to defined assets from likely (frequent) threats, “risks” are just what the security hardware/software vendors are currently clamoring. Never spend a dollar to protect a dime.
