As Integrated Risk Management Initiatives Mature, Business Patterns and Models Which Capture Compelling Metrics and Demonstrate Business Impact Are Emerging
Many organizations are grappling with how best to use their knowledge of risk to optimize business investments and performance. Cyber-attacks, insider threats, monetary fraud, and data breaches affecting some of the world’s most renowned organizations make headlines every day. At the same time, the worst economic downturn since the 1930s has focused intense scrutiny on inadequate risk management and governance practices.
In the past, organizations had two options to address this complex, interlocking problem. The first involved hiring a legion of staffers to tackle governance and security risks using a silo-based approach, often leveraging antiquated tools such as spreadsheets to document their findings. The other was to implement Governance, Risk, and Compliance (GRC) processes using outside consultants and traditional GRC solutions that require high levels of customization.
A recent white paper written by global advisory firm Enterprise Strategy Group (ESG) entitled, “Beyond GRC: SRM and the Move to Integrated Risk Management” found that a majority of respondents view the traditional mix of GRC systems as inflexible, slow, and incapable of delivering on the promise of automating governance and security risk management processes. In fact, a whopping 78 percent of the enterprises surveyed are in the process or planning to replace them with advanced Integrated Risk Management (IRM) platforms in order to increase operational efficiency and audit accuracy, streamline remediation, gain improved visibility into enterprise risk posture, and ultimately make better investment decisions. What’s going on?
The bitter truth is that one can schedule an audit, but one cannot schedule a cyber-attack. In light of this fact, many organizations have concluded that to gain insight into their risk posture, they must go beyond assessing compliance by taking threats and vulnerabilities, as well as business impact, into account. Only a combination of these three factors assures a holistic view of risk.
Compliance posture is typically not tied to the business criticality of assets. Instead, compensating controls are applied generically and tested accordingly. Without a clear understanding of the business criticality an asset represents, an organization cannot prioritize its remediation efforts. A risk-driven approach addresses both security posture and business impact to increase operational efficiency, improve assessment accuracy, reduce attack surfaces, and improve investment decision-making.
Based on these benefits, organizations have started to transition from a core compliance-driven approach, in which a check-box mentality implements only the minimum requirements of their governance risk mandates, to a risk-based approach that streamlines governance processes, continuously monitors compliance and security posture, and correlates both to business criticality. In doing so, businesses are moving to a closed-loop process that encompasses the definition, evaluation, remediation, and analysis of an organization’s risk posture on an ongoing basis.
As mentioned earlier, risk is influenced by three key factors: compliance posture, threats and vulnerabilities, and business impact. As a result, it is essential to aggregate critical intelligence about risk and compliance postures with current, new, and emerging threat information to calculate impacts on business operations and prioritize remediation actions.
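One way to make the three-factor model concrete, as an added example that is not from the ESG paper or any IRM product: a scoring function that weights each asset's compliance gap and vulnerability exposure by its business criticality, then compares the resulting remediation order with the check-box, compliance-only order. The asset names, control counts, CVSS values and the weighting scheme are constructed assumptions.

```python
"""Risk-driven remediation prioritisation (added illustration of the
three-factor model: compliance posture, threats/vulnerabilities, business
impact). All assets, scores and weights below are constructed sample data."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Asset:
    name: str
    criticality: int      # business impact, 1 (low) .. 5 (mission critical)
    failed_controls: int  # compliance posture: control tests that failed
    total_controls: int   # control tests performed against this asset
    open_vulns: int       # threats/vulnerabilities: open findings
    max_cvss: float       # severity of the worst open finding, 0.0 .. 10.0


def compliance_gap(a: Asset) -> float:
    """Share of tested controls that failed (0.0 = fully compliant)."""
    return a.failed_controls / a.total_controls if a.total_controls else 0.0


def exposure(a: Asset) -> float:
    """Threat/vulnerability exposure normalised to 0.0 .. 1.0 (assumed model)."""
    return a.max_cvss / 10.0 if a.open_vulns else 0.0


def risk_score(a: Asset) -> float:
    """Integrated score: business criticality weights the control gap plus
    exposure, so a compliant asset with no open findings scores 0 regardless
    of how critical it is."""
    return a.criticality * (compliance_gap(a) + exposure(a))


def compliance_order(assets):
    """Check-box view: worst compliance gap first, business impact ignored."""
    return [a.name for a in sorted(assets, key=compliance_gap, reverse=True)]


def risk_order(assets):
    """Risk-driven view: highest integrated risk score first."""
    return [a.name for a in sorted(assets, key=risk_score, reverse=True)]


SAMPLE = [  # constructed sample inventory
    Asset("dev-wiki", 1, failed_controls=6, total_controls=10, open_vulns=2, max_cvss=5.0),
    Asset("payments-db", 5, failed_controls=1, total_controls=10, open_vulns=1, max_cvss=9.8),
    Asset("hr-portal", 3, failed_controls=3, total_controls=10, open_vulns=0, max_cvss=0.0),
]
```

With this inventory the compliance-only order puts the low-value dev wiki first, while the risk-driven order puts the nearly compliant but mission-critical payments database at the top because of its single critical finding.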
To gain an integrated view of risk, organizations are starting to leverage Integrated Risk Management solutions. These are designed to harmonize multiple frameworks and marry top-down risk modeling for enterprise domains and regulatory audit compliance (Governance Risk Management) with bottom-up controls automation for closed-loop threat, vulnerability, and incident remediation (Security Risk Management).
Governance Risk Management (GRM) supports oversight functions that typically bring information together for IT and non-IT leadership to support decision making. Typical use cases include enterprise risk management, outsourced risk management, policy management, and business continuity management. Security Risk Management (SRM), meanwhile, supports information security operations through a closed-loop, automated data process that drives intelligence gathering, business unit criticality assessment, and IT operations remediation. Example use cases are threat and vulnerability management, continuous monitoring, IT compliance, and incident management.
According to ESG, organizations are moving beyond traditional GRC framework toolkits and deploying modern commercial Integrated Risk Management products that provide the following benefits:
• Single, context-aware platform that manages both governance and security risks.
• Higher scalability as it relates to users, data, processes, and multi-geographic availability.
• More flexibility as it relates to customization, context-awareness, and expandability.
• Faster time-to-value.
• Lower total cost of ownership.
While companies are placing big bets on Integrated Risk Management, the payoff has so far been difficult to measure. Because early deployments were largely ad hoc, organizations have long struggled to quantify the impact of Integrated Risk Management. However, as risk management technologies become increasingly pervasive and early pilots mature into enterprise-wide deployments, this is changing. The gut feeling that “we need to do this to optimize investment and streamline operational efficiency” is giving way to a growing body of evidence that measurable business value can be achieved from Integrated Risk Management investments. More importantly, as Integrated Risk Management initiatives mature, business patterns and models which capture compelling metrics and demonstrate business impact are emerging.
Companies can overcome their governance and security risk management challenges by implementing an Integrated Risk Management approach, which can substantially reduce the time needed to review policy controls and produce risk profiles. The payback has the potential to be millions of dollars in overhead savings, as well as increased credibility with management, regulators, and board members.