Security Think Tank: Consider risk holistically, not just from an IT angle

How can security professionals help their organisations move from traditional governance, risk and compliance to integrated risk management that integrates risk activities from across an organisation to enable better strategic decision making?

Integrated risk management aims to move from a siloed approach – separate handling of supply chain, corporate compliance and business continuity risks, for example – to an enterprise-wide approach that focuses on how all these different risks affect the operational risk to the business, and then manages them at an enterprise level.

This approach gives a much better view of risk to the enterprise, helping to identify gaps in risk coverage, and allows for common mitigation strategies that can help reduce costs and increase efficiency by focusing on the operational risk.

The traditional approach of separate, siloed risk management can lead to tick-box compliance at one extreme (being compliant, but with none of the benefits compliance should bring) and to risk avoidance at the other (doing everything possible to remove all risk, with no regard for the business's operational needs).

Integrating all these different aspects of risk into a single framework therefore gives a better view of the overall operational risk to the business and allows the development of mitigation strategies that work for the business as a whole.

The focus on compliance at all costs can be a particular problem where there are strong financial pressures, and in heavily regulated industries such as nuclear and defence, where compliance with customer-imposed security policies is a prerequisite to doing business. These factors can lead to locked down systems and onerous procedural solutions to minimise cost where other solutions may be more cost-effective overall.

Security professionals have a key role to play in moving to an integrated risk management approach. First, they should consider IT risks and mitigations in the context of the enterprise rather than purely in the context of IT. Second, they should help bring together IT risk and related risks – such as the IT security contribution to business continuity management and General Data Protection Regulation compliance – into a central integrated risk management strategy.

The need for integrated risk management is brought into sharp focus by a changing business environment that relies more on internet and cloud services to deliver and enable business, and by the need for a more open, sharing approach with customers and suppliers, all of which bring their own security challenges.

These challenges must be addressed while realising the expected business benefits from the transition to integrated risk management. To achieve this, IT professionals and other risk owners must have, or gain, an understanding of the business drivers so they can see the risks in the right context and make appropriate risk mitigation trade-offs, rather than focusing solely on their own area while creating new risks elsewhere.

Setting up an integrated risk management approach for an enterprise is not trivial and will result in new processes and procedures, which in most cases will need some level of tool support.

IT and IT security therefore have a central part to play in moving from traditional risk governance to integrated risk management, but as is often the case, leadership needs to come from the centre if the process is to be successful.

What’s the difference between GRC and IRM though? I don’t see one. It just seems like a ploy for Gartner to buy more market share and collect more billables. Even if you look at their magic quadrant, the companies have remained the same throughout the switch. Has something changed in the technology? No. Is there even really a major discrepancy in the definitions of GRC and IRM? No. This is just stupid and is a cheap money-making scheme that offers no real unique value.
Our IT systems are inherently vulnerable. We create the vulnerabilities and build them in. We depend on passwords and credentials that are hard to break or guess, but easy to steal. The threat surface and primary threat vector has the majority of risk associated with the user, not the technology. The attackers are easily able to leverage the user to turn the technology against us. 