Gartner, the influential technology consulting firm, has named “risk quantification and analytics” to its list of “critical capabilities” for integrated risk management (IRM), the latest endorsement for a FAIR-style approach to managing cyber risk based on financial analysis.
The background: Gartner had been an advocate of what’s become the standard approach to cyber risk management, Governance, Risk and Compliance (GRC). The GRC movement took off in the early 2000s, as big companies looked to comply with the requirements of the Sarbanes-Oxley Act of 2002, then spread to other compliance initiatives, such as enforcing cybersecurity frameworks. Risk register software automated GRC tracking.
But GRC had a downside: As Jack Jones, creator of the FAIR model for operational and cyber risk quantification, warned in an eBook, An Executive's Guide to Cyber Risk Economics, “you can be compliant and still be in the dark” regarding your real risk exposure if you’re just checking off boxes on a list of requirements. The logical flaw, Jack wrote, is in thinking that more boxes checked equals less risk. In fact, this “maturity” approach doesn’t support the prioritization or cost-benefit analyses that risk managers should be able to present to decision-makers.
Gartner came to the same conclusion in late 2016 and announced it was shifting focus from GRC to IRM, “a set of practices and processes supported by a risk-aware culture and enabling technologies, that improves decision making and performance through an integrated view of how well an organization manages its unique set of risks,” as analyst John A. Wheeler wrote in announcing the switch.
The IRM movement is spreading, Gartner says. Wheeler wrote earlier this year that “we see 2018 as a defining moment for the IRM solutions market.” Thirty per cent of large enterprises now use IRM solutions, according to the research firm, heading toward 50 per cent by 2021.
Gartner identified six elements of IRM (Strategy, Assessment, Response, Communication/Reporting, Monitoring, Technology) necessary for a “comprehensive view” of risk across functions, from digital operations to vendor management, business continuity management, audit, corporate compliance, and legal.
Gartner named four critical capabilities to fulfill IRM: incident management, risk mitigation action planning, risk and control documentation and assessment, and leading risk indicators monitoring and reporting.
And now Gartner has added “risk quantification and analytics” to the critical capabilities. It’s a recognition that quantification, or assessing cyber risk in the same financial terms that all business units operate on, is necessary to a truly integrated approach to risk.
Gartner is the latest heavyweight in the world of risk management to recognize the revolution in thinking about risk. This year, the US Securities and Exchange Commission (SEC) used language that followed FAIR cyber risk quantification principles to tell public companies to proactively disclose their cyber risks, and the government's Office of Management and Budget (OMB) announced it would institute a “risk-based budgeting process” for federal agencies later in the year. And, in our own best indicator of change in the risk profession, membership in the FAIR Institute, the leading professional group for information-sharing on risk quantification, recently passed the 3,000 mark.