Risk management is undergoing major changes in process and technology, Gartner Research Director Khushbu Pratap told the 2020 FAIR Conference, and risk and security leaders need to recognize and get out ahead of the key drivers at work.
The good news for FAIR practitioners: “business outcomes must drive security,” Pratap said, and risk analysis that’s aligned with the business will increasingly be in demand, particularly risk quantification.
Watch the video: Closing Keynote: Drivers for IRM, Digital Transformation & Cost Optimization, with Khushbu Pratap, Gartner Research Director. FAIR Institute membership required – join the FAIR Institute now.
Risk Teams and Senior Management – Still a Disconnect
Pratap presented results of Gartner customer surveys that showed some serious communication gaps between risk teams and business management.
“Most business leaders do not have a lot of clarity on risk analytics at a business unit level. They do not know who’s accountable for creating those analytics and they do not necessarily know also how to set risk tolerance levels for their business unit,” she said, adding “37% said they had no visibility on the day-to-day risks they were accepting and the day-to-day risks coming up.” Another basic disconnect: While risk managers surveyed typically said their organizations were structured around the three lines of defense, that wasn’t known to most business leaders.
Positive Signs: Business Management Is Looking for “Defensible” Risk Analysis – and Open to Spending on IT Risk Management
In surveys, business leadership wasn’t much interested in quantification per se. “Business leaders are more interested in defensible decisions and assurance leaders need to report something defensible to them” – which is, of course, what FAIR quantitative analysis delivers. More good news: Gartner customer surveys find risk and compliance solutions leading the list of planned technology purchases for the next 18 months.
Best news: Senior management is all ears for security and risk teams. “You can get to them immediately because everyone is now in the pseudo panic mode…Whatever is going wrong they are all yours to know about it and all yours to act on it…You might call it a crisis to start, but we are going to get used to the access that we have with senior executives.”
The Future of Risk Management and Risk Management Solutions
Pratap said that risk and security managers should see themselves on an upward evolutionary path along the lines of the chart below – starting from a focus on controls and moving to a focus on business outcomes, with risk analysis getting ever closer to decision-making, eventually in real time.
That requires a risk quantification solution built on a model that is applied mathematically, expresses risk as ranges rather than point estimates, and is backed by a loss events database.
She further predicted that risk management solutions will:
- Automate risk analysis
- Be decision support engines – no longer just systems of record. “Programs should be able to serve up risk treatment options.”
- Move at the speed of business. “Decision windows are going to collapse to less than half the time that you are seeing right now.”
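To make concrete what a model “applied mathematically, expressing risk in ranges” looks like, and what “serving up risk treatment options” could mean in practice, here is an added example in Python; it is not code from the talk, from Gartner or from the FAIR Institute. It samples loss event frequency (LEF) and loss magnitude (LM) from min/most-likely/max PERT ranges, runs a Monte Carlo over one year, reports annual loss as percentiles rather than a single number, and ranks treatment options by net annual benefit. The scenario, the option names, their effect on the ranges and their costs are all constructed for illustration; in a real program those ranges would come from the loss events database the talk mentions.

```python
# FAIR-style Monte Carlo risk quantification: risk expressed as a range, not a
# point estimate, with treatment options ranked by their effect on that range.
# Added example; every scenario figure below is constructed for illustration.
import math
import random
import statistics


def pert_params(low, mode, high, lam=4.0):
    """Shape parameters (alpha, beta) of the beta distribution behind a
    modified PERT with minimum `low`, most likely `mode` and maximum `high`."""
    if not low <= mode <= high or high == low:
        raise ValueError("need low <= mode <= high and high > low")
    span = high - low
    return 1.0 + lam * (mode - low) / span, 1.0 + lam * (high - mode) / span


def sample_pert(rng, low, mode, high, lam=4.0):
    """Draw one value from PERT(low, mode, high); the result stays in [low, high]."""
    alpha, beta = pert_params(low, mode, high, lam)
    return low + (high - low) * rng.betavariate(alpha, beta)


def sample_poisson(rng, rate):
    """Number of loss events in one year for an annual rate (Knuth's method,
    adequate for the small rates that appear in risk scenarios)."""
    if rate <= 0:
        return 0
    limit, k, p = math.exp(-rate), 0, 1.0
    while True:
        k += 1
        p *= rng.random()
        if p <= limit:
            return k - 1


def simulate_annual_loss(scenario, trials=10_000, seed=1):
    """Monte Carlo over one year: sample LEF (events/year), draw that many
    events, sample an LM per event, and summarise the resulting annual loss
    distribution as percentiles instead of one number."""
    rng = random.Random(seed)
    losses = []
    for _ in range(trials):
        lef = sample_pert(rng, *scenario["lef"])
        events = sample_poisson(rng, lef)
        losses.append(sum(sample_pert(rng, *scenario["lm"]) for _ in range(events)))
    losses.sort()

    def pct(p):
        return losses[min(len(losses) - 1, int(p * len(losses)))]

    return {"mean": statistics.fmean(losses), "p10": pct(0.10),
            "p50": pct(0.50), "p90": pct(0.90), "max": losses[-1]}


def rank_treatments(baseline, treatments, trials=10_000, seed=1):
    """Serve up treatment options: re-run the model with each control's
    assumed effect on LEF/LM and rank by net annual benefit (reduction in
    mean annual loss minus the control's annual cost)."""
    base = simulate_annual_loss(baseline, trials, seed)
    ranked = []
    for name, scenario in treatments.items():
        result = simulate_annual_loss(scenario, trials, seed)
        reduction = base["mean"] - result["mean"]
        ranked.append({"option": name, "mean_loss": result["mean"],
                       "p90_loss": result["p90"], "reduction": reduction,
                       "net_benefit": reduction - scenario["annual_cost"]})
    ranked.sort(key=lambda r: r["net_benefit"], reverse=True)
    return base, ranked


# Constructed scenario: credential phishing against a finance team. Each range
# is (min, most likely, max); LEF in events/year, LM in USD per event.
BASELINE = {"lef": (0.5, 2.0, 6.0), "lm": (10_000, 60_000, 500_000), "annual_cost": 0}
TREATMENTS = {  # hypothetical controls and their assumed effect on the ranges
    "phishing-resistant MFA": {"lef": (0.1, 0.4, 1.5),
                               "lm": (10_000, 60_000, 500_000), "annual_cost": 40_000},
    "faster detection/response": {"lef": (0.5, 2.0, 6.0),
                                  "lm": (5_000, 25_000, 150_000), "annual_cost": 90_000},
}

if __name__ == "__main__":
    base, ranked = rank_treatments(BASELINE, TREATMENTS)
    print(f"baseline annual loss: p10 {base['p10']:,.0f}  p50 {base['p50']:,.0f}  "
          f"p90 {base['p90']:,.0f}  mean {base['mean']:,.0f}")
    for r in ranked:
        print(f"{r['option']:<28} mean {r['mean_loss']:>10,.0f}  "
              f"p90 {r['p90_loss']:>10,.0f}  net benefit {r['net_benefit']:>10,.0f}")
```

The point a reader should take from the output is the shape of it: the decision-maker sees a p10/p50/p90 band for the baseline and for each option, not a single score, and the options arrive already ranked by what they buy down per dollar of control spend. Replacing the constructed PERT ranges with calibrated estimates drawn from an actual loss events database is the part of the work the talk says will increasingly be automated.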
Khushbu Pratap had many more insights: Watch her session from FAIRCON2020: Closing Keynote: Drivers for IRM, Digital Transformation & Cost Optimization. FAIR Institute membership required – join the FAIR Institute now.