
Product Brief

A Prudent Approach to Risk Management


Date: February 2011
Author: Jon Oltsik, Senior Principal Analyst

Abstract: Business and IT executives now realize that they need more comprehensive and continuous risk management programs, but many organizations don't have the appropriate processes, skills, or technology underpinnings to accomplish this goal. What should they do? This brief recommends a prudent approach to risk management that amalgamates organizational groups, phases in a formal risk management program over time, and anchors risk management with the right tools and technologies.

Overview
Over the past few years, ESG has noticed a distinctive trend: many large organizations are now eschewing reactive information security and regulatory compliance activities in favor of structured and documented risk management. In fact, many enterprises are moving away from external risk management services and establishing their own internal groups as an alternative. Why are so many companies bolstering their focus on risk management? In order to improve risk measurement accuracy, implement more granular policies, carefully measure controls, and strive for continuous improvement. Formal risk management can help accomplish these objectives while simultaneously lowering costs. Risk management initiatives are also being driven by a number of external factors such as:

- Rapid financial cycles. Since the dawn of the 21st century, the global economy has been a rollercoaster ride of booms and busts in industries such as technology, housing, financial services, and energy. Improved risk management can help large organizations cope with this ongoing volatility.

- Increasing government and industry regulations. In the past, many regulations were weak, poorly enforced, or focused on audits rather than tight controls and corporate governance. This situation, however, is changing rapidly. In health care, HIPAA has been reinforced with the HITECH Act of 2009. The checkbox orientation of the Federal Information Security Act of 2002 is being replaced by a focus on risk identification and reduction in FISMA 2.0. The Payment Card Industry Data Security Standard (PCI DSS) was recently enhanced and updated. ESG anticipates more rigid regulations in the future, especially in areas such as federal IT procurement, defense/intelligence, and critical infrastructure industries such as electric utilities, financial services, health care, and telecommunications.

- IT complexity. Many large organizations are consolidating data centers, deploying server virtualization, and developing new web applications. As more and more business processes are tied to centralized IT assets, the impact of a service interruption grows exponentially.

- The increasingly dangerous cyber threat landscape. Global cybercrime is now a multi-billion dollar, highly specialized industry that is very good at what it does. For example, security researchers estimate that a new piece of malware was introduced every 1.5 seconds in 2010. Some of these variants, like Stuxnet and Zeus, were especially virulent. Even the most hardened security professionals are frightened; little wonder, then, that ESG research found that a majority of IT professionals working at critical infrastructure organizations believe that the threat landscape is worse today than it was two to three years ago (see Figure 1). [1]

All of these trends lead to growing day-to-day risk areas such as capital, market, liquidity, and credit risks. This is driving CEOs and corporate boards to demand more focus on risk management throughout the organization.

[1] Source: ESG Research Report, Assessing Cyber Supply Chain Security Vulnerabilities Within the U.S. Critical Infrastructure, November 2010.

2011 Enterprise Strategy Group, Inc. All Rights Reserved.


Figure 1. IT Professionals Believe That the Threat Landscape Is Getting Worse

Survey question: How would you rate the current cyber security threat landscape compared to the threat landscape 24-36 months ago? (Percent of respondents, N=285)

- The threat landscape is much better today than it was 24-36 months ago: 2%
- The threat landscape is somewhat better today than it was 24-36 months ago: 6%
- The threat landscape is about the same today as it was 24-36 months ago: 20%
- The threat landscape is somewhat worse today than it was 24-36 months ago: 40%
- The threat landscape is much worse today than it was 24-36 months ago: 28%
- Don't know/no opinion: 4%

Source: Enterprise Strategy Group, 2010.

Large Organizations Must Overcome Risk Management Challenges


Clearly, there are many factors motivating large organizations to improve risk management across the enterprise. As companies begin these risk management efforts, however, they must overcome several common challenges including:

- Misaligned executive and operational risk management activities. When risk officers examine ongoing risk management activities, they often find two disparate camps. On the one hand, many risk management programs adhere to a top-down model at the executive level, focused on big picture business, compliance, or strategy risks. Other organizations focus on a bottom-up model and concentrate on hands-on day-to-day operational risk. While these two approaches do identify and track risks, they are rarely connected, which makes it difficult for executive management to understand whether they are focused on the right risks or how well the organization as a whole is doing with risk identification and mitigation.

- Immature risk management skills. In the past, many organizations hired third-party risk management experts and service providers to do scheduled assessments, but this is no longer enough. Yes, external risk management consultants can supplement employee skills, but they lack internal operations depth and specific business process knowledge. As a result, risk management recommendations are often based upon point-in-time assessments and don't align with strategic plans. To address this shortcoming, many firms want to build internal skills over time in order to marry risk management best practices with organizational business proficiency.

- Choosing the right risk management tools. Just as organizations have various disconnected risk management activities, they also tend to rely on a multitude of tools, from security systems and management frameworks to spreadsheets and PowerPoint presentations. Relying on these tools simply won't scale to support more rigorous enterprise risk management.



A Prudent Approach to Risk Management


Addressing the challenges described above can't be done overnight; large enterprises will need time to establish risk management people, processes, and technologies. In the meantime, business and operational risks continue to grow. This begs the question: How can large organizations build in-house risk management expertise over time while simultaneously addressing today's growing risks? To address these challenges and begin a formal risk management program, large organizations should (see Table 1):

- Unify top-down and bottom-up risk management organizations and processes. Aggregating these efforts is important as it helps align strategic risk management theories with real world operational data. Smart executives will merge these groups around a common risk register for risk documentation, regular risk reviews, documented processes, and standard risk metrics. By bringing these functions together, large organizations can improve risk identification and respond rapidly with the right controls.

- Start small and grow through phases. Risk management should begin with the basics like identifying and quantifying risks, monitoring controls, and capturing sound metrics. As organizations gain experience, they can move on to more advanced risk management processes and eventually adopt risk management practices that include the best aspects of industry standard models like COSO's Enterprise Risk Management (ERM), ISO 31000, or NIST-800 risk management. By growing through phases, large organizations can gain basic risk management know-how and develop a risk management program that synchronizes with business operations and objectives over time.

- Anchor enterprise efforts with real risk management tools. In today's risk climate, it is impossible to create a proper risk management program with a foundation of tactical point tools. It is worthwhile to invest in an enterprise-class risk management system providing risk management templates for simple and advanced projects, a centralized risk register to record and manage risk events, applications to capture key performance indicator (KPI) and key risk indicator (KRI) metrics, standard assessment templates, and centralized reporting. Leading tools will support established risk management models while allowing organizations flexible options so they can fine-tune risk management to meet corporate, industry, or regulatory needs.

Table 1. A Prudent Approach To Risk Management

Risk Management Challenge: Large organizations undertake disparate top-down and bottom-up risk management activities.
Recommendation: Unify top-down and bottom-up risk management through common organizations and processes.
Detail: Unify the two groups around a common risk register, risk reviews, documented processes, and risk metrics.

Risk Management Challenge: Immature risk management skills.
Recommendation: Start small and grow.
Detail: Begin with basic risk management templates that unite the organization and address the most important business and operational risks.

Risk Management Challenge: Risk management is often based upon tactical point tools, spreadsheets, and presentations.
Recommendation: Anchor risk management with an enterprise-class risk management system.
Detail: Look for a risk register repository along with risk assessment tools, KPI/KRI metrics, and centralized reporting. Risk management systems should also support industry-standard risk management models.



RSA Archer Risk Management


While many IT vendors use the term risk management to describe their products, most systems offer little more than a few templates or reports. One exception to this rule is RSA Archer and its Risk Management solution. RSA Archer Risk Management was designed as a unifying platform for all enterprise activities. As such, it supports basic and advanced risk management projects and provides a common risk register, applications, and reporting for both top-down and bottom-up risk management activities. Furthermore, RSA Archer offers elementary risk management templates combined with key attributes of standard risk management. In this way, large organizations can focus on risk management requirements as they develop the expertise for more formal risk management programs. With these characteristics, enterprises can establish RSA Archer as part of a foundation for consistent risk management improvement.

The Bigger Truth


Risk management is often viewed as a bit of a Catch-22: CEOs and other executives know that they need to improve their risk management activities, but they don't know where or how to start. As decisions languish, risk increases each day. ESG believes that its prudent approach toward risk management provides three simple steps that can help advance the risk management cause. Risk management must be an enterprise-wide function with common tools, skills, and processes, but large organizations should approach risk management in phases based on measurable goals and incremental improvement. In this way, they can begin immediately, address their most important risks, and improve and integrate these risk management processes into the organization's overarching enterprise governance, risk, and compliance programs.

All trademark names are property of their respective companies. Information contained in this publication has been obtained by sources The Enterprise Strategy Group (ESG) considers to be reliable but is not warranted by ESG. This publication may contain opinions of ESG, which are subject to change from time to time. This publication is copyrighted by The Enterprise Strategy Group, Inc. Any reproduction or redistribution of this publication, in whole or in part, whether in hard-copy format, electronically, or otherwise to persons not authorized to receive it, without the express consent of the Enterprise Strategy Group, Inc., is in violation of U.S. copyright law and will be subject to an action for civil damages and, if applicable, criminal prosecution. Should you have any questions, please contact ESG Client Relations at (508) 482-0188.

