Gartner: Coronavirus Exposes Outdated Risk Management Practices

Enterprise governance, risk, and compliance (GRC) programs are designed, in important part, to ensure that companies stay on track and manage risk and uncertainty. Many organizations, because of the COVID-19 pandemic, are now finding out whether their risk management and cybersecurity plans work as intended.


In many ways, the move to the cloud over the past decade and the rush to digitally transform their organizations left businesses better prepared for this rapid shift to remote work than they had ever been. Of course, that alone won’t have been enough to be ready for the economic shutdown, shelter-in-place orders, and social distancing. That’s where risk management comes in, or should come in, to help guide organizations forward.

In a recent statement, Gartner argues that many organizations don’t have the right risk management practices in place to manage their way through the pandemic. If true, that’s unfortunate, as the entire point of GRC efforts is to help guide an organization through any situation.

According to Gartner’s research, 87% of audit departments report that their organization relies on three lines of defense for risk governance. The first line of defense is business line management (which will, in theory, spot risks and put controls in place). The second line is legal, compliance, and enterprise risk management, and the third line is the internal audit department, which comprehensively reviews overall control and risk management effectiveness.

Gartner contends that the older, so-called “Three Lines of Defense” model of risk governance doesn’t work well in a rapidly moving risk environment such as the current pandemic.

“Traditional approaches fail because they can’t effectively deal with fast-moving and interconnected risks. Pandemic is a rapidly developing type of risk that needs a dynamic risk governance (DRG) set-up,” said Malcolm Murray, an analyst for Gartner’s audit and risk practice.

Gartner recently surveyed 200 organizations and examined whether traditional or dynamic risk governance proved better at governing risk. The survey found that the presence of each of the three pillars of DRG increased high-quality risk management behaviors:

Risk-tailored governance (18% increase)

The governance model should depend on the risk’s speed, the organization’s risk tolerance, and internal constraints, rather than relying on a one-size-fits-all level of scrutiny such as centralized oversight for all risks or models based on industry norms. Corporate leaders should have the final say here, because the governance model should be determined by the company’s strategy. A benefit of placing this authority with senior management rather than with the board and the assurance functions is more rapid response: these top executives can take faster action.

Activity-based risk governance (22% increase)

This means dispensing with the idea that only the first line owns all risk activities, and assigning accountability for risk management tasks without regard for the borders between the first, second, and third lines. Senior management – not the assurance functions – should determine who will decide the task owners for a particular risk. For some risks, it will not matter which exact function is accountable for each activity, as long as specific accountability is assigned.

Digital-first risk governance (18% increase)

This means considering digital solutions while the governance framework for the risk is being created, not as an afterthought. For instance, if large parts of the risk management work can be automated, then fewer functions need to be involved.

I’m not surprised by these findings. I’m familiar with the concept of dynamic risk management as it pertains to stock portfolio management: as risk changes – whether geopolitical, economic, or market volatility – risk assets are adjusted to mitigate potential losses.

With dynamic risk governance, enterprises can adjust their risk posture more proactively: because the strategy is determined in advance, executives and line-of-business managers can respond rapidly. The more digitized these processes are, the more swiftly those managers can get information and the more informed their responses will be.

“This isn’t just about risk managers, this is about the board of directors and senior management making risk governance a key consideration so that organizations become more resilient against fast-emerging risks, such as coronavirus,” Murray said. “The DRG methodology applies equally to the many fast-emerging risks presented by digitalization.”

I agree, and in the weeks and months ahead I expect to hear quite a bit about how different organizations’ governance, risk, and compliance efforts served them well — or, unfortunately for some, not so well.

*** This is a Security Bloggers Network syndicated blog from Business Insights In Virtualization and Cloud Security authored by George V. Hulme. Read the original post at: