Gartner Reprint Page 1 of 9

(https://www.gartner.com/home) LICENSED FOR DISTRIBUTION

Top 10 Factors for Integrated Risk Management Success


Published: 28 March 2017 ID: G00318003
Analyst(s): John A. Wheeler

Summary
Risk management programs mitigate the impact of uncertainty on business performance.
Gartner recommends that security and risk management leaders focus on 10 success
factors when adopting an integrated risk management approach to build and sustain their
program.

Overview
Key Challenges
To assess and mitigate the widening array of risks within an organization, security and
risk management leaders need the right framework.

Security and risk management leaders also need the right metrics to make better
business decisions by linking risk and performance.

To support the management of strategic, operational and IT risk across the entire
organization, security and risk management leaders need the right systems.

Recommendations
When implementing an integrated approach for a risk management program:

Reference framework standards and Gartner research to leverage best practices for
developing an effective framework that is unique to your organization's risk profile.

Use Gartner's definition of integrated risk management (IRM) solutions and pace-layering
methodology to design, implement and integrate risk management systems.

Identify how risk influences the behavior and ability of individuals to achieve the
organization's goals.

Strategic Planning Assumption
By 2021, more than 50% of large enterprises will use an IRM solution set to provide better
decision-making capabilities, up from approximately 30% today.

https://www.gartner.com/doc/reprints?id=1-415QDFY&ct=170525&st=sb 16/06/2017

Introduction
With ongoing regulatory and business uncertainty, enterprises are searching for ways to
improve their risk management programs. According to a recent survey of more than 800
audit committee and board members conducted by KPMG, the top challenge the company
faces is the effectiveness of the risk management program. Yet, 42% of survey
respondents report that their risk management program and processes still require
"substantial work."[1] KPMG notes that the board members surveyed are increasingly
focused on "key operational risks across the extended global organization — e.g., supply
chain and outsourcing risks, information technology (IT) and data security risks, etc." To
manage the diversity of these extended risks, organizations require an integrated
approach to risk management.

When crafting this new integrated approach, companies may look to employ a variety of
different risk management methods. Some companies may look to utilize a "top-down"
approach that will link their strategic planning efforts to the company's broader
operational risk profile. Others may choose to focus on developing a "bottom-up"
approach that is supported by processes and data in individual segments of the business.
However, just as any building requires a solid foundation and a strong infrastructure,
effective risk oversight requires an integrated view that combines top-down and bottom-up
approaches. This research explores the top 10 factors that Gartner views as critical to the
success of an integrated risk management program.

Gartner defines IRM as a set of practices and processes supported by a risk-aware culture
and enabling technologies that improve decision making and performance through an
integrated view of how well an organization manages its unique set of risks. Using
Gartner's three dimensions of IRM — framework, metrics and systems (see Figure 1) — you
can increase the maturity of your risk management disciplines to mitigate the digital
business risks of the future.
Figure 1. Gartner's Three Dimensions of IRM


Source: Gartner (March 2017)

Analysis
Over the past decade, companies have invested great amounts of money, time and
resources in a variety of risk management initiatives. Much of that investment has been
focused in specific areas, depending on a company's most pressing need at the time.
Perhaps the company must comply with a particular compliance mandate, such as the
Sarbanes-Oxley Act of 2002, or remediate a given control weakness due to a major data
breach or IT security failure. Now, this patchwork of risk management solutions lacks the
ability to provide a comprehensive understanding of a company's risk profile, and more
importantly, it prevents organizational leaders from making informed business decisions.

In April 2015, Gartner published survey results of senior business leaders and CEOs
regarding their perceptions of the key business issues facing their organizations.[2] A major
finding centered on the fact that the digital world is creating new and higher levels of risk
to their firms, and risk management programs are not keeping up (see Figure 2). Also, with
the increasing focus on digital transformation to extend into new markets to exploit
growth opportunities, CEOs are concerned about the need for agility in their risk
management practices. Security and risk management leaders can no longer be viewed as
an impediment to innovation through highly fragmented and disjointed approaches to
mitigating digital risk.


Figure 2. CEO Level of Agreement on Risk-Related Issues

Source: Gartner (March 2017)

To create a truly effective risk management program, companies must focus on
developing an integrated framework across a widening array of strategic, operational and
IT risks (see "Definition: Integrated Risk Management Solutions"). In addition, an
integrated set of metrics is required to link the expanding portfolio of assets, processes
and performance objectives that drive the business operations of the organization.
Ultimately, companies will also need a set of enabling systems to streamline and
coordinate risk management activities across the enterprise. The glue that binds together
these three dimensions of IRM — framework, metrics and systems — is Gartner's set of top 10
factors for IRM success (see Figure 3).
Figure 3. Top 10 Factors for IRM Success


Source: Gartner (March 2017)

Reference Framework Standards and Gartner Research to Leverage Best Practices for
Developing an Effective Framework That Is Unique to Your Organization's Risk Profile
Successful organizations look to security and risk management leaders to design a
framework that seamlessly ties together risks at a strategic, operational and IT level. The
framework will include policies, processes and organizational structures unique to each
enterprise. However, to leverage best practices for designing an effective framework,
security and risk management leaders should look to Gartner research (see "Best
Practices in Implementing the NIST Cybersecurity Framework" ) as well as framework
standards such as:

International Organization for Standardization (ISO) 22317

ISO 31000

Committee of Sponsoring Organizations of the Treadway Commission (COSO)
Enterprise Risk Management (ERM) Framework

COBIT

National Institute of Standards and Technology (NIST) Cybersecurity Framework


To guide the development of a framework that is effective and unique to your
organization's risk profile, security and risk management leaders must seek the answers
to the following questions related to each factor:

1. Risk Appetite:

How much risk are we willing to accept to achieve our strategic goals?

2. Risk Assessment:

What is our current level of inherent and residual risk related to our strategic
goals?

How are residual risks and control effectiveness monitored?

How is the need for and effectiveness of remediation determined and assessed?

3. Risk Aggregation:

How do we view our risks in relation to our strategic goals?

How do we understand and articulate our total risk exposure in relation to a given
strategic objective?

Use Gartner's Definition of IRM Solutions and Pace-Layering Methodology to Design,
Implement and Integrate Risk Management Systems
While technology is often viewed as a panacea for risk management challenges, it is most
useful and cost-effective when deployed as an enabler of a well-defined program. Too
often, companies will overengineer the supporting risk management processes based on a
particular IRM solution, resulting in greater bureaucracy and wasted investment. Using
Gartner's definition of IRM solutions and pace-layering methodology (see "How to Use
Pace Layering to Build an Integrated Risk Management Solution Strategy" ), security and
risk management leaders can identify and implement the right systems to address the
following questions:

4. Risk Analytics:

How do our key risk indicators impact our key performance indicators?

How can we model risk events that will have a material impact on our business
operations?

What risk tolerance limits are required to maintain our stated risk appetite?

5. Risk Applications:

What technology is required to enable collaboration and communication of risk- and
compliance-related information to support business performance and decision making?

What technology enables the automation of risk management processes and reporting?

What technology enables automation of controls and risk monitoring?

6. Risk Architecture:

Are risk management projects and initiatives aligned with governance objectives?

How are automated and manual controls, risk monitoring processes, and risk
reporting incorporated into enterprise architecture?

7. Risk Assurance:

What policies, processes and controls are required to meet strategic objectives, as
well as legal and regulatory mandates?

How do we know that the risk management program is effective and remains
aligned with business objectives?

Are the risk controls functioning consistently over time?

Do these controls need to be revised or redesigned based on a changing risk
landscape?

Identify How Risk Influences the Behavior and Ability of Individuals to Achieve the
Organization's Goals
Without a full understanding of the implications of how risks impact the performance of
business units and individuals in meeting their goals, the entire company will have
difficulty meeting its long-term strategic objectives. Companies must explicitly identify
how risk influences the behavior and ability of individuals in achieving their goals. Gartner
developed its business risk model to help companies define leading risk indicators as a
way to focus efforts on high-value activities (see "The Gartner Business Risk Model: A
Framework for Integrating Risk and Performance" ). This model provides a mechanism for
companies to answer the following questions:

8. Risk Accountability:

How do we reinforce the ownership of risk and control within the enterprise?

9. Risk Action:

How can we ensure that employees act in the best interests of the company and
within established risk tolerances?

10. Risk Achievement:

What risk metrics are required, and how are they linked to performance metrics, to
ensure the desired business outcome?

How can we quantify the amount of risk, its impact on business operations and the
successful mitigation to bring the risk within the organization's appetite?

Evidence
[1] "Is Everything Under Control? — Audit Committee Challenges and Priorities."
(https://home.kpmg.com/content/dam/kpmg/xx/pdf/2017/01/2017-global-audit-committee-pulse-survey-global-non-interactive.pdf)
2017 Global Audit Committee Pulse Survey, KPMG Audit Committee Institute.

[2] "2015 CEO Survey: Committing to Digital"
(https://www.gartner.com/document/code/274031?ref=grbody&refval=3210020)

© 2017 Gartner, Inc. and/or its affiliates. All rights reserved. Gartner is a registered trademark of
Gartner, Inc. or its affiliates. This publication may not be reproduced or distributed in any form without
Gartner's prior written permission. If you are authorized to access this publication, your use of it is
subject to the Usage Guidelines for Gartner Services
(/technology/about/policies/usage_guidelines.jsp) posted on gartner.com. The information
contained in this publication has been obtained from sources believed to be reliable. Gartner disclaims
all warranties as to the accuracy, completeness or adequacy of such information and shall have no
liability for errors, omissions or inadequacies in such information. This publication consists of the
opinions of Gartner's research organization and should not be construed as statements of fact. The
opinions expressed herein are subject to change without notice. Gartner provides information
technology research and advisory services to a wide range of technology consumers, manufacturers
and sellers, and may have client relationships with, and derive revenues from, companies discussed
herein. Although Gartner research may include a discussion of related legal issues, Gartner does not
provide legal advice or services and its research should not be construed or used as such. Gartner is a
public company, and its shareholders may include firms and funds that have financial interests in
entities covered in Gartner research. Gartner's Board of Directors may include senior managers of these
firms or funds. Gartner research is produced independently by its research organization without input or
influence from these firms, funds or their managers. For further information on the independence and
integrity of Gartner research, see "Guiding Principles on Independence and Objectivity"
(/technology/about/ombudsman/omb_guide2.jsp).
