- Developing a "risk-aware" culture means deciphering the difference between digital business risk and cyber risk, said John Wheeler, senior director analyst at Gartner, while speaking at the FAIR Conference in National Harbor, Maryland Wednesday.
- From a technology perspective, taking certain cyber risks helps businesses set out for new markets and new regions. Digital business risk, however, is focused on processes, products and services, and on what will prompt growth.
- Integrated risk management (IRM) is the next generation of risk management, building on governance, risk and compliance (GRC) principles. "While some may say GRC is dying, IRM is simply GRC in different clothing," said Wheeler.
Digital business is where CEOs want to move their companies, but they have to recognize, "if we're digital, it's not only huge risk, it's complex risk," said Wheeler.
About 82% of CEOs say they have some form of management initiative or program in place for handling digital business, according to Gartner. "What they don't get is associated risk," said Wheeler.
Digital business is supported by key drivers of risk, as it relates to CEOs' need to extend into new markets and reach new customers by introducing new products or services "on the backs of third parties," said Wheeler. It also relies on the internet of things to enhance services, which puts existing legacy systems and data at risk of being compromised.
Additionally, third-party risk, which extends beyond a company's core network and into the cloud, is "stuff that CEOs really do not understand."
The gap between these two kinds of risk leaves the C-suite and board unreliably informed about overall risk appetite. A true management initiative, like IRM, helps risk officers and/or CISOs more comfortably articulate risk in the language their C-suite speaks.
When risk and security organizations can quantify risk in terms of its impact on critical business outcomes, the breakthrough occurs. By 2021, half of companies will use an IRM solution for better calculating risk, according to Gartner.
The model allows for those presenting risk scenarios to their boards to take it out of the confines of IT or cyber risk and introduce it more broadly in a true business context.