05 February, 2008 06:52 PM EST
Defining Risk Management
Posted By: Paul Proctor, Research VP

The rise of risk management as both a discipline and a label has led to confusion about terminology and applicability. The word "risk" has proliferated in the titles of traditional roles and responsibilities such as security, business continuity, privacy and many operations functions. In some cases this is nothing more than a title change, with no fundamental shift in methodology. The proliferation has left organizations struggling at the top to define clearly what enterprise risk management (ERM) means to them, and at the bottom to define what "risk" people do that their counterparts in traditional operational roles do not. Even within the various risk management groups, organizations must define clearly how responsibility is assigned.

The term "risk management" has grown in popularity to the point where it has been watered down, made irrelevant and written off as a failure in many organizations. IT vendors have precipitated this by labeling many automation and management products "Risk Management" or "GRC" in an attempt to capitalize on the popularity of the term. Many organizations have followed suit by mislabeling traditional, less mature approaches to addressing risk: isolated decisions made in reaction to loss events, or the indiscriminate application of technology without good governance, risk measurement or a transparent methodology. Organizations should reserve the label "risk management" for efforts that take a proactive approach to measuring reasonably anticipated risks and applying appropriate controls.

Organizations should start with a good internal risk hierarchy definition to which all risk-related groups can align. No single definition works for every organization, and differences will remain between the silos, but it is important to start from a common, overarching definition. This helps eliminate overlap between the silos, avoid gaps in coverage and facilitate good governance.

We have research on the way to help you.

COMMENTS
11 February, 2008 12:39 PM EST
This is a topic that is being thought about extensively within my organization right now. "Risk Management" is a term that has been used with far too little rigor, to say the least. Much of what a security organization does is about providing appropriate governance and operations activity, but it has all been wrapped up in this title of risk management. Some research and insight into what is effective in other organizations would definitely help.
