Risk Management Key Initiative Overview

Archived. Published: 16 July 2013. ID: G00252373




This overview provides a high-level description of the Risk Management Key Initiative. CIOs, IT leaders and technical professionals can use this guide to understand what they need to do to prepare for this initiative.


Figure 1. Risk Management Key Initiative Overview (image not reproduced; courtesy of Gartner, Inc.)

Source: Gartner (July 2013)

Risk management is the strategic discipline of assessing, prioritizing, monitoring and controlling the impact of uncertainty on objectives.

The line between IT risk and business risk is disappearing. Risk management increasingly plays a central role in business decision making, but many enterprises' commitment to operating this way exceeds their ability to execute on it. The enterprise must act now to formalize its risk program and facilitate a risk-aware culture. Risk management helps align IT with business strategy and supports the business in making better decisions. This is increasingly recognized as a mission-critical function for enterprises. Risk management's fast-growing visibility has, however, resulted in the inconsistent use of the term "risk," which has been added to the titles of roles responsible for many traditional IT functions without fundamental changes in how the risks associated with these functions are addressed. This failure leads to poor implementation of risk management as a discipline, and significantly limits its effectiveness.

Consider These Factors to Determine Your Readiness

What Risk Management Means to CIOs

Risk management is an integral part of every executive's responsibilities. Boards of directors increasingly recognize the contribution of IT to the success of the enterprise, and as this recognition rises, the CIO's handling and treatment of risk become a more critical part of their success. Risk management benefits from a business context, but there continues to be a cultural disconnect over IT risk between IT leaders and the business units they support. CIOs must recognize and address the following factors:

  • Risk management is an investment decision tool. Eliminating all risk is not possible or desirable. Risk treatment options include mitigation, contingency planning, transfer and acceptance.

  • Risk decisions are more complex and impactful than in the past. With instant communication and processes, enterprises must respond quickly and knowledgeably to both threats and opportunities.

  • Risk and the accountability for risk acceptance are — and should be — owned by the business units creating and managing those risks.

  • Transparency and defensibility of risky decisions are critical. Risk must be measured and addressed as part of the business process. All managers and leaders need basic risk management skills.

What Risk Management Means to IT Leaders

Good risk management influences business decision making, so risks should always be addressed in a business context. This can be a challenge for IT leaders grounded in the technology-centric aspects of IT risk. IT leaders need to recognize the difference between IT operational risks addressed at an IT operational level and business risks related to IT. This requires a formal risk program that addresses the following elements:

  • Risk and controls assessment. Organizations require a formal risk assessment process that measures and reports on residual risk.

  • Risk governance. Operational risks should be managed internally by the IT organization as part of ongoing operations, but IT risks that clearly impact the goals of the business necessarily involve non-IT decisions regarding residual risk.

  • Mapping key risk indicators into business key performance indicators. IT risk professionals must understand what drives corporate performance in their organizations and map the causal relationships between the risks they manage and the impacts they have on corporate performance.

Conduct Your Risk Management Initiative Using This Structured Approach

Gartner recommends that CIOs, IT leaders and technical professionals follow five major organizing principles in formalizing their enterprises' risk management practices. These organizing principles may vary, depending on enterprise-specific factors, including the extent of the existing risk management program:

  • Strategize and Plan: Draft a charter to gain agreement on the vision for the initiative, in alignment with business goals. Scope the initiative, and establish resources and budget. Integrate with strategic IT and business plans.

  • Develop Governance: Establish an optimal process for making decisions and assigning decision rights. Identify and engage stakeholders. Agree on authority and flow for decision making. Design and implement feedback mechanisms.

  • Drive Change Management: Set up a system to communicate and socialize ideas via multiple channels. Get buy-in from stakeholders at all levels. Assess progress, and drive stakeholder commitment to the change.

  • Execute: Optimally operate the initiative in accordance with business goals. Update and drive new elements of the initiative in response to changing business requirements.

  • Measure and Improve: Measure how the initiative has affected business outcomes. Seek feedback from stakeholders. Drive improvements through process changes and upgrades.

© 2013 Gartner, Inc. and/or its Affiliates. All Rights Reserved. Reproduction and distribution of this publication in any form without prior written permission is forbidden. The information contained herein has been obtained from sources believed to be reliable. Gartner disclaims all warranties as to the accuracy, completeness or adequacy of such information. Although Gartner's research may discuss legal issues related to the information technology business, Gartner does not provide legal advice or services and its research should not be construed or used as such. Gartner shall have no liability for errors, omissions or inadequacies in the information contained herein or for interpretations thereof. The opinions expressed herein are subject to change without notice.
