Assessing Risk: How Big Risk Data can Paralyze ERM
Steven Minsky | July 24, 2013
A study published last week sponsored by Tripwire and conducted by the Ponemon Institute found that while over 80% of security and risk professionals consider their organization’s commitment to risk-based security management significant, less than 30% had formal risk management solutions in place.
Why does such a large gap continue to exist, even as the evidence piles up that organizations with a mature risk framework are better performing and more prepared for an uncertain future?
One hurdle that we see consistently challenge organizations with a growing ERM process can be best described as a paradox of big data. These organizations have recognized the need for a formal ERM process, have hired experienced professionals to lead the charge, and have collected data in risk assessments from across their organization. Now faced with tens or even hundreds of identified risks, the risk managers are in effect paralyzed by the abundance of options as they to aggregate risk assessments and report on findings.
Collecting as much risk intelligence as possible seems like a worthy best practice, but big data is only as useful as the tools in place to use it to its full advantage.
The solution to this problem is an objective Enterprise Risk Management framework that doesn’t rely only on intuition, but instead balances the assessments against the organization’s unique business structure. With this type of structure, or risk taxonomy, in place, an identified risk can be assessed by the effected party and categorically ranked. An effective taxonomy will provide organizations with the flexibility to prioritize risks not only by department, but also by geographic regions, strategic initiatives, or adherence to frameworks like COSO, COBIT, and RIMS.
This kind of flexibility allows organizations to easily analyze a large amount of enterprise risk information, but it can be difficult to achieve without formal risk management solutions and may not be obvious to organization facing a multitude of risks.