Reassess risk management, warns Gartner

Legislative, environmental, business and technology factors will force a sea change in strategies for enterprise risk management (ERM) over the next five years, analyst Gartner predicted Monday at its IT Security Summit.

Speaking at the conference held in London, Simon Mingay, research vice president at Gartner, said these factors will make companies "come out of the fog" and clearly identify the risks they face, rather than continue with a piecemeal approach to ERM.

"There is nothing new about managing risk but there is a quiet revolution in the way organisations manage risk," he said.

"Board-level agendas in the UK should set a consolidation strategy, as ERM drivers such as globalisation, extended supply chains, extended business process outsourcing and geo-political risks have gained substantial momentum over the last two years."

Mingay said that big questions surround corporate governance post-Enron and WorldCom, with auditors and accounting bodies making new legislation and regulations.

And he warned that different departments managing risk and developing strategies in their own area is not good enough.

"New processes, relationships and tools are required. It is a big opportunity for the IS department to better align with the business and manage its own risk in a broader context," he said.

Mingay stressed the need for a risk management framework with a consistent set of processes and an ERM reporting system, saying it should be integrated, consistent and strategic across all business units.

"Getting everyone to agree on a definition of ERM is crucial."

But, warned Mingay, over the next few years businesses will have to rely on a do-it-yourself approach to ERM.

"ERM is very immature. The models and methodologies are still work in progress and there are not the tools needed to cover the full spectrum of risk.

"That means a lot of cobbling together of spreadsheets and off-the-shelf tools, and requires a qualitative assessment of risk," he said.

Deciding on a group risk committee and a group risk director is one way forward, said Mingay, but he advised against waiting for a vendor-led approach.

"Don't commit to one vendor or technology as there will be huge changes over the next few years. Watch the tools market and invest tactfully. The ERM market won't mature until at least 2006."