A new approach to risk management

Legislation will be a major factor in how businesses manage risk over the next five years.

Gartner research vice president Simon Mingay told delegates at the analyst's IT Security Summit this week that companies will need to take a new approach to tackling risk management, rather than continue with a piecemeal approach.

'Post Enron and WorldCom there are big questions around corporate governance with auditors and accounting bodies making new legislation and regulations. Non-executive directors want assurances the organisation is in control to avoid nasty surprises,' he said.

The 'silo' approach to managing risk, where individual departments develop strategies for their own area, will not be good enough.

'New processes, relationships and tools are required. It is a big opportunity for the IT department to better align with the business and manage its own risk in a broader context,' said Mingay.

Companies need a risk management framework with a consistent set of processes and a reporting system. The new approach 'is not about breaking established patterns and capabilities, but building on these. It is about increasing visibility and preventing risks falling down the organisational cracks,' he said.

A best practice approach requires 'focusing on delivering a set of services, not just defining policies,' said Mingay. 'Services such as workshops, tools and training that business units can draw down when needed is the way forward.'