7 steps to effective risk management

When your organization talks about risk management, what does it mean? According to Gartner, many enterprises are inconsistent in the use and application of the term. So it's no surprise that risk management often ends up siloed into separate functional areas such as business continuity, security, management and privacy.

Gartner’s recent report, "A Risk Hierarchy for Enterprise and IT Risk Managers," emphasizes the need for a holistic view of risk. "An enterprise that wishes to better understand and manage the risks to which it is exposed should begin with enterprise-specific risk definitions and an organizational risk hierarchy to which all risk-related specialists can align," says Paul Proctor, vice president and distinguished analyst at the IT research firm. "Although no single definition will work for all enterprises, it is important to start from a common, overarching framework to eliminate overlap, avoid gaps in coverage and ensure good governance."

In order to make risk management more effective in your IT organization, Gartner offers 7 steps:

1. Implement a framework for risk assessment and mapping.
2. Outline the responsibilities of risk managers with their respective domains.
3. Identify and define the risks to which the business is exposed and how to map incidents.
4. Determine the threat level and focus on the risk that have the greatest potential to affect enterprise performance.
5. Establish levels of controls for processes commensurate with the perceived threat.
6. Record and retain risk incident and near-miss information.
7. Conduct periodic risk assessments to determine changes in your company’s risk profile and assess performance.