When I look at the world today, it seems everything is about risk (your private data is continually at risk, with data breaches left and right).
Systemic risk and failed risk management is what caused the financial crisis. Earthquakes, tidal waves, forest fires, global warming, HIV and Mexican flu are threatening humanity.
The current state of the economy is threatening IT budgets and, as a result, my job as an IT consultant is at risk. There is a risk of a new wave of regulations in response to the world-wide need for governments to bail out private enterprise. The resulting lack of IT risk and compliance expertise is a risk. Or am I just paranoid?
First, there is the saying: “the fact that I am paranoid does not mean that I am not being followed”.
Second, if you do a more objective assessment of the situation, it does seem that the term risk is used more than before.
Google always offers a good opportunity for fast research, so here goes: the term risk gave me 52.000.000 hits, compared to governance, which gave “only” 10.400.000, and compliance, which gave 22.200.000 hits. On the other hand, to give some perspective, security gave 102.000.000 hits and sex 98.100.000.
So what does that prove, other than that security is more interesting than sex and that you can statistically prove anything with the right data set? Actually, very little. But it is not about hard facts but about perception.
I attended the ISACA Information Security and Risk Management conferences (both the North American edition in Las Vegas and the European conference in Amsterdam) and the general feeling I got from the presentations is that these days it is customary to translate our issues into risks.
Lack of expertise and tools in an organization is a risk for information security; lack of compliance is a risk for the license to operate. On the other hand, compliance with the regulations carries the risk of organizational complacency: “if we comply with the rules we must have covered all risks”. If you believe that, you might want to look outside on Christmas evening; maybe you will see Santa Claus fly by in his sled.
A second indicator: I am always scanning the job and assignments market and, given my expertise, I use search terms like Governance, Risk, Security, and Compliance. I have clearly noticed that in the last half year the market has been looking for IT Risk experts more than before, compared to the other terms. So my conclusion: the age of governance and compliance is over, welcome to the era of Risk!
Those who have read my articles before will probably have guessed my real conclusion: Risk, the buzz-word for 2010. Happy New Year!
So, besides the fact that all GRC consultants, managers, experts, etc. will have to rewrite their CVs to give their Risk expertise a more prominent place, is this a bad thing?
Contrary to popular belief, IT managers and corporate purchasers are not complete idiots, so they will soon recognise the IT suppliers that try to sell last year’s products under the new “hype” label.
My prediction for 2010: a number of the products that were “must haves” to achieve governance and compliance nirvana in the last decade will become absolutely vital if you wish to achieve risk management bliss. The problem is that, as a result, organisations might totally disregard “risk” since it is just hype.
As usual, however, this hype is based on real challenges that require adequate attention. Failed risk management was one of the causes of the financial crisis and the subsequent economic downturn, so we had better do some of that “continuous improvement stuff”: analyse what went wrong and see how we can improve it.
On the positive side, the risk hype could create a common language to compare our issues: if we translate all our issues (business and IT alike) into the risks they may pose for the organization, it will become much easier for top management to compare and prioritize them. But then again, I spend every Christmas evening outside hoping to finally get a glimpse of Santa Claus.
By Arno Kapteyn