"The increased visibility of risk management in many enterprises has resulted in inconsistencies in the use and application of the term," said Paul Proctor, vice president and distinguished analyst at Gartner. "The term risk has been appended to many traditional IT functions, such as security, business continuity, management and privacy, without the accompanying changes in the processes and methodologies used for understanding and managing the risk associated with these areas. This, in turn, has led to poor implementation of risk management as a discipline, limiting its effectiveness for many organizations."

Gartner said that in many enterprises, specialists with functional areas of responsibility for risk management operate independently from one another, use different definitions of risk, record information inconsistently and fail to share information beyond the boundaries of their specific business or support areas. As a result, there is little transparency across processes and no holistic view of risk, which is necessary for enterprise-level analysis of exposure and mitigation decisions.

"An enterprise that wishes to better understand and manage the risks to which it is exposed should begin with enterprise-specific risk definitions and an organizational risk hierarchy to which all risk-related specialists can align," said Mr. Proctor. "Although no single definition will work for all enterprises, it is important to start from a common, overarching framework to eliminate overlap, avoid gaps in coverage and ensure good governance."

Gartner has identified seven key steps to enable IT managers to understand and manage the risks facing them and allow them to quickly contribute to an enterprise-level risk management effort as their enterprises evolve in that direction:>• Implement a framework for risk assessment and mapping.>• Establish the responsibilities of risk managers with their areas of responsibility.

• Identify and define the risks to which the business is exposed and what constitutes a risk event or "near miss" so that incidents can be mapped to specific risks.

• Determine the threat level, and focus on those risks with the highest impact on performance.

• Establish levels of controls for processes commensurate with the perceived threat.
• Record and retain risk incident and near-miss information.

• Conduct periodic risk assessments to determine changes in the operations risk profile and assess control performance.

Additional information is available in the Gartner report "A Risk Hierarchy for Enterprise and IT Risk Managers." The report is available on Gartners Web site at http://www.gartner.com/DisplayDocument?ref=g_search&id=655907&subref=simplesearch.
Additional information and practical advice on all aspects of IT security will be presented at the Gartner IT Security Summit, taking place from June 2 to June 4 in Washington, D.C. The Summit hits the critical spot between strategic planning and tactical advice. Gartner analysts, industry experts and IT security practitioners deliver unbiased, realistic analysis of the current state of IT security, as well as an independent overview of the market during the next 12 to 18 months. For complete event details, please visit the Gartner IT Security Summit Web site at www.gartner.com/us/itsecurity.