By Paul Hemsley
A new report from Gartner has found that organisations have become so buried in risk and security compliance requirements that they can’t keep up with all of them, a situation that has led to managers neglecting more important in-depth risk assessments and instead just ticking boxes.
The analyst firm has cautioned that the compliance box-ticking mentality has become entrenched in organisational decision-making because managers feel bombarded by high volumes of of standards, regulations and best practice codes that organisations are obliged to obey.
The real issue for risk managers is that the pervasive practice of ticking boxes is happening without making a full and frank attempt to understand the real potential risks could lead to unintended consequences for organisations that are likely to be unnecessarily costly in the long run.
Mounting compliance requirements have become continuing headache for managers under pressure to set the ball rolling on government projects, particularly in the fast-paced IT field, that they begin treating risk assessments as a routine task of check listing rather than meticulously evaluating what could potentially go wrong.
The problem is the subject of the Gartner report titled Compliance Is No Longer a Primary Driver for IT Risk and Security, which affirms that government IT managers could do with a helping hand in balancing their compliance requirements and their risk assessments so that their decision making isn’t dominated by strict codes and regulations.
Rather than addressing the public sector directly, the Gartner report has cited the issue as a broad problem that potentially affects all organisations because everyone that engages in a project is put in the position to cover themselves with ticking off the list of requirements for the purpose of moving on.
The report concluded that this sort of rigid managerial behaviour has created a culture of “rule followers”, who focus on compliance as a way to “avoid negative outcomes” and are buried in “regulatory distraction” that impedes their ability to innovate, perform, optimise and adapt their programs.
Instead, the report propped up “risk leaders” as the exemplar of risk management because they focus on ways to adapt to ever-changing risks and achieve positive results by evaluating anticipated compliance risks by tracking key regulatory and business changes.
However the solutions to this issue are only a click away for government project managers, who will have the opportunity to learn more about how
they can become more risk-savvy at the Gartner Security and Risk Management Summit 2013 at the Hilton in Sydney on 19th to 20th August 2013, which will inform government managers and their teams about the need to identify and communicate emerging risks and manage them appropriately.
Comment below to have your say on this story.
If you have a news story or tip-off, get in touch at firstname.lastname@example.org.
Sign up to the Government News newsletter