Risks need to be looked at in a process-based way. That's one of the clear statements made at the Gartner Risk & Security Summit I attended in National Harbor. But let's start with some background first.
The summit is a huge conference covering everything related to IT security, risk management and compliance, identity and access management and business continuity management, so it's a great place to look for connections between all those topics that somehow fit under the umbrella of GRC. Besides this, the main themes driving discussions and speeches revolved around Cloud and Mobile, as both pose completely new risk and compliance topics for companies embracing new technologies. You can find a lot of information on Gartner's web pages, e.g. on http://www.gartner.com/technology/summits/na/security/ .
As last year, the Summit was a great experience and there is a lot I took away with me to write/talk about. Mark Jeffries has new glasses to compensate for less hair (since last time I saw him), Michael Dell is still thinking across borders, and Cyber security isn't understood any better than any other risk management practice by those who have to decide about it. I really enjoyed those sessions as they brought a lot of new ideas and thoughts to ponder.
But coming back to my first statement: John Wheeler of Gartner talked about 'The missing link: How ignoring business risk can be fatal for ERM'. The title says a lot. His main statements were that BPM and ERM have a lot in common; both are about visibility, accountability and adaptability. He explained that increased BPM capabilities lead to higher risk awareness and resilience, and predicts that in 5 years ERM best practice will be focused on performance! I couldn't agree more with that. As BPM needs to make that connection to mature from a 'distraction' to an approved business discipline, the same goes for Risk Management. Only with such a tie to operational business and goals will a company be able to implement sustainable ERM or GRC management.