When Carol Fox, the Vice President of Strategic Initiatives of RIMS, the risk management society™, presented at The Great Conversation in Security this year, she was addressing security program executives from multiple industries and disciplines. Each of these programs has implemented a process for identifying risk. But as Carol pointed out, identifying risks and identifying gaps in performance are two different things that achieve different outcomes.
We see Security Risk Management Services (SRMS) providers as a bridge between the risk assessment and the gap analysis. As Carol suggests, an SRMS provider would use risk assessments to identify, analyze and evaluate the uncertainties that affect an organization's objectives and outcomes. With this as a foundation, they can then begin to build a 360-degree view of the risk, one that includes the line-of-business "risk owners" and the culture of risk inside the organization. But it would not stop there. SRMS vendors can then apply their technology and business-process expertise to understand the gaps in performance: how do people actually perform their roles within their core processes using technology? This is where breakthroughs and innovations occur.
Carol's presentation is summarized in an article she wrote for RIMS, which we link to below.
Recognizing the Gaps in Gap Analysis
By Carol Fox, Vice President of Strategic Initiatives of RIMS, the risk management society™
When used in the right context and for the right reasons, gap analysis can do just what it is intended to: identify areas—usually from the perspective of process, abilities, competence, time and performance—where moving from a current state to a desired future state would be both beneficial and prudent. As noted in the ANSI/ASIS/RIMS risk assessment standard, “Gap analysis is intended to highlight the amount by which the need exceeds the resources that exist and what gaps may need to be filled to be successful.”