Do you have visibility into the risk of your strategic business priorities?
If not, a gap analysis can give you a clearer picture. In fact, as we underscored in our recent webinar, “5 Essential Steps to Meet Your Escalating Duty of Care,” identifying and mitigating the risks associated with new initiatives is vital to meeting regulations and avoiding penalties.
How can you perform a gap analysis for your company’s new ventures? Start with these 3 steps.
Step 1: Pinpoint Your Strategic Priorities
You know what’s hard to figure out the risk of? Something you don’t know about or haven’t identified. That’s why the first step to doing a gap analysis is pinpointing your strategic priorities, so you can determine the risk posture for them.
They can take many forms: increasing revenue by releasing a new product, moving into a new geographic region or expanding inorganically by buying or merging with another company.
Once these strategic priorities are identified, they need to be communicated in such a way that the entire organization aligns around them. It’s all well and good if senior management knows that the company is going to be buying competitor XYZ; however, if that information doesn’t get to the risk management team before the acquisition, then it’s impossible for them to prepare or report accurate risk information that may be critical for the board of directors to know.
OK, so the company has identified some strategic priorities, and they’ve been communicated across the organization. Now comes the time to perform a gap analysis.
Step 2: Perform a Gap Analysis
How do you do a gap analysis? In a scenario like this – where the goal is to identify the risk around a particular business priority – we’re looking to assess the gaps between what we currently do from a regulatory/compliance perspective, and what we’ll need to do in the future to meet this strategic goal.
Let’s take the example of expanding into a new region. If we’re entering the European market for the first time, we may need to start worrying about GDPR.
Or, if we’re buying another organization, we should check if their market has specific regulatory requirements we’re not already meeting. For instance, will we have dipped our toes into the financial sector or suddenly acquired government contracts with entities we haven’t dealt with before?
Applying the controls and evidence you already have to the new requirements will show which requirements you may not be covering effectively. In other words, the gaps.
In the Reciprocity ROAR platform, this can be as easy as creating a new Cyber Assurance Program for the strategic priority with the necessary frameworks, or adding a framework or two to an existing program.
Step 3: Implement Controls for Risky Priorities
Now that you have an idea of what your compliance/hardening posture might be, you can see what that will do to your risk posture. As I expect most readers know, controls that are in place reduce your inherent risk, leaving some amount of residual risk even after mitigation.
However, ineffective controls do nothing to reduce your residual risk. This is why identifying ineffective controls is a necessary step in determining your risk posture. And since a strategic priority may bring new requirements, it may also call for new controls or modifications to existing ones. Seeing those gaps in the gap analysis allows you to account for them accurately in your risk assessment.
This is what we mean when we talk about getting early visibility into the risk of your strategic business priorities. You’ve identified the priorities, performed a gap analysis and used what you learned in the gap analysis to influence your risk assessments. You’re now prepared to go have an informed and frank conversation about the risk associated with that business priority.