Last year\u2019s sudden shift to a work-from-home (WFH) model changed a lot of things in enterprise IT. Companies accelerated their adoption of cloud services. Videoconferencing became an essential form of everyday communication. And IT teams were forced to change their ways of assessing risk \u2014 likely forever.\nHow risks and risk assessments changed in the pandemic\nTraditionally, risk assessment teams produced detailed annual reports that tried to sum up all the risks the organization was facing in areas such as IT security, disaster recovery, and compliance.\nMany companies hired consulting firms to help with this work. Because risk assessment was an expensive and time-consuming endeavor, it was treated as more of a \u201cspecial occasion\u201d than an ongoing practice.\nExecutives and boards of directors might have felt some satisfaction having a detailed risk assessment report to thumb through. But as an actual representation of risk, the report was more a stony monument than heart monitor.\nFor many organizations, the tenuousness of these risk assessments increased during the pandemic. Emailed questionnaires replaced in-person inspections. Stakeholders dutifully completed forms, even if no one could say with certainty which devices employees were using remotely or what software was running on them.\nMost organizations understood that their risks increased once employees started working from home. Employees were accessing data and applications over home Wi-Fi networks rather than the corporate network, where they had a firewall, a SIEM system, and other security tools to protect them from threats. And many employees were relying more on BYOD devices, which had never been screened and approved by the IT department, for official work. At the same time, security threats increased. Cybercriminals realized that employees were more vulnerable than ever before without the corporate network to protect them.\nWithout real-time access to all those remote endpoints, IT organizations did their best to characterize the risks that remote employees were facing. But inevitably, those annual risk assessments missed some details about threats facing the company.\nThose omissions were understandable during a year in which IT teams never stopped rushing. Now, though, IT teams can catch their collective breath and take stock of what\u2019s changed. Remote workforces are here to stay, and security threats continue to multiply and grow in sophistication.\nBringing risk assessment into the age of cloud computing and WFH\nWe all know that the pace of business is faster than ever. Data, devices, software, business relationships \u2014 all these things are continually in flux. Risk assessments need to reflect that flux. Therefore, the first thing to change about risk assessments is their timeliness.\nFortunately, IT departments have new tools that can help improve the accuracy of risk assessments. Real-time endpoint monitoring, for example, can report on the location, IT health, and activity of endpoints at any location, including in home offices. This monitoring works over standard internet connections without requiring VPNs.\nWith these modern tools, IT organizations can collect more comprehensive, up-to-date, and accurate endpoint data than they could when most endpoints were still on internal networks and being monitored only sporadically by traditional endpoint management tools.\nGauging the configuration status and security status of all the endpoints in the organization provides a wealth of insights for assessing risk in areas as varied as threat detection, compliance, and disaster recovery. It\u2019s an essential requirement for mitigating security threats from unpatched vulnerabilities, phishing attacks, and more.\nThe second thing to do is measure risk over time. Executives want to know if the risk mitigation measures that have been put in place are working. Risk teams should track the metrics that indicate whether or not the company is achieving its goals for managing risk. \nThe third thing is to have data-driven conversations with the executive team about risk. Here\u2019s where more timely and comprehensive data pays off. With improved visibility into endpoints and other IT assets, you can have a more meaningful discussion about which investments are working and which aren\u2019t, which new products and services to adopt, and which old products and services to retire.\nThe executive team is focused on the strategic goals of the organization overall. Ultimately, the data-driven conversations you have about risk should prioritize risks and risk mitigations in terms of those goals.\nFour key elements of risk management\nKeeping your organization's strategic goals in mind, here are four steps to follow for managing risk in a modern enterprise:\n\nData Collection: Collecting all the data necessary to measure risks related to your organization\u2019s strategic goals. That data will include endpoint data as well as environmental and user data.\nAnalysis: Analyze the data you\u2019ve collected using as much automation as possible. If you\u2019ve created scorecards for assessing risks, you can automate tabulations and make analysis an ongoing process rather than a once-a-year snapshot.\nReporting: This step involves synthesizing risk metrics and analysis for executive-level reports. These reports will guide your organization\u2019s discussions about risks, priorities, investment decisions, and more.\nRemediation: There are two types of risk remediation. First, there are the actions taken daily by IT security and operations personnel to respond to threats. These actions are in accordance with organizational policies and industry best practices, but they don\u2019t require executive approval instance by instance. Second, there are the actions taken by the IT and business leaders. For example, if a risk analysis report suggests that the company accelerates its patching schedule, then the decision to invest in new patch management software is a strategic response to remediating threats.\n\nA lot has changed in IT in the past couple of years. Many companies discovered they could be more agile and efficient than ever as they essentially reinvented their remote work policies and IT support overnight.\nNow, companies have the chance to reinvent their risk assessment processes as well. By taking advantage of real-time data and automation, companies can reduce risks and improve the security of their remote workforces at the same time.