Every organization is threatened by risk, but assessing that risk is harder than ever before. In this post, you’ll learn what makes risk assessment so difficult and how a top-down approach to measuring risk can help organizations make better decisions.
Why is measuring risk so difficult these days?
Here are four reasons.

Disparate, varied IT assets

Never has a company’s data been so far-flung. IT architectures and endpoints are more varied and distributed than ever. Some systems are on-premises, some are in the cloud, and the latter are probably distributed across several cloud providers and likely hundreds of SaaS applications.
When employees switched to a work-from-home (WFH) model last year, many began using their own devices (BYOD) for work. Companies are increasing their use of IoT devices, ranging from weather sensors to heart monitors to video cameras.

IT complexity

Twenty years ago, IT risk assessments mostly consisted of counting employees’ PCs and the servers in data centers, looking at likely vulnerabilities for various models of hardware, and producing a report. Today, the IT assets to be cataloged and analyzed might be distributed over 50 offices, 500 data centers (most of which belong to other companies), and 10,000 home networks.
The age of large, monolithic applications is over. For example, a mobile banking application might rely on 75 different IT components to work. To assess the application’s risk, you first need to determine how all those components interoperate. Then you need to assess the risk associated with each of the components. Those risks need to account for everything from login activity to patch status.
When you’ve done all that work, hopefully using up-to-date data, you’ve successfully assessed the risk of a single application.
Chances are that your organization has other business-critical assets for you to assess as well.

Sophisticated security attacks

Businesses are under attack by a growing collection of cybercriminals, many of whom have access to highly sophisticated technologies.
Twenty years ago, attackers were mostly computer programmers interested in finding ingenious ways to cause trouble. Today, attackers include nation states, criminal syndicates, and malicious “script kiddies” willing to spend fifty bucks on the Dark Web to buy malware or a credential-stuffing script and a list of compromised credentials.
And attackers are relentless, firing off both innovative and tried-and-true forms of attack, hoping for any lapse or breach in an organization’s security. Any lapse in IT defenses or employee behavior can lead to a data breach, a ransomware attack, or some other form of attack that is costly in terms of lost sales, imposed fines, and degraded reputation.

Shared responsibilities

A recent trend in risk management calls for sharing risks more broadly with business units. Executive teams and boards of directors are asking business unit leaders to step up and take responsibility for the risk affecting their operations. This new shared responsibility forces business leaders to take a more active role in setting priorities for risk assessments and ensuring that the right risks are measured and duly weighted.
The importance of taking a top-down approach to measuring risks
The goal is to account for the complexity of today’s IT environments, while reducing the scope of analysis to something practical for executive decision-making. When business leaders know their most significant risks, they can set goals and make decisions without getting lost in technical details.
Start by asking, “What does our company have to protect?” Determine what’s most important to your company’s operations.
Next, ask, “Where do these core assets live?” A set of data centers? In specific facilities outside of the country? What are the risks associated with each of those locations?
Third, ask, “What else do these core assets depend on?” For example, if you’re a fintech company offering a mobile app for your consumers, that app’s reliability and performance matter a great deal to your brand. What are all the interdependencies of that mobile app? Map all those interdependencies, then analyze the risk associated with each of those components.
Assessing the risks of key components likely involves cloud services and services hosted by third parties like Amazon Web Services (AWS).
If your risk assessment tools can’t access third-party services and cloud providers, can they at least monitor the endpoints connected to those services and cloud providers? That would begin to give you a sense of how your company’s interactions with those third parties may be increasing overall risk.
Measuring risk is an ongoing strategic activity
You’ll know if you have an effective practice in place for measuring risk if it provides ongoing guidance for making business decisions. To provide that guidance, your best practice for measuring risk should be:

Continuous: When risk data is current, you can trust that you’re basing decisions on the technology and vendors you’re working with now, not a different set you were working with three months ago. To achieve continual updates to your risk analysis, you’ll need real-time data about endpoints and other IT assets and automation to collect and organize the data in a centralized place.
Prioritized: Risk-assessment practices should make it easier to prioritize risks and risk mitigations in your organization’s strategic goals.
Have risk scoring in place so that you can compare, for example, the risk of moving a data repository from on-premises to a trusted cloud provider to save money.
Accessible: You can easily access risk assessment results whenever necessary. You don’t have to dig through 43 Excel spreadsheets to find the analysis you’re looking for. You’ve got risk reporting that you can access quickly as part of the company’s ongoing decision-making.

Business is moving faster than ever. IT environments are vast and complex. By adopting a top-down approach to measuring risk and taking advantage of real-time data collection and automation, you can build the risk measurement practice you need for guiding the organization through growth and transformation in the years ahead.