When used in the right context and for the right reasons, gap analysis can do just what it is intended to: identify areas—usually from the perspective of process, abilities, competence, time and performance—where moving from a current state to a desired future state would be both beneficial and prudent. As noted in the ANSI/ASIS/RIMS risk assessment standard, “Gap analysis is intended to highlight the amount by which the need exceeds the resources that exist and what gaps may need to be filled to be successful.”
From there, the logical next step of the gap analysis is to determine whether the future state is achievable given available resources, and if so, develop a plan to move from the current state to the future state. Risk assessments can be conducted in tandem with the gap analysis to 1) evaluate feasible alternatives, and 2) determine whether the future state places the risk within the organization’s risk tolerance.
But when gap analyses are used to take the place of a risk assessment, problems can emerge. For example, gap analyses generally do not answer questions related to other risk criteria (such as timing) or measurements (such as severity). As a consequence, gap analyses may not necessarily reflect the organization’s attitude toward risk-taking.
Risk Assessment vs. Gap Assessment
Risk assessments differ from gap assessments in their essential purposes. According to the ANSI/ASIS/RIMS risk assessment standard, risk assessments include the identification, analysis and evaluation of uncertainties to objectives and outcomes of an organization. Risk assessments provide a comparison between the desired and undesired outcomes and expected rewards and losses of organizational objectives. Risk assessments analyze whether an uncertainty is within acceptable boundaries and within the organization’s capacity to manage risk. The results inform decision-makers of the choices available to manage risk effectively to achieve the organization’s objectives, given its priorities.
Risk assessments take into account the dynamic nature of the organization’s external and internal environments. While considering and possibly evaluating the effectiveness of current controls, risk assessments generally focus on the future, at times using multiple scenarios in light of emerging issues.
Gap analyses, on the other hand, are intended to identify the differences between “what is” and “what should be.” They tend to represent a point in time, focusing on specific controls or activities as they exist for the single purpose of improving the current environment. Gap analyses generally are not suitable for more complex issues that require a deeper understanding of risk and the use of more sophisticated risk assessment techniques. If used as a risk assessment, gap analyses may give a false impression that filling gaps will be enough to manage all potential future risk events and trends. Gap analyses may give equal weight to any type of control or activity, without regard to the respective impact that each control or activity may have, or to possible related upstream and downstream interdependencies.
When Gap Analyses Are Misapplied
The most troublesome instances of misapplication are when gap analyses masquerade as risk assessments, particularly when the gap being identified is between an organization’s current state and a standard. In the way they are developed, standards tend to be aspirational best practices. Even so, standards, particularly international standards, may lag behind evolving practices as they take a number of years to produce through the process of consensus-building.
Unless a standard is adopted as a regulatory requirement or is listed specifically as something for which the organization wishes to be certified, an organization is free to determine which parts of a standard apply in its environment, and the extent to which the practices are practical for implementation. For example, a standard may recommend that a policy be approved by an organization’s board of directors. The organization may instead choose to create a policy that is approved by its management team.
While one could interpret this difference as a “gap,” the actual effect on the risk under review may be immaterial. Compliance with this particular practice does not move the needle if those responsible for acting within the policy comply with it, regardless of who approves it. Judging “gaps” can be somewhat subjective from this perspective.
The figure at right illustrates a gap analysis using an international information security standard to identify gaps within various risk areas. The analysis makes the assumption that the organization either wants to take actions to be “highly compliant” with the standard or that the organization knows where along the continuum of progression it wants to be in each of the areas considered in the gap analysis. Without this understanding, the gap analysis may lead to false conclusions regarding the actual extent of the risk for the organization, or to unworkable recommendations for managing the risk. Without a companion risk assessment, the organization may be left with questions as to whether the risk is within acceptable boundaries in its current state, what steps the organization could take to reduce its exposure to the risk, and whether it has the will or the capacity to be “highly compliant” with the chosen standard.
In such situations, risk professionals and executives should ask:
- What is the complexity of the risk/issue under review?
- Is the proposed process a gap analysis or a risk assessment?
- If a gap analysis, what standard or comparative is being used in conducting the analysis?
- If based on a standard, what is the value of compliance with each of the elements of the standard?
- Are the identified gaps being measured for materiality?
- What assumptions are being used in judging the gaps?
- Are the identified gaps meaningful for achieving the organization’s objectives?
- How does closing the gaps improve the organization’s risk position?
- Are resources available to close the meaningful gaps?
Gap analyses can be useful in limited and relatively straightforward situations. Finding out where an organization stands in relation to where it wants to be has value and is worth the effort if the organization is willing to close meaningful gaps. If using a standard as the desired future state, organizations should agree on which components are to be included in the analysis, given the impact that such components may have (or not have) in modifying the risk under review.