Are you growing out of control?

Growth is part of any organization’s maturity lifecycle. As a business grows, business risk grows alongside it. Addressing organizational maturity during growth is important, as organizations are exposed to new threats and vulnerabilities to all asset types. These risks require actions to ensure that business risk does not exceed what the organization can tolerate or control.

Written by William White, Senior Consultant @ Watchcom


Growth is important for many organizations, and although organizations have different goals, growth is often a strategy used to achieve those goals.

For example:

  • Private companies grow to increase capacity. This can help increase market share to stave off competition.
  • Public organizations grow so they can serve the public more efficiently and effectively. This is achieved by providing more capacity to serve public interests.
  • Growth can help organizations take advantage of Economies of Scale; making it possible to lower the costs of goods and services.
  • Growth helps an organization to accomplish customer satisfaction goals.

While organizations do not grow at the same rate, to the same size, or by the same methods, growth is part of any organization’s maturity lifecycle. It is important to address the maturity of an organization during growth because, as a business grows, business risk grows.

Immature growth increases risk

During the growth process, organizations are exposed to new threats and vulnerabilities to all asset types. The risk to these assets requires steps be taken to ensure that business risk does not exceed what the organization can tolerate or control.

Risk management is based on the valuation of assets and subsequent prioritization of the treatment of risks to those assets. Secure growth is best achieved by ensuring that current risks are continuously managed and that new business risks are identified and managed.

Sadly, companies often conflate growth with maturity. Simply adding staff or assets makes a company grow, but it does not make a company mature. Maturity includes the ability to handle new business risks that are a result of such organizational growth.

Conducting a Maturity Assessment after significant growth initiatives can help a company find its maturity level. The company can then decide on actions to ensure maturity levels match growth levels. Problems like “Risk sprawl”, the propagation of risks due to growth, can be identified and addressed. Roles and responsibilities can be assigned for owning risk, selecting controls for risk and reporting risk so business risk can be managed.  Maturity is achieved when growth is aligned with changes to business risk and responsibility for managing those risks are assigned to the proper roles.

Training your risk management skills

The risk management process must be strategically planned and guided by top management. Top management involvement ensures that the organization matures by developing a risk strategy guiding it through the growth process. Business risk must be clearly communicated, and new processes must be supported, to ensure that risk-related tasks are performed. Support-function strategies must be aligned with top management’s strategy to ensure that all business risk is identified and analyzed. This will ensure business risk is addressed holistically across the organization, and through business processes each function will have a method to address the various risks.

Awareness and training are vital to the maturation process, and it is important to raise awareness of all business risks and how each organizational role is connected to those risks. The organization must also be explained the responsibilities connected to each new role, and through training the skills required to manage business risk are obtained. Training also teaches communication skills required to manage business risk.

Awareness and training lead to a change in organizational culture which is the key to increasing the maturity of the organization. It is the role of top management to ensure the organization has the support it requires to manage risk and achieve objectives.

Growth impacts security posture

With growth comes change. Organizational growth causes changes to an organization’s security posture and, without a strategy to mature during growth, introduces uncertainty. Uncertainty in the business environment changes the business risk environment and those changes must be addressed using a coordinated risk management strategy.

Out of control business risk can lead to consequences that negatively impact business objectives and hinder the development of value for stakeholders and customers. Further, new vulnerabilities can be exploited by threats to business assets, which negatively affect the organization’s asset value.

Organizational growth must be implemented in coordination with a Risk Management strategy that is developed, communicated, and supported by top management. This will ensure that the organization can mature at the same pace that it grows.