Most companies still manage risk in silos and don't have a clearly defined strategy, report finds
By Joseph McCafferty
February 6, 2017
A new report from the Ponemon Institute finds that many companies lack a cohesive approach to risk management.
According to the study, "The Imperative to Raise Enterprise Risk Intelligence," three-quarters of the risk management professionals surveyed said their organizations don't have a clearly defined risk management strategy that applies across the full company. Of those, a third (33 percent) said they didn't have a clearly defined strategy at all, and another 43 percent said that while the strategy was defined, it was not applied to the entire enterprise.
The survey of 641 risk management professionals examined organizations' overall approach to risk management and found that many still have a long way to go. For example, 53 percent of respondents said the finance, operations, compliance, legal, and IT functions still manage risk in silos. Meanwhile, 52 percent said their organizations didn't have a formal budget for enterprise risk management.
Such fractured and unsupported approaches to risk management across the organization are likely contributors to a less-than-effective risk management strategy: Just 14 percent of respondents said they thought that their organization's risk management processes were truly effective.
Survey respondents also cited their biggest fears of what could result from a poorly executed risk management strategy. The biggest concern was long-term damage to brand and reputation (63 percent), followed by security breaches (51 percent), business disruption (51 percent), and intellectual property loss (37 percent).
"In light of numerous large-scale and high-profile data breaches in the headlines throughout 2016, organizations are increasingly aware that they need to understand their risk exposure," said Larry Ponemon, chairman and founder of the Ponemon Institute. "And the biggest fear for most organizations isn't security breaches, but long-term damage to brand and reputation." He said that while the costs of responding to a security breach were extensive, they are finite, compared to those associated with the resulting reputational damage that can extend for months or even years.
Other Survey Findings:
- Lack of resources (44 percent), complexity (44 percent) and inability to get started (43 percent) represent the top three barriers to risk management goals.
- On managing risk across the enterprise, 53 percent describe the working relationships between finance, operations, compliance, legal and IT as "operating in silos," with little collaboration between departments.
- 69 percent of organizations don't rate assets based on their criticality.
- Of the organizations that had a formal budget dedicated to enterprise risk management, 58 percent said they planned to spend between $1 million and $5 million on risk management solutions in the upcoming fiscal year.
"It's encouraging that organizations are increasingly becoming more aware about the importance of risk and the growing need to understand their risk environment," said Joe Fantuzzi, CEO of RiskVision, which sponsored the survey. "That said, there is a big disparity between awareness and implementation of risk management practices in the enterprise."
The survey also found that most companies don't do a good job of measuring their risk management efforts. Only 31 percent said they had specific metrics for determining the effectiveness of the program, while 60 percent said they did not and another 9 percent weren't sure. For companies that did have metrics, the most common were: time to contain threats and attacks (45 percent), time to identify and pinpoint high-risk areas (43 percent), reduction in unplanned system downtime (43 percent), and reduction in the number of policy violations (36 percent).
Joseph McCafferty is head of audit content for MIS Training Institute. He can be reached at firstname.lastname@example.org.