Many organizations’ enterprise risk management capabilities aren’t as integrated as they need to be, leaving them vulnerable to legal, financial, regulatory, and reputational risks.
This is just one of many key findings in a new governance, risk, and compliance benchmark report, conducted by Compliance Week in partnership with Riskonnect. The survey also revealed that:
- 44% of respondents have standardized some processes and technology, but not across the entire enterprise.
- 35% of respondents said their processes and technology remain largely siloed.
- 20% of respondents said their processes and technology are well integrated across the organization.
Knowing vs Doing
While risk professionals know that it’s better to manage risk holistically – and use technology to do that – knowing is not the same as doing. “In my experience, most organizations rely on localized and manual solutions for all kinds of risk management needs,” says Quin Rodriguez, vice president of strategy and innovation at Riskonnect. “This amounts to complex, confusing, tangled webs of IT systems and data sources that can’t support effective enterprise risk management.”
Less than one-third of respondents (28%) are “very confident” that they are able to identify threats that give rise to risks and compliance needs. Approximately 8% are not confident at all, and the remainder are “somewhat confident.”
Aiming for Integration
“If integrated risk management is the corporate goal, a key strategy to get risk management working effectively and efficiently throughout the enterprise is to adopt a unified framework and create a common risk vernacular,” he adds.
According to the survey, the top five key performance indicators tracked by respondents are:
- Number of substantiated allegations of misconduct (50.44%)
- Risk coverage (46.02%)
- Number of control violations (42.28%)
- Number of control-test failures (37.17%)
- Total cost of risk, compliance, and control activities (30.09%)
Only 21% of respondents, however, say they are “very confident” in their organization’s ability to map each control to a given risk or requirement. Some 14% are not confident at all, and the remainder fall somewhere in the middle.
Responsibility for leading strategy around integrating GRC processes falls most often to the chief compliance officer (29%), followed by the chief risk officer (21%). Nearly 1 in 5 respondents said they have no such role.
No matter who is leading the charge, it is essential to be able to map ownership of each risk, requirement, and control to a specific individual or role. However, just 24% of respondents are “very confident” that ownership is mapped to a specific person. Another 61% are only somewhat confident, and 15% are not confident at all.
“This is concerning because if you don’t designate an owner of a risk, then how do you manage it? Who do you hold accountable?” says Rodriguez.
The majority of respondents (64%) also said they are only moderately confident in their organization’s ability to map risks to the risk drivers across functions, and 18% are not confident at all.
“Having the ability to integrate more points of the business allows organizations to really automate the risk controls process,” explains Rodriguez. “It allows people to see the risk landscape far better than they ever had before and understand the impact it has on their organization.”
The survey was conducted by Compliance Week, in partnership with Riskonnect. A total of 113 compliance, risk, and audit executives from around the world were polled to get a read on their organizations’ risk management capabilities, how effective they are at mapping risks, what metrics they track, and more.
For more on the survey results, plus a real-world look at corporate compliance programs, please join our webinar, Keeping Up with the Speed of Risk in the Digital Age, on September 5 at 1 p.m. EDT. Quin Rodriguez and Jason Mefford will be discussing the digital revolution, its impact on risk and compliance, and how organizations are responding.