Global organizations ‘face significant gaps in enterprise risk management’
- Published: Wednesday, 28 August 2019 08:23
New GRC survey uncovers mixed levels of executive confidence in organizations’ ability to manage risks, map ownership and identify third-party vulnerabilities.
Riskonnect has released results from its new governance, risk and compliance (GRC) benchmark report. Conducted with Compliance Week, the market survey found that while organizations value enterprise risk management, only 20 percent have fully integrated processes and technology, which the report argues leaves most companies exposed to legal, financial, regulatory and reputational risks.
The study polled 113 compliance, audit and risk executives from around the world to get a better sense of the state of organizations’ risk management capabilities, how effective they are at mapping risks, the GRC metrics they track and more. Aside from a general lack of integration, the benchmark also uncovered that executives have fairly low confidence in their organizations’ ability to manage and map risk: 61 percent said they are only somewhat confident in their organization’s ability to map ownership to a specific individual or role – with another 15 percent saying they aren’t confident at all. Similarly, only 18 percent said they were very confident in their company’s ability to map risk drivers across all functions, and 21 percent said the same about being able to map each control to a specific risk or requirement.
When asked who leads GRC integration strategies within the organization, the most common answers were the Chief Compliance Officer (29 percent), Chief Risk Officer (21 percent), Chief Executive Officer (15 percent), or the Chief Audit Officer (8 percent), with 17 percent indicating their company has no designated role.
Other key findings include:
- Not surprisingly, organizations showed the least confidence in their ability to identify vendor and other third-party risks (including cyber, reputational, social media, financial, operational and supply chain risks): 26 percent said they are not confident in this area at all and another 50 percent said they are only somewhat confident.
- Organizations generally feel the board is getting adequate information about risk and compliance, with 40 percent saying they are very confident oversight committees get this information to use in establishing objectives.
- The six most commonly tracked GRC metrics among global organizations are: the number of substantiated allegations of misconduct (50 percent), risk coverage (46 percent), number of control violations (41 percent), number of control test failures (37 percent), requirement coverage (30 percent), and total cost of risk, compliance and control activities (30 percent).