The current state of risk management
The Ponemon Institute, which I have previously referred to in my posts as the publisher of reports on cyber, recently shared the results of their survey on risk management.
The Imperative to Raise Enterprise Risk Intelligence: Inside the Promise & Pitfalls of Enterprise Risk Management has some interesting content.
The results are disturbing, but unfortunately what I had anticipated.
It is important to note that the 641 who answered the survey were involved in risk management within their organization. So the results are skewed towards having some level of formalized risk management. In other words, they are better than the general population. It is also important to recognize that most of the respondents are IT folk and some of the questions reflect the author’s IT orientation as opposed to a general business one.
The report, as so many, has to define risk management in its own way. But, frankly, it’s not bad. They break it down into risk management and risk intelligence.
In the context of this research we define enterprise risk management as the application of rigorous and systematic analysis techniques to the evaluation of risks that impact the whole organization including information assets and IT infrastructure. Cyber risk management is considered a component of enterprise risk management.
We define enterprise risk intelligence as the insight necessary to drive actionable business decisions related to governance, risk and compliance. It is the organization’s ability to think holistically about risk and uncertainty, speak a common risk language, and effectively use realtime information and forward-looking risk concepts and tools to maximize business performance.
Ponemon tells us that only 24% of respondents said they have a risk management strategy that is clearly defined and pertains to the entire enterprise. They don’t define what they mean by a risk management strategy, so I can’t comment further.
But this is key.
“…only 43 percent of respondents say enterprise risk intelligence integrates well with the way our business leaders make decisions.”
I have to wonder whether the business leaders would agree with that assessment by the risk practitioners!
This adds fuel to that fire.
“A lack of collaboration among organizational functions is a barrier to an effective enterprise risk management program. 53 percent of respondents say their finance, operations, compliance, legal and IT functions do not collaborate on enterprise risk management activities. Only 8 percent of respondents say these functions fully collaborate in enterprise risk management activities.”
A lack of resources and an inadequate budget are identified as barriers.
But here is the key question.
If the leaders of the organization are not persuaded that risk management is adding value by enabling success, and believe that there are better ways to invest scarce resources, why should we surprised that the risk management activity is under-funded?
This is demonstrable when “30 percent of respondents say no one person has overall responsibility to ensure the risk management program is well executed”.
The Appendix contains some valuable pieces of information. Here are two:
- Only 32% say their organization has a very significant commitment to enterprise risk management.
- On a scale or 1 (low) to 10 (high), just 14% of the respondents rated the effectiveness of their risk management activity as a 9 or 10.
So what do we make of this?
Let’s start with some unpleasant facts!
- Our business leaders are not idiots. If they have not invested in risk management, there’s a reason! They are not convinced it will help them succeed. They see it as a compliance activity that costs time and money, checks the box for the board and regulators, but doesn’t help them be successful.
- If they saw risk management as helping them make better decisions, you can bet they would invest in it!
- They can be persuaded, not by words but by action.
- Risk practitioners too often are focused on managing risks instead of achieving business objectives. There’s a huge difference.
- Risk practitioners don’t connect with business executives because they talk technobabble instead of the language of the business. A discussion of risk appetite or a risk appetite framework is not something that any executive focused on results will want to attend.
- The traditional approach to risk management, a list of top risks, is not going to work. It hasn’t worked for decades so why should it now?
- Satisfying the board but not top management is not a recipe for long-term success.
- The risk practitioner has to think out of the box. Understand what the company’s leaders need to be successful and make intelligent and informed decisions, then deliver it.
I welcome your comments.