Riskonnect, the leader in integrated risk management solutions, today released the results of its governance, risk and compliance (GRC) benchmark report. Conducted with Compliance Week, the market survey found that while organizations value enterprise-wide risk management, only 20% have fully integrated processes and technology, which means most companies are leaving themselves vulnerable to legal, financial, regulatory and reputational risks.
The study polled 113 compliance, audit and risk executives from around the world to get a better sense of the state of organizations’ risk management capabilities, how effective they are at mapping risks, the GRC metrics they track and more. Aside from a general lack of integration, the benchmark also found that executives have fairly low confidence in their organizations’ ability to manage and map risk: 61% said they are only somewhat confident in their organization’s ability to map ownership to a specific individual or role – with another 15% saying they aren’t confident at all. Similarly, only 18% said they were very confident in their company’s ability to map risk drivers across all functions, and 21% said the same about being able to map each control to a specific risk or requirement.
“Managing organizational risk is becoming more difficult, complex and expensive. The best chance for companies to effectively identify and mitigate new vulnerabilities is to gain a deeper, more complete view of their entire threat landscape,” said Andrea Brody, chief marketing officer at Riskonnect. “This means integrating more points of the business and assigning clear ownership and accountability of risk, so all stakeholders can see where the organization is vulnerable, how those threats relate, their total impact, and the plan for moving forward.”
When asked who leads GRC integration strategies within the organization, the most common answers were the Chief Compliance Officer (29%), Chief Risk Officer (21%), Chief Executive Officer (15%), or the Chief Audit Officer (8%), with 17% indicating their company has no designated role. Other key findings include:
- Not surprisingly, organizations showed the least amount of confidence in being able to identify vendor and other third-party risks – including cyber, reputational, social media, financial, operational and supply chain – with 26% saying they’re not confident in this area at all and another 50% saying they’re only somewhat confident.
- Organizations generally feel the board is getting adequate information about risk and compliance, with 40% saying they are very confident oversight committees get this information to use in establishing objectives.
- The top six most common GRC metrics tracked amongst global organizations include: the number of substantiated allegations of misconduct (50%), risk coverage (46%), number of control violations (41%), number of control test failures (37%), requirement coverage (30%), and total cost of risk, compliance and control activities (30%).
To learn more about the state of organizations’ risk management and mapping capabilities, download the report.
Riskonnect is the leading integrated risk management software solution provider that empowers organizations to anticipate, manage, and respond in real time to strategic and operational risks across the extended enterprise. Through its unique risk correlation technology, over 900 customers across six continents are benefitting from actionable insights that have not been previously attainable to deliver better business outcomes. To learn more, visit riskonnect.com.