Global organizations are facing significant gaps in enterprise risk management (ERM), according to the latest Riskonnect market survey.
Riskonnect’s “Governance, Risk, And Compliance (GRC) Benchmark Report,” which was conducted as part of Compliance Week, polled 113 compliance, audit, and risk executives from around the world to become more familiar with organizations’ risk management capabilities and how effective they are at mapping risks.
The report revealed that only 20% of organizations have fully integrated processes and technology – leaving them vulnerable to legal, financial, regulatory, and reputational risks.
It also found that many executives are not very confident in their organization’s ability to manage and map risk – with 61% saying they’re only somewhat confident and 15% saying they aren’t confident at all.
When asked who leads GRC integration strategies within the organization, 29% of the respondents answered the chief compliance officer, 21% the chief risk officer, 15% the chief executive officer, and 8% the chief audit officer, while 17% said that their company doesn’t have any designated role for the task.
The organizations also showed the least confidence in their ability to identify vendor and third-party risks, including cyber, social media, supply chain, operational, and reputational risks – with 26% saying they’re not confident at all and 50% saying they’re only somewhat confident.
Meanwhile, the six most common GRC metrics tracked by global organizations are: substantiated allegations of misconduct (50%); risk coverage (46%); number of control violations (41%); number of control test failures (37%); requirement coverage (30%); and total cost of risk, compliance, and control activities (30%).
Andrea Brody, chief marketing officer at Riskonnect, commented that managing organizational risk is becoming more difficult, complex, and expensive.
“The best chance for companies to effectively identify and mitigate new vulnerabilities is to gain a deeper, more complete view of their entire threat landscape,” Brody said.
“This means integrating more points of the business and assigning clear ownership and accountability of risk, so all stakeholders can see where the organization is vulnerable, how those threats relate, their total impact, and the plan for moving forward.”