While risk management is a "significant" commitment for organizations, 76 percent of enterprises lack a holistic strategy, and more than 70 percent are in the dark about critical assets and vulnerabilities, according to a new survey.
"The Imperative to Raise Enterprise Risk Intelligence" study examines state of risk in enterprise environments and organizations' overall approach to risk management. Among the most significant findings was three-quarters of organizations lack a comprehensive risk management strategy. The biggest fears for organizations were long-term damage to brand and reputation (63 percent), followed by security breaches (51 percent), business disruption (51 percent) and intellectual property loss (37 percent).
Conducted by the Ponemon Institute and sponsored by RiskVision, the survey examined 641 individuals involved in risk management activities within their organization, with 56 percent in executive and management positions.
"In light of numerous large-scale and high profile data breaches in the headlines throughout 2016, organizations are increasingly aware that they need to understand their risk exposure," said Dr. Larry Ponemon, chairman and founder of the Ponemon Institute. "And the biggest fear for most organizations isn't security breaches, but long-term damage to brand and reputation. While security breaches are costly to detect and remediate, the expenses are finite. On the other hand, expenses around compliance, customer attrition and negative public relations incurred due to the resulting loss of brand and reputation are ongoing, sometimes dragged out for months or even years, and are much more difficult, if not almost impossible to predict or gauge."
The survey found that the vast majority of enterprises are aware that managing risk in their organization has become increasingly necessary, with 83 percent maintaining it was either a "significant" or "very significant" commitment for them, and are thus maturing their program. However, more than three quarters of organizations (76 percent) say they either don't have a clearly defined risk management strategy in place or the one that they have isn't applicable to the entire enterprise, representing a significant disconnect between desired risk management practices, and what they can realistically achieve. What's more, only 14 percent of respondents believe that their organization's risk management processes were truly "effective."
Other key findings include:
- The majority (52 percent) of organizations lack a formal budget for enterprise risk management.
- 63 percent fear reputational damage, followed by security breaches (51 percent) and business disruption (51 percent) as the biggest consequences resulting from lack of risk management.
- Lack of resources (44 percent), complexity (44 percent) and inability to get started (43 percent) represent the top three barriers to risk management goals.
- With respect to managing risk across the enterprise, 53 percent describe the working relationships between finance, operations, compliance, legal and IT as "operating in silos," with little collaboration between departments.
- 69 percent of organizations don't rate assets based on their criticality.
- 69 percent of enterprises either don't have metrics for determining risk intelligence effectiveness or are not sure.
- Of the organizations that had a formal budget dedicated to enterprise risk management, 58 percent said they planned to spend between $1 million and $5 million on risk management solutions in the upcoming fiscal year.