Risk management programs don't address today's risk environment

Despite the increasing pervasiveness of digital risks, many risk management programs are not maturing quickly enough to keep pace, according to AuditBoard’s 2022 Digital Risk Maturity Survey.

Today, enterprises are more digitally dependent than ever, investing heavily in digital transformation efforts to modernize, gain efficiencies, and adapt to the enduring environment caused by the COVID-19 pandemic. AuditBoard’s Digital Risk Maturity Survey sought to discover how enterprises currently undertake digital risk management by surveying more than 125 risk leaders across various industries about their approaches to navigating today’s dynamic risk environment.

3 key results of the survey:

1. Enterprises are maturing, but not fast enough

While more than 90% of respondents have digital risk on their radar, only 30% are at a stage of maturity where they are actively mitigating digital risks.
Over 69% revealed their organization is at an early stage of defining and assessing digital risks and not yet mitigating or monitoring them continuously.
Fragmented audit, risk, and compliance practices are a key reason for lagging maturity. Respondents reported managing digital-related risks separately as part of IT/cybersecurity (32%), operational risk (11%), enterprise risk (31%), or other areas of risk management (18%).
Meanwhile, 78% of respondents have placed ownership of digital risks with functions outside of business operations (such as IT or security), leading to the inappropriate categorization of these risks as technical or compliance-only and creating siloed risk management efforts. Security and risk teams may need to make changes to keep pace with management and board expectations to get ahead of digital threats.

2. Enterprises are struggling to generate reportable metrics to quantify digital risk

84% of respondents currently do not report measurable metrics to their management.
Of the minority who claim to use reportable metrics, 89% describe the activity as measuring only one component of digital risk, such as technology or fraud.
The results indicate that most enterprises have not yet reached the level of maturity to capture the metrics needed for continuous risk monitoring throughout their digital transformation journey, despite the critical importance of analytics to a successful risk management program.

3. Investing in risk management technology is essential to keep pace with expanding digital risks

While 38% of respondents said they manage digital risk manually using spreadsheets, shared drives, and email, over half (51%) reported using some form of risk management software.
Of those leveraging technology, 32% report using cloud-based risk management software. Analyzing data provided either directly by a third party or indirectly through an independent data source is essential for such a complex risk environment.
This underscores the importance of cloud-based technology, whose integration capabilities ensure the transfer of large amounts of data between systems.

From the boardroom to the C-suite, business leaders must make digital risk management a top priority to safeguard their success, says John Wheeler, former Gartner IRM Analyst and Senior Advisor, Risk and Technology at AuditBoard. “To achieve better visibility and understanding of strategic, operational, and technology risks across the business landscape, enterprises must adopt an integrated risk approach supported by the right technology — allowing them to accelerate program maturity and actively manage digital risk in today’s increasingly volatile environment.”

Maria Henriquez is a former Associate Editor of Security. She covered topics including cybersecurity and physical security, risk management and more.

ON DEMAND: In this webinar, Regina Lester, Vice President of Security & Safety Operations at Toledo Zoo, will share her insights on implementing security technologies in the entertainment sector and the challenges all organizations face — large and small — when it comes to balancing budget and security.