It’s not just data breaches that worries Corporate America when it comes to risk management—in fact, long-term brand reputation damage and the resulting negative PR is the greatest fear of poor risk strategy. Enterprise risk intelligence company RiskVision recently announced the results of its global enterprise risk intelligence survey, The Imperative to Raise Enterprise Risk Intelligence, conducted by the Ponemon Institute, examining the state of risk in enterprise environments and organizations’ overall approach to risk management.
Among the most significant findings is that three quarters of organizations lack a comprehensive risk management strategy. The biggest fears for companies were long-term damage to brand and reputation (63 percent), followed by security breaches (51 percent), business disruption (51 percent) and intellectual property loss (37 percent).
“In light of numerous large-scale and high profile data breaches in the headlines throughout 2016, organizations are increasingly aware that they need to understand their risk exposure,” said Dr. Larry Ponemon, chairman and founder of the Ponemon Institute, in a news release. “And the biggest fear for most organizations isn’t security breaches, but long-term damage to brand and reputation. While security breaches are costly to detect and remediate, the expenses are finite. On the other hand, expenses around compliance, customer attrition and negative public relations incurred due to the resulting loss of brand and reputation are ongoing, sometimes dragged out for months or even years, and are much more difficult, if not almost impossible, to predict or gauge.”
The survey found that the vast majority of enterprises are aware that managing risk in their organization has become increasingly necessary, with 83 percent maintaining it was either a “significant” or “very significant” commitment for them, and are thus maturing their program. However, more than three quarters of organizations (76 percent) say they either don’t have a clearly defined risk management strategy in place or the one that they have isn’t applicable to the entire enterprise, representing a significant disconnect between desired risk management practices, and what they can realistically achieve. What’s more, only 14 percent of respondents believe that their organization’s risk management processes were truly “effective.”
Other key findings include:
- The majority (52 percent) of organizations lack a formal budget for enterprise risk management.
- 63 percent fear reputational damage, followed by security breaches (51 percent) and business disruption (51 percent) as the biggest consequences resulting from lack of risk management.
- Lack of resources (44 percent), complexity (44 percent) and inability to get started (43 percent) represent the top three barriers to risk management goals.
- With respect to managing risk across the enterprise, 53 percent describe the working relationships between finance, operations, compliance, legal and IT as “operating in silos,” with little collaboration between departments.
- 69 percent of organizations don’t rate assets based on their criticality.
- 69 percent of enterprises either don’t have metrics for determining risk intelligence effectiveness or are not sure.
- Of the organizations that had a formal budget dedicated to enterprise risk management, 58 percent said they planned to spend between $1 million and $5 million on risk management solutions in the upcoming fiscal year.
“It’s encouraging that organizations are increasingly becoming more aware about the importance of risk and the growing need to understand their risk environment,” said Joe Fantuzzi, CEO of RiskVision, in the release. “That said, there is a big disparity between awareness and implementation of risk management practices in the enterprise. The vast majority of organizations don’t have a risk management strategy in place, while more than two thirds don’t rate assets based on criticality or don’t have metrics for determining risk intelligence effectiveness. You can’t measure what you can’t see. And in light of an increasingly regulated and sophisticated threat landscape, it will be incumbent upon organizations to truly understand the entirety of their risk environment, enabling them to prioritize and address the most critical issues before damaging their reputation beyond the ability to recover.”
The survey examined 641 individuals involved in risk management activities within their organization, with 56 percent in executive and management positions.
Source: Marketwired; edited by Richard Carufel