That is a question that State of Enterprise Risk Management 2020, from ISACA®, CMMI Institute® and Infosecurity Group, attempted to answer. They “surveyed a global population of over 4,500 professionals involved in risk decisions for large and small enterprises, across six continents and all industries, from manufacturing to government and financial services, and every industry in between”.
My opinion is that if you want to know how effective risk management is, you should ask the customer and not the provider.
Pretty much every survey of top executives and board members has, for years, told us that they do not see risk management as much more than a compliance exercise, something you do because you have to: a requirement of governance codes and boards urged on by consultants. World-class, effective risk management helps people make the informed and intelligent decisions necessary for success. It helps the management of success rather than failure.
But the report does have some interesting comments, including (with my highlights):
- …practitioners who make risk decisions on behalf of their enterprises (e.g., risk managers, cybersecurity specialists, auditors, and governance and compliance practitioners) can be directed to advocate so strenuously and so often in favor of risk reduction that they can sometimes forget that risk management is about optimizing risk rather than removing it entirely.
- They may focus on unexpected or unplanned events that may impact profitability, competitiveness or reputation but ignore the fact that failure to incur the right risk can likewise be potentially problematic, by causing enterprises to stagnate, lose competitiveness/market share or otherwise underperform their competition.
- …enterprises question if they are too risk averse or not risk averse enough, if they invested the right amount in risk management processes to bring about the correct maturity level to accomplish their goals, and if they implemented the correct steps to ensure optimization.
- Comment: the question of how much to invest in risk management is a critical one, one that should be based on an assessment of its value. Value is created when risk management helps people make the informed and intelligent decisions necessary for success, taking the right risks.
- The survey data show that respondents—particularly those who are at a more senior level in the organizational hierarchy—understand well the most critical risk that challenges their enterprises. They understand both what the risk is—as well as the consequences—should undesirable outcomes occur. Sixty-seven percent of those surveyed indicate that they are either extremely or very familiar with the current business and technology risk facing their enterprise.
- Comment: I doubt that this is true, because most develop a list of risks that are rated high, medium, or low without considering how they might affect the business and its objectives. If we are to run the business wisely, we need to know which business objectives might be affected and by how much – and I see this done very rarely.
- What is interesting is that risk awareness correlates to seniority. As the respondent seniority level increases, the more aware they are of the risk that their enterprise faces. Eighty-six percent of respondents at an executive-level job, 80 percent of respondents at a director-level job, 66 percent of respondents at a manager-level job and 55 percent of respondents at a staff-level job are either extremely or very familiar with the business and technology risk.
- Comment: consider me a skeptic. The recent IIA report (which I wrote about last month) talks about a disconnect between those in senior positions and those in the trenches. It could easily be the case that the executive practitioners (such as the CRO, CAE, and CISO) think they understand the risks but are mistaken. The people closer to business operations may have a better understanding. In any case, I doubt any of them have analyzed the likelihood of achieving objectives, taking into account everything that might happen, both good and bad.
- Although over 80 percent of respondent enterprises undertake basic risk management steps, the maturity of the risk management process is, on the whole, less than expected given the relatively high adoption of these steps. Only 38 percent of respondents indicate that their enterprises have processes at either the managed or optimized level of the maturity spectrum for risk identification, which is one of the highest adopted risk management steps. Only 63 percent of respondents report having defined processes for risk identification. Results for risk assessment maturity were similar—42 percent at the managed or optimized level and 64 percent having defined processes.
- Comment: it would be much more useful to see how many look at the big picture rather than trying to manage one risk at a time. Consider the view from the top (achievement of objectives) instead of from the weeds. Are decision-makers getting and then using the information they need to take the right risks for success?
- When asked about cybersecurity risk tolerances, only 35 percent of respondents report that their enterprise has a defined (either completely defined or very defined) view of the risk tolerances for their organization.
- Comment: why is it that so few perform a business impact analysis? How would a breach affect the business and its objectives? How likely is a breach of that magnitude? How much should we spend to mitigate that effect or reduce its likelihood? What is the best business decision?
- Most risk managers intuitively understand that cybersecurity is a significant area of risk for their enterprises. Survey respondents report information/cybersecurity risk as the most critical risk category facing their enterprises; it is cited as the single most critical risk, with almost double the percentage of the next closest critical risk type (29 percent, compared to a distant second-place reputational risk at 15 percent). Moreover, reputational risk, the second highest type of risk cited, can be a consequence of a cybersecurity risk.
- Comment: they may understand it intuitively because that’s what the consultants keep saying. But is it? Have they done any form of business impact analysis? Actual breaches have, on average, had minimal effect on business success.
- The goal of effective risk management is not always to completely remove risk. Risk, when judiciously and strategically undertaken, can lead to competitive advantage, opportunities to better achieve the enterprise mission, entering new markets and numerous other advantages. Instead, the goal should be to ensure that the right risk is being taken in a manner that is judicious and alert to the possibility of potential failure, while ensuring that unnecessary risk—or risk that is out of conformance with the enterprise risk appetite—is avoided.
- Comment: absolutely, although I am not in sync with the last part – unless you define risk appetite as the desired level of certainty that you will achieve or exceed your objectives.
I welcome your comments.