More than a decade since enterprise risk management became an accepted part of modern corporate management, most companies are still doing ERM the old-fashioned way: manually. That’s the finding of two recent surveys, one conducted by Deloitte & Touche and the other by KPMG.
The Deloitte survey of 192 companies finds that despite the availability of automated risk management tools, only 25% of respondents say they continuously monitor risk. More than two-thirds say they only periodically monitor risk across their organizations.
KPMG, for its part, surveyed 100 executives at a recent Archer GRC meeting and found just 16% say their companies have set up an automated risk management process, despite the availability of such systems. “This was a group of people who were there to look at automatic products,” says Greg Bell, lead partner at KPMG for information protection and business resiliency. “That really raised our eyebrows!”
“The basic hypothesis about governance, risk and compliance is that if you get more information and collect all the data you can, you can make a dashboard” to monitor all the risks, says Bell. “The reality is that people are having a hard time automating. There are a lot of organizational and geographical silos, and different ways that different divisions and different regions view risk. This can create significant barriers.”