More than a decade since enterprise risk management became an accepted part of modern corporate management, most companies are still doing ERM the old-fashioned way: manually. That’s the finding of two recent surveys, one conducted by Deloitte & Touche and the other by KPMG.
The Deloitte survey of 192 companies finds that despite the availability of automated risk management tools, only 25% of respondents say they continuously monitor risk. More than two-thirds say they only periodically monitor risk across their organizations.
“We were surprised to find how much the level of analytics and of continuous monitoring of risks still lags,” says Henry Ristuccia, managing risk partner at Deloitte. “In part, the tools are still evolving,” Ristuccia explains, but he adds there are other problems too. “We still hear people say, for example when it comes to reputation risk, ‘Oh, we have a PR firm that monitors that,’ but that’s a response, not managing of risk.”
While 27% of companies say they monitor financial risks continuously, that percentage falls to 14% when it comes to political and geopolitical risk, and 15% for human capital risks.
KPMG, for its part, surveyed 100 executives at a recent Archer GRC meeting and found just 16% say their companies have set up an automated risk management process, despite the availability of such systems. “This was a group of people who were there to look at automatic products,” says Greg Bell, lead partner at KPMG for information protection and business resiliency. “That really raised our eyebrows!”
“The basic hypothesis about the governance, risk and compliance is that if you get more information and collect all the data you can, you can make a dashboard” to monitor all the risks, says Bell. “The reality is that people are having a hard time automating. There are a lot of organizational and geographical silos, and different ways that different divisions and different regions view risk. This can create significant barriers.”
Many companies still need to work at defining risk, Bell adds. “There are tools for automating the ERM process,” he explains, “but a lot of groundwork has to be done first, or automation won’t help.”
Change appears to be on the way, though, both studies found. As KPMG’s Bell notes, the executives at the Archer GRC Summit were there to look at ERM products, so it’s likely that at least some of them will go home with plans to introduce more automated ERM systems. Meanwhile, 91% of respondents to Deloitte’s survey say their companies plan to reorganize and reprioritize their approach to ERM over the next three years, with 55% saying that this will happen over the course of the next year. Of these, a third say they will be incorporating new technology.
For an earlier story about Talecris Biotherapeutics’ use of automated risk management processes, see Monitoring the Monitors.