In an era when many organizations appear to have successfully digitized critical processes through software and reduced them to keystroke control for greater efficiency, it may come as a surprise that many companies still rely on traditional manual mechanisms to manage and embed a process that can stand as a defense against high-risk challenges - enterprise risk management.
Enterprise risk management (ERM), in one form or another, has been a requisite staple in large organizations that seek to mitigate and effectively manage many areas of risk. Indeed, after the financial crisis in 2009, many organizations took a closer look at their ERM processes to make sure they were working to effectively manage their most challenging risks.
Yet, during a recent KPMG presentation at the 2012 RSA Archer GRC Summit in Chicago, June 5-7, almost two-thirds (64 percent) of over 100 participants polled in a pulse survey described their ERM process as “manual” as opposed to using a data warehouse (20 percent) and automated (16 percent).
What made this result perhaps even more surprising is that the largest number of participants polled - 47 percent - also work in what is indisputably one of the most IT-reliant industries - financial services. These participants were followed by those in the equally tech savvy technology and telecommunications (19 percent) and healthcare and pharmaceuticals industries (9 percent).
These industries tend to be highly regulated and should rely on technology to better manage their risk and compliance. It is also important for their oversight functions, e.g. internal audit, compliance, SOX, etc. to be able to sufficiently align and integrate risk-related information. Given the volume of risk information, technology enablement appears to be inevitable.
With the constant flow of new federal legislation, coupled with requisite compliance requirements, it is perhaps no surprise that participants in the KPMG pulse survey cited “response to regulatory requirement or expectation” as the strongest influencer (40 percent) on their organization’s interest in ERM, followed closely by “risk mitigation” (38 percent). Less than 10 percent chose “improve business performance” as a reason for interest in ERM.
Despite the need for near-constant attention to risk mitigation and oversight, organizations continue to struggle with how best to manage their ERM processes to make them more efficient and effective. Participants in the KPMG pulse survey overwhelmingly (50 percent) cited “organizational or geographical silos and politics” as the main impediment to effective ERM. This was followed by “lack of resources” (19 percent), “conflicting priorities” (12 percent), and “unclear benefits” (11 percent). The cost of ERM software and Board or Executive resistance (4 percent, respectively) lagged farther behind.
Despite what would appear to be a real need to create a risk-aware culture, few organizations seem to have a formal ERM training and/awareness program. Indeed, only 17 percent of those polled said they did have such a program in their organization, while 40 percent responded they had a “somewhat” formal training and awareness program compared to 43 percent that did not.
Finally, in an era when many organizations are trying to formally align organizational processes with strategic initiatives, ERM appears to be a major strategic driver. Two-thirds of those polled said their organization formally aligned ERM with strategic initiatives either “extremely well,” “good” or “moderate,” compared to slightly more than one-third that rated their organization’s ability as either “poor” or “extremely poor.”
KPMG has helped many organizations develop risk management programs through its ERM and Governance, Risk, and Compliance (GRC) services. The firm also recently published a thought leadership piece, A Good Offense is the Best Defense: Managing Regulatory Compliance with GRC, that describes how organizations can manage the ever-constant flow of federal regulations and requisite compliance by using a holistic GRC approach.
For more information about this recent pulse survey, please contact:
Governance, Risk, and Compliance
Information Protection and
IT GRC practice