Why GRC Matters: 50 Risk & Compliance Statistics

In today’s uncertain business environment, governance, risk, and compliance (GRC) management is more important than ever.

Why? As you’ll see in this this roundup of GRC statistics, many organizations are facing serious challenges in enterprise risk management, regulatory compliance, cybersecurity, vendor management, and other areas. And with regulators and examiners scrutinizing companies’ risk and compliance management practices more closely, it pays to be prepared.

Browse through these recent statistics and benchmarks for an overview of the current risk management landscape and how organizations like yours are coping with increasing risk levels, regulatory burden, and other GRC challenges.

Risk Management Statistics

57% of senior-level executives rank “risk and compliance” as one of the top two risk categories they feel least prepared to address. 19

Only 36% of organizations have a formal enterprise risk management (ERM) program. 8

69% of executives are not confident that their current risk management policies and practices will be enough to meet future needs. 19

62% of organizations have experienced a critical risk event in the past three years. 8

Of those organizations that experienced a critical risk event, they saw the most significant consequences (producing large or severe impact) in the following categories: 8

• Employee productivity (62%)
• Operational efficiency (e.g. disrupted systems, processes, etc.) (59%)
• Employee safety (29%)
• Competitive differentiation (29%)
• Brand and reputation (28%)

Banks rank their top three risk management challenges as: 1) Operational risk (including cyber risk and third-party risk), 2) Regulatory compliance, and 3) Credit risk. 18

Financial institutions rank their top risk management priorities as: 6

• Enhancing the quality, availability, and timeliness of risk data (79%)
• Enhancing risk information systems and technology infrastructure (68%)

Financial institutions rank their top ERM program priorities as: 6

• Collaboration between business units and the risk management function (66%)
• Managing increasing regulatory requirements and expectations (61%)
• Establishing and embedding the risk culture across the enterprise (55%)

Boards devote a relatively small amount of their meeting time to risk management — about 9% on average. 16

Only 6% of directors believe their organization’s board is effective at managing risk. 16

65% of organizations are operating “reactive” or “basic” policy management programs (as opposed to maturing or advanced). 3

44% of organizations plan to implement or expand/upgrade their existing implementation of GRC or risk management software. 8

Compliance Management Statistics

More than 900 regulatory agencies issued a combined 200+ regulatory updates every day, on average, in 2017. 20

Compliance officers rank “continuing regulatory change” as their biggest challenge. 20

Only 27% of chief compliance officers strongly agree that their organization’s compliance function has a change management process in place to both identify and incorporate regulatory and legal changes and to integrate those changes into their policies and procedures. 12

$10,000: Average regulatory costs per employee for organizations, regardless of size. 2

$59 billion: The amount corporations paid out in penalties for U.S. regulatory infractions in 2015. This number grew by more than five times between 2010 and 2015. 15

Credit unions in the U.S. face a combined $6.1 billion in annual regulatory costs, or about 15% of operating expenses. 5

Effective GRC reduces compliance costs. Implementing the following best practices resulted, on average, in significant savings for the organizations who participated in a benchmark compliance study: 10

• Centralized governance = $3.01 million in savings
• Compliance audits = $2.86 million in savings
• Integration with security and privacy functions = $2.02 million in savings
• Incident response processes = $1.89 million in savings
• Enabling compliance technology = $1.43 million in savings
• Regulatory monitoring = $1.02 million in savings

Only 47% of chief compliance officers say that their organization has an enterprise-wide reporting system and across functions and business units that integrates with compliance monitoring. 12

Less than three-quarters (69%) of organizations are leveraging technology to support their compliance initiatives. 12

Cybersecurity Statistics

87% of organizations see tech risk management as a siloed, reactive process rather than “an organization-wide function for proactive risk management.” 13

32% of organizations were victims of a major cyber attack in 2017. 13

130: The average number of security breaches per organization each year. 1

$11.7 million: Organizations’ average annual spending on cybercrime incidents and recovery. Average costs escalate to more than $17 million for businesses in the financial services and energy/utilities industries. 1

Nearly 60% of executives rank cybersecurity as one of their organization’s top five risks. 14

Over 75% of executives report that their organizations either have no method to measure cyber risk (49%) or they don’t know if their organization measures risk exposure (27%). 14

Only 18% of organizations have a cybersecurity incident response plan. 14

Only 18% of organizations leverage automated processes for IT risk data collection and reporting, even though this methodology provides the most proactive approach to risk mitigation. 13

Only 13% of organizations consistently use key risk indicators (KRIs) to understand and manage IT risk. 13

Internal Audit Statistics

Only 30% of internal audit departments effectively leverage advanced data analytics to identify and assess risk. 11

Fewer than half (48%) of internal audit departments identify and monitor key risk indicators (KRIs). 11

Cybersecurity and data protection is a top area of concern, with 70% of chief audit executives ranking cyber risk as high or very high at their organizations. 11

The average audit department dedicates only 4% of its resources to vendor risk assurance. 11

48% of chief audit executives view their organization’s oversight of third-party relationships as ad-hoc, weak, or nonexistent. Only 9% describe their vendor monitoring process as strong. 11

60% of chief audit executives say that internal audit rarely or never provides assurance on management information sent to the board. 11

Vendor & Third-Party Risk Management Statistics

57% of organizations don’t keep an inventory of all the third parties with which they share sensitive information. 17

60% of organizations feel underprepared to perform due diligence on their vendors. 17

Only 31% of financial institutions consider their management of cybersecurity risks from third-party providers to be very or extremely effective. 6

57% of organizations aren’t confident that their vendor management policies would prevent a data breach. 17

Only 31% of organizations manage third-party risk and issue tracking through an enterprise-wide tool capable of monitoring key risk and performance indicators (KRIs, KPIs). 12

Only 4% of organizations feel that their third-party risk management tools fully integrate and capture overall risk for reporting purposes. 9

Financial institutions find fourth-party management to be especially challenging. 60% of organizations that identify fourth parties do not maintain an inventory for monitoring and  governance. Nearly 80% of organizations rely on their own third parties to monitor and assess fourth parties. 9

Business Continuity Management (BCM) Statistics

22% of organizations plan to make major revisions to their BCM strategies and/or business continuity plans in 2019. 4

There is room for improvement in how organizations understand and measure business requirements and risks as part of their BCM strategy. More than a quarter of organizations (26%) have not formally conducted a business impact analysis (BIA), while a similar proportion (just under 28%) have not formally conducted a risk assessment. 7

Nearly 69% of organizations feel that business continuity / operational risk levels are increasing, ranking the top three drivers as: 7

• Increased threat of cyber attacks
• Increased reliance on technology
• Increasing frequency and intensity of natural disasters and extreme weather

More than half (51.75%) of organizations use internal or ad hoc tools and methods (such as spreadsheets and documents) to manage their business continuity plans. This trend is changing, as 40% are now using dedicated business continuity planning software, which is “essential for complex organizations, particularly those with limited staff, and with the growing importance of BC to business operations and strategy.” 7

56% of organizations lack a formal program for assessing the BC readiness of third parties. 7

For the 75% of organizations that have invoked their business continuity plan in the past five years, the top five lessons learned from the process included: 7

• There had not been enough training and awareness efforts across the organization
• Plans did not adequately address organization-wide communication and collaboration
• Plans did not adequately address workforce recovery requirements
• Plans did not account for downstream impact of the crisis/event/incident (e.g. transportation disruptions, disruption of critical infrastructure, etc.)
• Plans had too many built-in assumptions (e.g. availability of staff, ability to communicate, availability of critical infrastructure, etc.)

Only 27% of organizations rank their BC program maturity as a 4 or 5 (measured or optimized) out of 5, according to COBIT maturity level definitions. The remaining 73% fall into maturity levels 0­–3 (nonexistent, ad hoc, repeatable, or defined). 7

The Takeaway

To prepare for new and emerging threats and evolving risk and compliance management requirements, organizations need a strong framework for strategic GRC.

Management consulting firm Ernst & Young (EY) suggests that businesses need a “‘single source of truth’ that defines one single risk and compliance management approach for the entire organization.” This approach to GRC is integrated and fully digitized, enabling continual monitoring and the ability to support business strategy and decision-making.

But this is difficult without the right technology — technology that unites GRC in a single platform, rather than a combination of ad hoc or manual solutions.

Learn how the Quantivate GRC Software Suite offers a better approach, with built-in integration that unlocks powerful data-sharing and automation capabilities for more effective risk management and more strategic decision-making. Our solutions address critical risk areas like business continuity, vendor management, regulatory compliance, and more.

Schedule a demo or visit our GRC Resource Center to learn more.

---

Sources:

1. Accenture / Ponemon Institute, Cost of Cyber Crime Study, 2017
2. Competitive Enterprise Institute, Ten Thousand Commandments: An Annual Snapshot of the Federal Regulatory State, 2018
3. Compliance Week, “Best Practices in Policy Management,” 2018 June 25
4. Continuity Central, “Business Continuity Trends and Challenges 2019: Survey Results,” 2019 January 18
5. Credit Union National Association (CUNA), Regulatory Burden Financial Impact Study: An Elevated New Normal, 2017
6. Deloitte, Global Risk Management Survey, 11^th Edition, 2019
7. Disaster Recovery Journal (DRJ) / Forrester Research, The State of Business Continuity Preparedness, 2018
8. Disaster Recovery Journal (DRJ) / Forrester Research, The State of Enterprise Risk Management, 2019
9. Ernst & Young, Global Financial Services Third-Party Risk Management Survey, 2018
10. Globalscape / Ponemon Institute, The True Cost of Compliance with Data Protection Regulations, 2017
11. Institute of Internal Auditors (IIA), North American Pulse of Internal Audit: Defining Alignment in a Dynamic Risk Landscape, 2019
12. KPMG, The Compliance Journey: Boosting the Value of Compliance in a Changing Regulatory Climate, 2017
13. KPMG / Forbes Insights, Disruption Is the New Norm: Tech Risk Management Survey Report, 2018
14. Marsh & McLennan Agency, Managing Cybersecurity: The Cyber Risk Perception Survey, 2018
15. McKinsey & Company, “Are You Prepared for a Corporate Crisis?,” 2017 April
16. McKinsey & Company, “Value and Resilience Through Better Risk Management,” 2018 October
17. Opus / Ponemon Institute, Data Risk in the Third-Party Ecosystem, 2017
18. Risk Management Association, “RMA Regulatory Survey Reveals Banks’ Concerns,” 2019 21 March
19. Ropes & Gray / The Financial Times Group, Risky Business: Mitigating Exposure Through Comprehensive Risk Management, 2017
20. Thomson Reuters, Cost of Compliance, 2018