In today's uncertain business environment, governance, risk, and compliance (GRC) management is more important than ever.
Why? As you'll see in this roundup of GRC statistics, many organizations are facing serious challenges in enterprise risk management, regulatory compliance, cybersecurity, vendor management, and other areas. And with regulators and examiners scrutinizing companies' risk and compliance management practices more closely, it pays to be prepared.
Browse through these recent statistics and benchmarks for an overview of the current risk management landscape and how organizations like yours are coping with increasing risk levels, regulatory burden, and other GRC challenges.
57% of senior-level executives rank "risk and compliance" as one of the top two risk categories they feel least prepared to address. 19
Only 36% of organizations have a formal enterprise risk management (ERM) program. 8
69% of executives are not confident that their current risk management policies and practices will be enough to meet future needs. 19
62% of organizations have experienced a critical risk event in the past three years. 8
Organizations that experienced a critical risk event saw the most significant consequences (large or severe impact) in the following categories: 8
Banks rank their top three risk management challenges as: 1) Operational risk (including cyber risk and third-party risk), 2) Regulatory compliance, and 3) Credit risk. 18
Financial institutions rank their top risk management priorities as: 6
Financial institutions rank their top ERM program priorities as: 6
Boards devote a relatively small amount of their meeting time to risk management: about 9% on average. 16
Only 6% of directors believe their organization's board is effective at managing risk. 16
65% of organizations are operating "reactive" or "basic" policy management programs (as opposed to maturing or advanced). 3
44% of organizations plan to implement or expand/upgrade their existing implementation of GRC or risk management software. 8
More than 900 regulatory agencies issued a combined 200+ regulatory updates every day, on average, in 2017. 20
Compliance officers rank "continuing regulatory change" as their biggest challenge. 20
Only 27% of chief compliance officers strongly agree that their organization's compliance function has a change management process in place to identify and incorporate regulatory and legal changes and to integrate those changes into its policies and procedures. 12
$10,000: Average regulatory costs per employee for organizations, regardless of size. 2
$59 billion: The amount corporations paid out in penalties for U.S. regulatory infractions in 2015. This number grew by more than five times between 2010 and 2015. 15
Credit unions in the U.S. face a combined $6.1 billion in annual regulatory costs, or about 15% of operating expenses. 5
Effective GRC reduces compliance costs. Implementing the following best practices resulted, on average, in significant savings for the organizations who participated in a benchmark compliance study: 10
Only 47% of chief compliance officers say that their organization has an enterprise-wide reporting system across functions and business units that integrates with compliance monitoring. 12
Less than three-quarters (69%) of organizations are leveraging technology to support their compliance initiatives. 12
87% of organizations see tech risk management as a siloed, reactive process rather than "an organization-wide function for proactive risk management." 13
32% of organizations were victims of a major cyber attack in 2017. 13
130: The average number of security breaches per organization each year. 1
$11.7 million: Organizations' average annual spending on cybercrime incidents and recovery. Average costs escalate to more than $17 million for businesses in the financial services and energy/utilities industries. 1
Nearly 60% of executives rank cybersecurity as one of their organization's top five risks. 14
Over 75% of executives report that their organizations either have no method to measure cyber risk (49%) or they don't know if their organization measures risk exposure (27%). 14
Only 18% of organizations have a cybersecurity incident response plan. 14
Only 18% of organizations leverage automated processes for IT risk data collection and reporting, even though this methodology provides the most proactive approach to risk mitigation. 13
Only 13% of organizations consistently use key risk indicators (KRIs) to understand and manage IT risk. 13
Only 30% of internal audit departments effectively leverage advanced data analytics to identify and assess risk. 11
Fewer than half (48%) of internal audit departments identify and monitor key risk indicators (KRIs). 11
Cybersecurity and data protection is a top area of concern, with 70% of chief audit executives ranking cyber risk as high or very high at their organizations. 11
The average audit department dedicates only 4% of its resources to vendor risk assurance. 11
48% of chief audit executives view their organization's oversight of third-party relationships as ad hoc, weak, or nonexistent. Only 9% describe their vendor monitoring process as strong. 11
60% of chief audit executives say that internal audit rarely or never provides assurance on management information sent to the board. 11
57% of organizations don't keep an inventory of all the third parties with which they share sensitive information. 17
60% of organizations feel underprepared to perform due diligence on their vendors. 17
Only 31% of financial institutions consider their management of cybersecurity risks from third-party providers to be very or extremely effective. 6
57% of organizations aren't confident that their vendor management policies would prevent a data breach. 17
Only 31% of organizations manage third-party risk and issue tracking through an enterprise-wide tool capable of monitoring key risk and performance indicators (KRIs, KPIs). 12
Only 4% of organizations feel that their third-party risk management tools fully integrate and capture overall risk for reporting purposes. 9
Financial institutions find fourth-party management to be especially challenging. 60% of organizations that identify fourth parties do not maintain an inventory for monitoring and governance. Nearly 80% of organizations rely on their own third parties to monitor and assess fourth parties. 9
22% of organizations plan to make major revisions to their BCM strategies and/or business continuity plans in 2019. 4
There is room for improvement in how organizations understand and measure business requirements and risks as part of their BCM strategy. More than a quarter of organizations (26%) have not formally conducted a business impact analysis (BIA), while a similar proportion (just under 28%) have not formally conducted a risk assessment. 7
Nearly 69% of organizations feel that business continuity / operational risk levels are increasing, ranking the top three drivers as: 7
More than half (51.75%) of organizations use internal or ad hoc tools and methods (such as spreadsheets and documents) to manage their business continuity plans. This trend is changing, as 40% are now using dedicated business continuity planning software, which is "essential for complex organizations, particularly those with limited staff, and with the growing importance of BC to business operations and strategy." 7
56% of organizations lack a formal program for assessing the BC readiness of third parties. 7
For the 75% of organizations that have invoked their business continuity plan in the past five years, the top five lessons learned from the process included: 7
Only 27% of organizations rank their BC program maturity as a 4 or 5 (measured or optimized) out of 5, according to COBIT maturity level definitions. The remaining 73% fall into maturity levels 0 to 3 (nonexistent, ad hoc, repeatable, or defined). 7
To prepare for new and emerging threats and evolving risk and compliance management requirements, organizations need a strong framework for strategic GRC.
Management consulting firm Ernst & Young (EY) suggests that businesses need a "'single source of truth' that defines one single risk and compliance management approach for the entire organization." This approach to GRC is integrated and fully digitized, enabling continual monitoring and the ability to support business strategy and decision-making.
But this is difficult without the right technology: technology that unites GRC in a single platform, rather than a combination of ad hoc or manual solutions.
Learn how the Quantivate GRC Software Suite offers a better approach, with built-in integration that unlocks powerful data-sharing and automation capabilities for more effective risk management and more strategic decision-making. Our solutions address critical risk areas like business continuity, vendor management, regulatory compliance, and more.
Schedule a demo or visit our GRC Resource Center to learn more.
Sources (the numbers following each statistic above refer to this list):
1. Accenture / Ponemon Institute, Cost of Cyber Crime Study, 2017
2. Competitive Enterprise Institute, Ten Thousand Commandments: An Annual Snapshot of the Federal Regulatory State, 2018
3. Compliance Week, "Best Practices in Policy Management," June 25, 2018
4. Continuity Central, "Business Continuity Trends and Challenges 2019: Survey Results," January 18, 2019
5. Credit Union National Association (CUNA), Regulatory Burden Financial Impact Study: An Elevated New Normal, 2017
6. Deloitte, Global Risk Management Survey, 11th Edition, 2019
7. Disaster Recovery Journal (DRJ) / Forrester Research, The State of Business Continuity Preparedness, 2018
8. Disaster Recovery Journal (DRJ) / Forrester Research, The State of Enterprise Risk Management, 2019
9. Ernst & Young, Global Financial Services Third-Party Risk Management Survey, 2018
10. Globalscape / Ponemon Institute, The True Cost of Compliance with Data Protection Regulations, 2017
11. Institute of Internal Auditors (IIA), North American Pulse of Internal Audit: Defining Alignment in a Dynamic Risk Landscape, 2019
12. KPMG, The Compliance Journey: Boosting the Value of Compliance in a Changing Regulatory Climate, 2017
13. KPMG / Forbes Insights, Disruption Is the New Norm: Tech Risk Management Survey Report, 2018
14. Marsh & McLennan Agency, Managing Cybersecurity: The Cyber Risk Perception Survey, 2018
15. McKinsey & Company, "Are You Prepared for a Corporate Crisis?," April 2017
16. McKinsey & Company, "Value and Resilience Through Better Risk Management," October 2018
17. Opus / Ponemon Institute, Data Risk in the Third-Party Ecosystem, 2017
18. Risk Management Association, "RMA Regulatory Survey Reveals Banks' Concerns," March 21, 2019
19. Ropes & Gray / The Financial Times Group, Risky Business: Mitigating Exposure Through Comprehensive Risk Management, 2017