Risk management adoption remains critical
However, there are still significant barriers to entry that limit investment into risk management. Executives are skeptical – risk management is perceived as a hindrance to performance and a cost to both bottom line and business process.
Forrester VP and research director serving security and risk professionals, Christopher McClean, believes that it is critical that the organisation overcome these barriers by building a pregame that guides it through rapid market evolution and disruption.
“Corporate catastrophes like the VW emissions testing debacle, the Wells Fargo fake account scandal and the Equifax breach and botched response are happening all too often. And in the next five years, the risk landscape will become even more complex as customer demands increase and intangible assets show greater vulnerability to risk events. With these threats looming, executives should be clamoring for greater risk management budgets and authority; however, all too familiar barriers persist,” he writes in the report: The State of Risk Management.
The risk landscape
Risk management is not a cure. It is a tool that allows organisations to define processes and make intelligent risk decisions. Yet it is still perceived as a barrier to business and does not receive the resources it requires.
McClean points out that only 22% of organisations believe that they properly manage risk in spite of so many public examples of corporate failure. Of the top barriers, 21% perceive risk management efforts to increase costs, while 14% say it tends to reduce performance.
As a result, many organisations still report insufficient budgets and staffing for effective risk management programmes. Decision makers are focusing on short-term cost and performance metrics, writes McClean. In addition, there is a lack of base-level resources for risk and compliance functions. They also do not have the right technology to manage, oversee, mitigate or prevent risk.
Ironically, organisations that have well-rounded governance, risk and compliance (GRC) platforms and risk management programmes report a greater concern for risk.
McClean emphasises that risk management in itself isn’t a solution to sleep better at night, but a way to dramatically improve executives’ visibility, coordination and accountability. This can help the organisation make more informed decisions thanks to deeper insights from data and reporting capabilities - especially when it comes to risks that tend to go under the radar, such as geopolitical risk and third-party risk.
Companies with well-designed GRC platforms are more confident in their ability to comply with regulations while defining clearer processes and lines of accountability. It is also critical to recognise that while risk management technology can provide support, it must be framed within the contextual challenges that impact on individual organisational requirements.
Resolution in cloud and compliance
To manage risk effectively, organisations need to take GRC out of silos and integrate it across the business to understand the intricate ways in which risks interconnect. Reputational risk, in particular, is a rising business concern that requires vigilance and visibility; and those who work with business leaders to guard against reputational risk are likely to become trusted partners in future strategic initiatives.
Effective risk management requires mature GRC programmes for long-term, strategic risk management success. Technology is an essential component of both the maturity and the success of any GRC solution that can support the management of risk factors such as regulations, malicious and sophisticated threats, and volatile markets.
In its report, Benchmark the Performance of Your GRC Program, Forrester has found that:
Forrester senior analyst, Nick Hayes, explains that historically, risk professionals have been hesitant to adopt cloud delivery models, but that mentality has changed significantly.
“It took longer than most business software segments, but the cloud is now the predominant delivery method for GRC platforms. There are many reasons for this, such as better application performance and flexibility, favourable cost structures, and more-established security models for cloud deployments. Another major reason is simply that there are more cloud-based risk solutions available to address the emerging challenges that risk pros face,” he says.
Finding the value
The focus on investment into GRC platforms and cloud-based solutions should be on their value in delivering improved visibility, coordination and accountability. In addition, GRC platforms implemented correctly and at the right level of maturity allow for increased confidence in compliance with regulations alongside improved management of process, responsibility and oversight.
Risk management should be sold as a way to make better, more informed decisions as it delivers executive-level awareness and understanding.