June 21, 2016 by Canadian Underwriter
Nearly two-thirds (64%) of executives in the United States see strategic risk as a “highly significant threat” to their organizations compared to other types of risk – including compliance, operational and financial – according to a new survey from independent audit, tax and advisory firm Grant Thornton LLP.
Despite this high level of concern, the executives feel their real-world ability to manage strategic risk falls short, with only 43% saying they have effective measurement and monitoring in place and only half saying they can provide effective mitigation, Grant Thornton said in a statement on Tuesday. The Governance, Risk and Compliance Survey 2016, titled Balancing risk with opportunity in challenging times, received 535 valid submissions from a mix of U.S. executive titles and roles familiar with GRC activities.
Now in its sixth year, the GRC survey also found a gap between the level of concern that business-specific risks cause executives and their ability to identify and mitigate them. With regard to cybersecurity, although 60% of executives reported that their cybersecurity risk is significant, only 43% measure and monitor it effectively – and just 46% are effective at mitigation of cybersecurity risk.
Conversely, many risks that do not strongly worry executives are those that receive substantial attention from management, the statement said. For example, only 13% of executives view tax as a significant risk, but 44% perform substantial measurement and monitoring of tax risk.
“Proactively viewing strategic risks as a driver of opportunity is a key component to comprehensive risk planning,” said Warren Stippich, partner and Grant Thornton’s national governance, risk and compliance practice leader. “Leaders who are successful in implementing prudent risk management approaches that add a strategic risk point of view can maintain and enhance their organization’s competitive advantage. Recognizing the risks in achieving objectives and providing the proper balance between investment in measuring and monitoring for such risks is key to optimizing GRC activities.”
The survey also revealed that many organizations face a large challenge in moving toward a higher maturity of GRC activities – 43% of respondents say they are operating their compliance efforts at an “ad hoc or fragmented/siloed” level. In addition, organizations that responded spend 12% of total revenue on GRC activities; however, spending levels vary widely across organizations. Almost half (48%) spend just 5% of total revenues or less on GRC activities.
When asked about the adoption of data analytics and technology for GRC activities, only 34% of organizations say that they are implementing these tools, Grant Thornton said in the statement. However, overall general use of data analytics has improved: the response of “none” decreased from 37% to 28% from 2015 to 2016 when respondents were asked to name the function for which data analytics is used.
But, while use of data analytics is increasing, many organizations fail to recognize their value for improving GRC functions – only 8% of polled executives use data analytics to monitor third-party compliance despite their dangers.
Other highlights from the survey include: