Nearly two-thirds (64%) of executives in the United States see strategic risk as a “highly significant threat” to their organizations compared to other types of risk – including compliance, operational and financial – according to a new survey from independent audit, tax and advisory firm Grant Thornton LLP.
Despite this high level of concern, the executives feel their real-world ability to manage strategic risk falls short, with only 43% saying they have effective measurement and monitoring in place and only half saying they can provide effective mitigation, Grant Thornton said in a statement on Tuesday. The Governance, Risk and Compliance Survey 2016, titled Balancing risk with opportunity in challenging times, received 535 valid submissions from a mix of U.S. executive titles and roles familiar with GRC activities.
Now in its sixth year, the GRC survey also found a gap between the level of concern that business-specific risks cause executives and their ability to identify and mitigate them. With regard to cybersecurity, although 60% of executives reported that their cybersecurity risk is significant, only 43% measure and monitor it effectively – and just 46% are effective at mitigation of cybersecurity risk.
Conversely, many risks that do not strongly worry executives are those that receive substantial attention from management, the statement said. For example, only 13% of executives view tax as a significant risk, but 44% perform substantial measurement and monitoring of tax risk.
“Proactively viewing strategic risks as a driver of opportunity is a key component to comprehensive risk planning,” said Warren Stippich, partner and Grant Thornton’s national governance, risk and compliance practice leader. “Leaders who are successful in implementing prudent risk management approaches that add a strategic risk point of view can maintain and enhance their organization’s competitive advantage. Recognizing the risks in achieving objectives and providing the proper balance between investment in measuring and monitoring for such risks is key to optimizing GRC activities.”
The survey also revealed that many organizations face a large challenge in moving toward a higher maturity of GRC activities – 43% of respondents say they are operating their compliance efforts at an “ad hoc or fragmented/siloed” level. In addition, organizations that responded spend 12% of total revenue on GRC activities; however, spending levels vary widely across organizations. Almost half (48%) spend just 5% of total revenues or less on GRC activities.
When asked about the adoption of data analytics and technology for GRC activities, only 34% of organizations say that they are implementing these tools, Grant Thornton said in the statement. However, overall general use of data analytics has improved: the response of “none” decreased from 37% to 28% from 2015 to 2016 when respondents were asked to name the function for which data analytics is used.
But while use of data analytics is increasing, many organizations fail to recognize its value for improving GRC functions – only 8% of polled executives use data analytics to monitor third-party compliance, despite the dangers third parties pose.
Other highlights from the survey include:
Sixty-three per cent of executives cite regulatory risk as significant, the highest among business-specific risks. This is followed by cybersecurity risk (60%), market risk (52%) and competitive risk (50%);
Fifty-seven per cent of organizations use data analytics for performance measurement, up from 45% in 2015; 26% use it for predictive analytics; and 17% for forensic analysis;
Reliance on data analytics did not vary based on the size of the organization: Thirty-five per cent of companies with less than US$100 million in revenue use data analytics for GRC activities, while 35% with US$100 million to US$1 billion in revenue use data analytics and 34% with US$1 billion or more in revenue use data analytics;
Twenty-one per cent of organizations don’t rate third parties by the risks they pose, and nearly half (41%) don’t audit any of their third parties; and
For departments involved in GRC activities, 43% of executives cite skill shortages in audit departments, while 38% cite skill shortages in operations leadership/management departments.