Analyzing the LogicGate 2021 Risk Management Survey
LogicGate | July 15, 2021
“The goal of the survey was to understand the current state of people who make decisions around governance, risk, and compliance. How they should be running their risk management programs, how they see the role of technology, and how all of this has changed over the past year.”
In LogicGate’s second annual risk manager survey, we wanted to uncover what was top of mind for risk professionals after a year of changes and uncertainty due to the COVID-19 pandemic. Gina Hortatsos, the Chief Marketing Officer at LogicGate, discussed the results of the survey and shared her thoughts on what stood out the most during a recent episode of LogicGate’s podcast, GRC & Me.
Gina shared, “We wanted to understand some of those sentiments and we also wanted to provide data to risk management decision-makers so that they could better benchmark their organizations, and the organization's appetite for risk and their approach to risk management versus their peers.”
The survey was distributed to companies in the USA and UK, and 190 individuals completed it, representing a multitude of job roles including C-Suite, directors, and senior managers in many different companies across a range of sectors. Survey respondents came from companies of various sizes, ranging from around 100 full-time employees to over 10,000.
Gina explained, “We had really good representation from various industries, such as financial services, healthcare, hospitality, retail, high tech FinTech, a lot of SaaS (software as a service) companies as well as other industries like manufacturing, energy, and business services.”
Seek First to Understand
The results of the survey clearly showed that awareness of risk management has become common throughout many organizations, with responsibility being dispersed broadly across multiple functions. These include risk, compliance, information security, legal, the C-suite, and the board. Sixty-seven percent of the most senior respondents indicated that they hold risk management responsibilities within their organizations.
The survey looked at the main concerns in 2021 around four key risk categories, described by Gina as, “operational risk, strategic risk, reputational risk, and macroeconomic risk. We got some really interesting insights from those different parameters.”
The most significant single concern for survey respondents across all four categories was the impact of the global pandemic, followed closely by security breaches and then recession risk. The report highlighted the interconnectedness of risks with almost every one of the categories indicating common concerns over information, network, and cybersecurity. Examples of this interconnectedness included increases in cybersecurity risks resulting from more people operating from home during the pandemic.
Another area the survey looked to explore was how organizations collected their GRC information and how they used and communicated it. According to Gina, “From the information that's collected and the insights that are gathered, what information are they responsible for sharing with the board, and how do they actually use the data?”
The survey results indicated a clear focus for most organizations on new and emerging risks, with boards seeking to avoid further surprises in the aftermath of the global pandemic. There was also an emphasis on the prioritization of key enterprise risks and organizations looking to the future of their risk management programs.
Gina explained that they were not only interested in finding out what was reported but also how the data was being interpreted, “How do they use the insights that they gather from their risk programs to provide that visibility to the board and also to help make better decisions in the organization?”
It is around this point that concepts of operational resilience start to become evident. The report states, “Organizations that adopt dynamic GRC systems with the capability to actively identify, capture, and monitor risks using a framework that allows for risk-informed decision-making are finding themselves better equipped to tackle the ever-evolving landscape.”
Important Versus Effective
Gina said that one of the most surprising results of the survey was the disparity between the importance and the effectiveness of the risk management process, “While over 90% of respondents said that risk management is extremely or very important, only 45% said their programs themselves are extremely or very effective. That tells us that there's a lot more work to do.”
The survey results indicated that 43% of respondents still use tools such as spreadsheets, emails, and SharePoint to manage their GRC process.
Gina explained why using these old types of tools could be a hazard to the risk program, “Those methods are prone to error. If you miss something, or if someone goes out on vacation or you miss key data, that process of managing risk is risky.”
If the decision-makers understand that their current manual processes for managing the risk programs are error-prone, why do they not update those systems?
Gina answers this by saying, “I think that sometimes the reticence is just good old-fashioned inertia. We've been doing things the same way for a really long time, and the pain of same does not outweigh the pain of change.”
When reflecting on the spending in GRC during 2020, 99% of respondents stated that their organization would be investing the same amount or more into risk management in 2021. While some organizations are pushing forward with their digital transformation programs, many more are still spending time and effort using their existing tools and techniques.
Gina shared that it is important to, “Understand that there are really cutting edge and state of the art solutions that are out there that don't require a huge administration department, and that allows you to collect everything in one place and reduces the risk of error.”
Investing in such tools will undoubtedly go a long way in closing the gap between the perceived importance and the achieved effectiveness so desperately highlighted by many organizations.
How LogicGate Can Help
LogicGate’s Risk Cloud platform provides a holistic solution for risk professionals to effectively and efficiently manage their risk programs. To learn more about Risk Cloud, you can request a demo or visit us at logicgate.com. If you are interested in reading the full risk manager survey report, you can download the full report here.