Mon, Nov 9, 2009 17:42 EST
Posted by: Gordon Burnes in Best Practices Topic: Applications
Most organizations are managing the basics of IT risk practices effectively, but still have a long road ahead in converging their IT risk initiative with their overall enterprise GRC initiatives. Two recent surveys we conducted shed light on how companies are managing IT risk today and their plans for the coming year.
A survey of IT risk and compliance executives from a variety of industries, including financial services, energy, government and healthcare, revealed that the majority (73%) of IT risk management solutions in practice today are either spreadsheets or point solutions with limited or no coordination within the overall GRC initiative.
George Westerman, Research Scientist – Center for Information Systems Research, MIT Sloan School of Management and an advisory board member for us, finds that “incorporating risk into all IT conversations, and linking IT risk to enterprise risk, leads to better management decisions, not just fewer incidents.”
Fortunately, investments in IT risk management are expected to rise in 2010, and convergence with GRC is expected to follow. When asked about IT risk management budgets for the coming year, more than 95% of respondents stated that they expect budgets to increase or stay the same in 2010.
In a separate survey conducted at our OpenPages European Network (OPEN) Summit this fall, 93% of respondents stated that within 2-3 years, they are likely to converge or coordinate IT Risk and Compliance Management activities with GRC. Almost 90% said that their GRC spending would either increase or stay the same over the next year. During a time when IT spending overall is dropping, it’s important to note that spending in the risk management sector is holding up.
There were some interesting results from the OPEN survey, especially when compared with those from our annual user event (OPUS), held 11 months prior in October of 2008. The first question asked whether or not we’ll see new laws and regulations over corporate risk management oversight within the next year. Just over 80% said they believed that we would see new laws and regulations within the next year. What’s interesting is that almost the same percentage said the same thing almost one year ago. The difference is that we’ve seen no new laws or regulations in the past year. In other words, the expectation of regulatory reform is clearly stronger than the reality. Obama’s focus on healthcare, the EU’s debate over various regulatory reform proposals, and the general resistance to change are all contributing to a lengthening of the regulatory reform process.
Our second question asked whether the financial and credit crisis has influenced the company’s thinking and approach to risk management. 62% said yes. Eleven months ago only 46% said yes. The difference suggests that, over the last year, companies have found reasons to revamp their approach to risk management. Frankly, I am surprised that the number is not higher. Clearly, we all learned that very smart people can make bad decisions. Isn’t that something that companies should want to control for?
The answer to the next question may provide some insight as to why. We asked how companies would characterize the current state of their GRC management efforts: siloed, converged or coordinated. 73% said siloed, 27% coordinated. This mirrors almost exactly the responses from October 2008, which suggests that the road to convergence is not a short one.
The fact that IT risk management investment is expected to rise is certainly good news, but as George Westerman concludes: “…until companies can drive internal focus around IT risk management in the context of overall GRC