The Imperative to Raise Enterprise Risk Intelligence

How to raise enterprise risk intelligence

  • Break down silos and collaborate. To ensure all risks are addressed, finance, operations, compliance, legal and IT functions should work together in managing enterprise risks. According to 53 percent of respondents, there is little, if any, collaboration among these functions to achieve a clearly defined enterprise risk management strategy.
  • Focus on accomplishments that will make a difference. The findings reveal a significant gap between the most important features of a risk intelligence platform and what features are actually accomplished. The features considered most important but rarely accomplished are:
    • Business continuity response (produces plans, runs business impact analyses, resiliency controls and engages stakeholders in crisis drills and recovery)
    • Incident/issue risk response (coordination of classification, collaboration, evidence, policies and reporting across the organization for all operational and security risk events)
    • Operational risk & compliance (creates risk registers and runs Risk and Compliance Self-Assessments (RCSAs) against critical business processes to report key risk indicators (KRIs), findings and loss events)
    • Threat and vulnerability mitigation (automates continuous risk correlation, prioritization and remediation of assets and operation criticality, threat reachability, control and vulnerabilities)
  • Establish a formal budget for enterprise risk management. It is critical to allocate resources specifically designated to achieving a well-executed enterprise risk management program. Fiftyeight percent of respondents say their organizations do not have a formal budget.
  • Engage management and the board of directors in the organization’s risk strategy. The inability to get started was one of the top three barriers to achieving risk management objectives. Senior leadership’s involvement will incentivize and motivate collaboration and a formal process for achieving the objectives of a risk management program.
  • Achieve clarity of your IT assets and infrastructure. A clear map of the infrastructure and categorization of assets, especially high value and knowledge assets, is key to ensuring appropriate risk measures are in place. Only 24 percent of respondents say they have categorized assets based on their business criticality.
  • Assign accountability for the achievement of specific risk management objectives. According to the findings, either no one person has overall responsibility or it is dispersed throughout the organization.
  • Measure effectiveness in risk intelligence efforts. Only 31 percent of respondents say their organizations have specific metrics to determine how well risks are being managed. Many organizations represented in this study are not measuring such key objectives as time to contain threats and attacks, time to identify and pinpoint high-risk areas and time to remediate after containment of the attack.
  • Consolidated risk reporting is essential. Sixty-three percent of respondents say it is essential or very important to have a centralized or consolidated risk reporting (one set of metrics) in order to achieve a strong security posture.
  • Replace complexity with ease of use. The number one barrier to achieving risk management objectives is the complexity of technologies that support risk management objectives. Understandably, the number one feature of a risk management solution is ease of use (53 percent of respondents). Investments in risk management technologies that end up on the shelf because of complexity and the lack of in-house expertise will frustrate any attempts to achieve an enterprise risk management program.

ERM Survey