RSA® Archer™ Risk Intelligence Index Risk Intelligence Index OVERVIEW In October 2015, RSA completed a global survey of almost 400 organizations to gather insight into current trends and perceptions regarding Risk Management. The survey utilized RSA’s proprietary Risk Intelligence Index to ask questions around key areas of risk and how organizations are addressing the changing risk landscape. The Risk Intelligence Index is based on the RSA Archer Maturity Model that measures organizations’ GRC program components across five stages of maturity. Low Maturity Model High Compliance Based Risk Centric Opportunity Focused Siloed Transition Managed Transform Advantaged Baseline activities Activities focused Operational Transformative Processes are are in place to on improving processes have initiatives are optimized and manage risk but effectiveness are evolved into a executed to build balanced by are isolated and underway to steady state and a better business context fragmented stabilize are now effective, connection and risk priorities processes and repeatable and between risk expand scope sustainable management and business 2 Risk Intelligence Index OVERALL ORGANIZATIONAL ATTITUDE TOWARDS RISK 15% It is a necessary evil Key Finding 27% Approximately 40% of the respondents’ It is absolutely executives view risk management as an essential for business ingredient to business success. 60% still see growth DDeessccrriibbee hhooww risk management as an operational problem. yyoouurr eexxeeccuuttiivvee 25% It should be tteeaamm vviieewwss rriisskk a consistent Key Recommendation operational mmaannaaggeemmeenntt; Risk Management functions need to connect 14% process every effort to the business strategy to raise It has the potential to help awareness and educate executives on how the business risk management can accelerate business growth. 19% Advantaged It is a defined, accepted Transform responsibility of operations Managed Transition Siloed 3 Risk Intelligence Index OPERATIONAL RISK MANAGEMENT WhWehne int icto cmomeess t oto m maannaaggiinngg rriisskkss wwiitthhinin b buusisniensess os poepraetriaotnios,n ws,e ;we 20% 20% 19% 19% 19% Are improving Have a robust Manage risks as Have a standardized Understand processes as operational risk they come up operational risk risks and part of a larger management management controls in the strategy program in place program context of our that engages all business stakeholders Low Maturity Model High Key Finding Key Recommendation Although 4/5 of respondents have ORM in place, Organizations should strive to understand the full the survey results indicate an equal distribution of business context of their risks and controls to get operational risk management maturities. the most out of the risk management program. 4 Risk Intelligence Index REGULATORY & CORPORATE COMPLIANCE OOuurr rreegguullaattoorryy aanndd ccoorrppoorraattee ccoommpplliiaannccee eeffffoorrttss aarree:: Key Finding h Enabling: Proactively meeting regulatory Hig 26% and corporate compliance obligations Respondents reported an almost equal split allows our business to explore new between respondents that are anticipating opportunities more aggressively regulatory changes as those that continue to react as a compliance exercise. Flexible: We can effectively adjust 22% business requirements based on regulatory and compliance obligations del Key Recommendation o M y 16% Operational: We can demonstrate urit Organizations should implement compliance without difficulty Mat continuous controls monitoring in conjunction with risk-based compliance Improving: We're gaining a solid to gain program efficiencies. 17% understanding of the full breadth and depth of our compliance requirements 19% Reactive: Each new compliance obligation is a fire drill w o L 5 Risk Intelligence Index IT AND SECURITY RISK MANAGEMENT 22% 19% Thorough, and Managed individu- offer ideas on ally within our IT how to utilize Key Finding operations group technology as a Only 22% of the respondents indicated that competitive advantage OOuurr they are able to use IT and Security Risk Management as a competitive advantage. ccaappaabbiilliittiieess iinn 15% IITT aanndd sseeccuurriittyy Shifting to 15% improve Becoming more rriisskk mmaannaaggee-- coordination Key Recommendation between in tune with business mmeenntt aarree:: functions IT and Security functions should build requirements business context around security issues and ensure IT and security risks are connected to overall operational and enterprise risk 29% Advantaged strategies. Managed by IT and security Transform functions and connected to Managed business strategies Transition Siloed 6 Risk Intelligence Index BUSINESS RESILIENCY IfI ft htheerree i sis aa ddiissrruuppttiioonn wwiitthhiinn bbuussiinneessss o oppeerraatitoionnss:: 28% Business, IT and crisis groups work 23% 22% together to manage Business and IT A central program the recovery plans include helps operational risk-driven 15% groups work response and will together to Individual opera- recover without 12% manage response tional groups are significant impact and recovery We will absorb responsible to effectively disruptions and recover on their own keep operating without a hitch Low Maturity Model High Key Finding Key Recommendation 85% of the respondents have a central or To drive confidence in resiliency, organizations coordinated program for recovery, but only 1/3 need to have a central program, collaboration indicate true confidence in managing their among recovery functions, and take risk-based business resiliency risk. approaches. 7 Risk Intelligence Index THIRD PARTY GOVERNANCE Third-party risk is: Third party risk is: Key Finding h g Centrally monitored for all aspects of Hi Third party risk is one of the fastest rising 26% vendors, both in the business value they provide the risks they pose to issues and 1/3 of the respondents indicate the organization low maturity in addressing third party risk. 18% Proactively identified and cataloged Key Recommendation el d o M Organizations with low maturity should Defined in operational processes using y 20% standard terminology, assessment aturit establish a maturity roadmap and engage approaches, and rating scales M stakeholders across the organization in the third-party governance program. 20% Not fully cataloged but we try to keep it on the radar 15% Addressed locally by individual business units w o L 8 Risk Intelligence Index AUDIT MANAGEMENT 23% 28% Performing basic Key Finding Dynamically compliance audits on assessing risks an ad-hoc basis 77% of respondents reported that their audit and monitoring activities were risk-based to adjust based on key controls business changes. continuously WWee eennssuurree oouurr ccoonnttrroollss 16% aarree wwoorrkkiinngg Key Recommendation Using static 12% eeffffeeccttiivveellyy bbyy:: analysis of risk Internal Audit (IA) should leverage insight and criticality from Enterprise and Operational Risk Leveraging flexible to plan and Management to dynamically adjust audit audit processes execute audits that can adjust to plans and engagements in response to shifting risks 21% changing business conditions. Advantaged Using an established audit Transform function to conduct risk-driven Managed reviews Transition Siloed 9 Risk Intelligence Index GRC TECHNOLOGY USAGE DDesecsrcirbibee h hooww t etecchhnnoollooggyy ssuuppppoorrttss yyoouurr G GRRCC p proroggrarmam: : 22% 21% 19% 19% We have an We integrate 18% enterprise GRC We are in the We have a few GRC data sources technology We utilize desktop beginning tools that manage into a GRC infrastructure that products for stages of individual segments platform as part is deployed managing our risks utilizing GRC of our risk manage- of an overall risk across our risk and controls technology ment program management management strategy program Low Maturity Model High Key Finding Key Recommendation Respondents indicate there is still a wide variety Organizations must look for an integrated of maturities in utilizing technology to support technology strategy to create a cohesive picture the GRC program. of risk. 10
Description: