A new report finds that despite the growth of digital risks, many risk management programs are not maturing quickly enough to keep pace.
The study, 2022 Digital Risk Maturity Survey, conducted by AuditBoard—which provides audit, risk, and compliance management platforms—finds that while more than 90 percent of respondents have digital risk on their radar, only 30 percent are at a stage of maturity where they are actively mitigating digital risks.
“Today, enterprises are more digitally dependent than ever, investing heavily in digital transformation efforts to modernize, gain efficiencies, and adapt to the enduring environment caused by the COVID-19 pandemic,” the company said in a statement. “AuditBoard’s Digital Risk Maturity Survey sought to discover how enterprises currently undertake digital risk management by surveying more than 125 risk leaders across a range of industries about their approaches to navigating today’s dynamic risk environment.”
Fragmented Risk Management
The majority of respondents (over 69 percent) revealed their organization is at an early stage of defining and assessing digital risks, and not yet mitigating or monitoring them continuously. Fragmented audit, risk, and compliance practices are a top reason for lagging maturity. Respondents reported managing digital-related risks separately as part of IT and cybersecurity (32 percent), operational risk (11 percent), enterprise risk (31 percent), or other areas of risk management (18 percent).
Meanwhile, 78 percent of respondents have placed ownership of digital risks with functions outside of business operations (such as IT or security), which can lead to inappropriate categorization of these risks as technical or compliance-only and create siloed risk management efforts. To get ahead of digital risks, risk teams may need to make changes to keep pace with management and board expectations.
“To achieve better visibility and understanding of strategic, operational, and technology risks across the business landscape, enterprises must adopt an integrated risk approach supported by the right technology — allowing them to accelerate program maturity and actively manage digital risk in today’s increasingly volatile environment,” said John Wheeler, former Gartner IRM Analyst and senior advisor, risk and technology at AuditBoard.
Quantifying Digital Risks
The study also finds that companies are struggling with reportable metrics to quantifying digital risk. In fact, 84 percent of respondents currently do not report measurable metrics to their management. Of the minority who claim to use reportable metrics, 89 percent describe the activity as measuring only one component of digital risk, such as technology or fraud. These results indicate that most companies have not yet reached the level of maturity to capture the metrics needed for continuous risk monitoring throughout their digital transformation journey, despite the critical importance of analytics to a successful risk management program.
Some respondents said they were still managing digital risks with dated methods. While 38 percent of respondents said they are managing them manually using spreadsheets, shared drives, and email, over half (51 percent) reported using some form of risk management software. Of those leveraging technology, 32 percent report using cloud-based risk management software. The ability to analyze data provided either directly by a third party or indirectly through an independent data source (such as a security ratings service) is essential for such a complex risk environment. This underscores the importance of cloud-based technology, whose integration capabilities ensure the transfer of large amounts of data between systems.