Comments on the Ponemon survey The Imperative to Raise Enterprise Risk Intelligence
Mar 9th, 2017
We could not resist publishing some comments on the Ponemon survey “The Imperative to Raise Enterprise Risk Intelligence”.
The survey shows, as expected, that reputation and cyber risk concerns remain central. Meanwhile, progress in abolishing the silos between legal, IT and finance is slow. This pairs up with 50% of polled organizations lacking a formal budget for Enterprise Risk Management (ERM). As a result, the survey paints a fairly dull and inefficient landscape.
Ponemon adeptly differentiates Enterprise Risk Intelligence (ERI), i.e. the “data gathering discipline”, from ERM. ERM is the systematic analysis of enterprise risks. ERM should not be encumbered by silos, as discussed above and in a prior post.
Roughly 40% of the respondents stated that ERI integrates well with the way decision-makers select their courses of action. This sounds good, meaning that 40% believe that getting data before making decisions is “good practice”. What is astounding is that 50% do not have “formal” ERM funded. This can be interpreted as a belief that data gathering and subsequent “intuitions” are enough to steer their companies toward success.
It could well be that the fault lies with the applied approach, or even with the risk manager, if there is one formally in charge. Not defining the system to which ERM is applied and, more importantly, not stating clearly and transparently enough the success criteria of the ERM (the mirror image of the failure criteria) nullifies any ERM effort.
This is probably why many respondents consider ERM “useless”.
Another culprit is certainly to be found in communication, both internal and external. Closely related to this is the failure to formulate coherent risk tolerance levels.
What to do
So, unless risk managers improve their results, that is, better define hazards and the resulting risks, their interdependencies and the full scope of potential outcomes, there will be little progress.
Four years ago we were already stating this in papers like “Can we stop misrepresenting reality to the public” and “Is it true that pigs can fly”.
Get over the obstructions and see a clearer future. Contact us!
Tagged with: Enterprise Risk Intelligence, ERI, Ponemon survey, risk tolerance levels, success criteria
Category: Risk analysis, Risk management, Tolerance/Acceptability