The Risk Management Survey First of all.

Please accept my apology for sharing the results and comments so long after we started the survey, the positive side is that we had just under 200 responses and the negative side it that those who expected results earlier might be a bit annoyed with me, but here we go anyway. The first question dealt with the factors that will affect the way you do business in the next 5 years and Technological Developments was the top answer here. This is very true and in the light of this brings many challenges to those responsible for IT security and information security in general. Check out the 5 Whys discussion here . Rapid Globalisation and Political changes followed closely after technology changes. Political changes are not just driven by the Arab Spring (almost Spring to Spring by now), but we saw a number of other key global changes and are expecting more. In this global environment it is no longer just changes in and close to your country that have an effect on your risk profile, as risk practitioners we must watch everything, everywhere. It is heartening to see that 85% of the respondents confirmed that they have a formal risk management process in place in their organisation. The question arises as to how effective and how mature that function is. We have recently launched the Risk Culture Maturity Monitor system, an on-line assessment that can accurately measure the level of maturity of your risk management functions in 6 operational areas on a scale of 5 different levels of maturity. You can find details here The response to the following question on the responsibility for risk management was very disappointing with only 32% saying every employee must be a risk manager. The fact that 45% said it is the responsibility of the Head of Risk Management or Chief Risk Officer confirms why we are in the global crisis and why Risk Management failed. It is impossible for one person to be responsible for risk management in the entire organisation. Very often we see organisations buying a seemingly successful CRO from another organisation; thinking that he/she has a magic wand. You can have the best people, best systems and processes, without an embedded risk management culture in the organisation, there will be no effective mitigation, control or optimization of risk. To refer to the definition we embrace in this group, go here (Feel free to check out the wall for some pictures) It is encouraging to note that 60% responded saying that Risk Management and Internal Audit are two completely independent departments! A question here would be how qualified are the auditors to audit the risk management processes and how often are these processes audited? A comment I often get in my training programs is that audit does not understand risk management and does not get involved; maybe there is a need for auditors to up skill. 82% of the respondents said they can list the top 5 risks that will prevent them from reaching heir business goals this year. With 85% confirming they have a formal risk

management process in place; this is a good indication that these risk management processes are working with regards to Risk Identification. As a group we would love to hear how accurate you were on these and how you are tracking performance in these areas. I recently said to an executive team in one of our risk culture building workshops that after all the years of risk management evolution; if your risk department cannot show a positive ROI, get rid of them. Its all about culture and sustainable competitive advantage. On the next question of ranking some of the main risks identified in 2011, the highest risk was voted as People & Organisational Design. As a Risk Culture Builder this is great news as it confirms the need for the work and research we do and the discussions we are having in this group. I again invite members to participate actively in the discussions. The value lies in what you contribute, not just what you take out. Operational Processes came a close second with the others trailing behind. The question on Data Quality had a response of 25% stating that they have NO PROBLEMS with the quality of the data in their systems. They are either operating in another world, is a one man show or are just not telling us the real story. I have never met anybody that has perfectly clean data, for most people their private e-mail accounts are even a mess. I guess it would be great for people to share what controls they have to get to hat kind of utopia. 75% of the respondents claimed to have Business Continuity Programs in place, for those the question is: How often are these updated and tested? For the remaining 25%, we might not see you next year. The final two questions on CD Rom/ USB drive usage were also interesting. This is a very simple data leakage/ virus mitigating control. 70% confirmed that they have access and ONLY 25% of them had a kind of control mechanism in place to obtain such authority. These questions were just added to gauge the response on one very simple loophole that could cause an organisation to loose its entire IT system, or at a minimum, cause some serious downtime. The opportunity is taken to thank the respondents for the time they took to complete the survey. Group members are welcome to comment on the results and to start discussions that can add value to the Future of Risk Management. To do that on our Linked In group, Risk Culture Builders, go to Risk Culture Builders | LinkedIn