Nine out of ten organizations are maintaining or increasing technology investments across all risk objectives. However, as investment in digital transformation proliferates, so does digital risk. Is your organization’s approach to risk management equal to withstanding the pervasive, relentless, and ever-expanding spectrum of digital risk?
Drawing on AuditBoard’s survey of 130+ risk leaders, the 2023 Digital Risk Report: Pervasive Risk, Persistent Fragmentation, and Accelerating Technology Investment takes a deep dive into these questions and others, looking at how and why companies’ digital risk management approaches are falling short — and what they can do to change the trajectory.
Watch report author John Wheeler share his perspective on key findings from the report, and continue reading for key takeaways on the hurdles companies must overcome to advance maturity, including the use of manual technologies, lack of reportable metrics, and the need for technology investment across the board.
For a more comprehensive look at how companies are using digital risk management to achieve stronger resilience, better performance, greater assurance, and more cost-effective compliance, download the full 2023 Digital Risk Report.
1. Many Organizations Still Don’t Manage or Monitor Third-Party Digital Risk
Effective digital risk management requires improved visibility into the full scope of third-party digital risk. When risk leaders were asked about the processes used for managing and monitoring third-party risk, however, their responses show little progress from 2022.
- Approximately 1 in 5 organizations (21%) are not managing and monitoring third-party digital risk. This is a small decrease from 2022 (26%).
- More than half of organizations rely on qualitative assessment approaches offering limited effectiveness. Specifically, 56% of risk leaders are relying only on qualitative risk assessments, with 24% basing their assessments on internal views of third parties only — an approach offering very limited effectiveness.
2. Nearly Half of Organizations Rely on Manual Technologies to Manage Digital Risk
While digital risk demand continues to increase exponentially, growth in risk management capacity remains slow. The reality is that fragmented, inflexible, and compliance-driven legacy governance, risk, and compliance (GRC) software simply cannot provide the connected risk capabilities needed to keep pace with digital risk — and as a result, most organizations are still relying on piecemeal manual processes, as shown below.
Organizations using manual technologies for digital risk management — an approach that tends to be very time-consuming — actually increased, from 38% in 2022 to 44% in 2023. In sum, nearly half of the organizations surveyed are still not leveraging available risk management technology solutions to advance digital risk management maturity.
3. Most Organizations Lack the Reportable Metrics Impending Regulations Will Mandate
Monitoring based on reportable metrics is a better overall process for digital risk management than relying on periodic risk assessments. But organizations continue to lag in their use of reportable metrics, even as impending regulatory changes will require swift adoption. As seen below, approximately four out of five organizations (79%) are not using reportable metrics to effectively manage digital risk.
This figure marks a small reduction from 2022 results (dropping from 84%). In other words, maturity in this area is largely not changing, though the risks most certainly are.
It’s time for a reality check for the four out of five organizations that aren’t yet using reportable metrics. Many will soon be forced to adopt reportable metrics by the U.S. Securities and Exchange Commission (SEC) cybersecurity disclosure requirements expected in 2023. To learn more about the coming regulatory changes and leading practices for preparing your company to comply, download the full 2023 Digital Risk Report.
4. Nine Out of Ten Organizations Anticipate Maintaining or Increasing Their Technology Investments
Increasing maturity requires increased investment. As shown below, when asked to describe anticipated levels of technology investment in the different risk objectives, risk leaders anticipated high levels of investment across all areas — representing noteworthy increases of 40 percentage points from 2022’s anticipated investment levels.
While compliance continues to receive high levels of focus, resilience received the highest percentage of planned investment increases (54%). Advancing digital risk management maturity, however, requires a balanced view on risk that doesn’t over-emphasize one risk objective at the expense of another. Since full integration requires all areas to be at similar levels of maturity, companies will have to place greater emphasis on performance and assurance going forward.
AuditBoard’s new digital risk report examines how integrated risk management (IRM) approaches and technologies support the more balanced, comprehensive approach needed to surmount these critical challenges and unlock key opportunities for value creation. Download Digital Risk Report 2023: Pervasive Risk, Persistent Fragmentation, and Accelerating Technology Investment to learn more.
John A. Wheeler is the Senior Advisor, Risk and Technology for AuditBoard, and the founder and CEO of Wheelhouse Advisors. He is a former Gartner analyst and senior risk management executive with companies including Truist Financial (formerly SunTrust), Turner Broadcasting, Emory Healthcare, EY, and Accenture.