
Aberdeen divided the respondents into three categories: best-in-class, industry average, and laggards. The rankings were based on respondents' estimates of year-over-year change in three performance categories.
Performance Category #1: Identification of weaknesses in existing risk management processes
  Best-in-class organizations saw a mean improvement of 11.2%
  Industry average organizations saw a mean improvement of 7.1%
  Laggard organizations saw no change
Performance Category #2: Ability to translate risk assessment data into actionable recommendations
  Best-in-class organizations saw a mean improvement of 9.6%
  Industry average organizations saw a mean improvement of 5.8%
  Laggard organizations saw no change
Performance Category #3: Flexibility to adjust to new or updated regulatory requirements
  Best-in-class organizations saw a mean improvement of 11.5%
  Industry average organizations saw a mean improvement of 4.8%
  Laggard organizations saw no change
Aberdeen says enterprises emphasize compliance first, IT governance next and risk management last.
Best-in-class organizations have had compliance programs in place for an average of 4.6 years, governance programs for 3.9 years and risk management programs for 3.6 years.
Best-in-class organizations were most likely (39%) to report that improving operational efficiencies and reducing total cost was the top driver for investing in IT GRC.
Laggard organizations were most likely (36%) to report that addressing new and changing regulatory compliance requirements was the top driver for investing in IT GRC.
33% of all organizations establish and enforce consistent policies and procedures.
36% said they develop and improve IT governance frameworks.
16% reported they develop comprehensive “continuous compliance” infrastructure.
14% automate risk and compliance processes and controls.
70% of best-in-class organizations depend on centralized, automated controls and procedures, while only 24% of industry average and 19% of laggards do the same.
More than 43% of laggard organizations depend on centralized, manually-intensive controls and procedures, while 29% of industry average and only 12% of best-in-class organizations do the same.
Best-in-class organizations are more likely (85%) to have an executive or team with primary ownership of the IT GRC initiative than average (55%) or laggard (49%) organizations.
Best-in-class organizations were nearly twice as likely as average or laggard organizations to employ a hierarchy of accountability with defined channels for escalation and issue resolution.
Only 31% of laggards regularly perform IT vulnerability assessments, while 70% of best-in-class organizations do so.
Only 29% of laggards regularly perform IT risk assessments, while 59% of best-in-class organizations do so.
Only 24% of laggards have standardized analysis and reporting for IT compliance, while 61% of best-in-class organizations do so.
Fewer than half of all organizations (39% of best-in-class, 31% of average and 24% of laggards) systematically eliminate the root causes of risks.
Approximately 55% of best-in-class companies, 29% of average organizations and 24% of laggards cross-map IT policies, objectives and process frameworks.