Aberdeen Group conducted a comprehensive study of 130 enterprises regarding their attitudes and practices surrounding governance, risk and compliance (GRC) initiatives. This slideshow highlights findings from Aberdeen’s wrap-up report, IT GRC: Managing Risk, Improving Visibility, and Reducing Operating Costs, by analyst Derek Brink.
One detail: the GRC acronym has things out of order; Aberdeen says enterprises emphasize compliance first, IT governance next and risk management last.
- Aberdeen divided the respondents into three categories: best-in-class, industry average, and laggards. The rankings were based on respondents' estimates of year-over-year change in three performance categories.
- Performance Category #1: Identification of weaknesses in existing risk management processes
  - Best-in-class organizations saw a mean improvement of 11.2%
  - Industry average organizations saw a mean improvement of 7.1%
  - Laggard organizations saw no change
- Performance Category #2: Ability to translate risk assessment data into actionable recommendations
  - Best-in-class organizations saw a mean improvement of 9.6%
  - Industry average organizations saw a mean improvement of 5.8%
  - Laggard organizations saw no change
- Performance Category #3: Flexibility to adjust to new or updated regulatory requirements
  - Best-in-class organizations saw a mean improvement of 11.5%
  - Industry average organizations saw a mean improvement of 4.8%
  - Laggard organizations saw no change
- Aberdeen says enterprises emphasize compliance first, IT governance next and risk management last.
- Best-in-class organizations have had compliance programs in place for an average of 4.6 years, governance programs for 3.9 years and risk management programs for 3.6 years.
- Best-in-class organizations were most likely (39%) to report that improving operational efficiencies and reducing total cost was the top driver for investing in IT GRC.
- Laggard organizations were most likely (36%) to report that addressing new and changing regulatory compliance requirements was the top driver for investing in IT GRC.
- 33% of all organizations establish and enforce consistent policies and procedures.
- 36% said they develop and improve IT governance frameworks.
- 16% reported they develop comprehensive “continuous compliance” infrastructure.
- 14% automate risk and compliance processes and controls.
- 70% of best-in-class organizations depend on centralized, automated controls and procedures, while only 24% of industry average and 19% of laggards do the same.
- More than 43% of laggard organizations depend on centralized, manually intensive controls and procedures, while 29% of industry average and only 12% of best-in-class organizations do the same.
- Best-in-class organizations are more likely (85%) to have an executive or team with primary ownership of the IT GRC initiative than average (55%) or laggard (49%) organizations.
- Best-in-class organizations were nearly twice as likely to employ a hierarchy of accountability with defined channels for escalation and issue resolution than average or laggard organizations.
- Only 31% of laggards regularly perform IT vulnerability assessments, while 70% of best-in-class organizations do so.
- Only 29% of laggards regularly perform IT risk assessments, while 59% of best-in-class organizations do so.
- Only 24% of laggards have standardized analysis and reporting for IT compliance, while 61% of best-in-class organizations do so.
- Fewer than half of all organizations (39% best-in-class, 31% average, 24% of laggards) fail to systematically eliminate root causes of risks.
- Approximately 55% of best-in-class companies, 29% of average organizations and 24% of laggards cross-map IT policies, objectives and process frameworks.