Government Slideshow: Understanding Governance, Risk and Compliance

By Ericka Chickowski  |  Posted 06-18-2009

Understanding Governance, Risk and Compliance

Aberdeen divided the respondents into three categories: best-in-class, industry average, and laggards. The rankings were based on respondents' estimates of year-over-year change in three performance categories.

Understanding Governance, Risk and Compliance - Page 2

Performance Category #1: Identification of weaknesses in existing risk management processes
Best-in-class organizations saw a mean improvement of 11.2%
Industry average organizations saw a mean improvement of 7.1%
Laggard organizations saw no change

Understanding Governance, Risk and Compliance - Page 3

Performance Category #2: Ability to translate risk assessment data into actionable recommendations
Best-in-class organizations saw a mean improvement of 9.6%
Industry average organizations saw a mean improvement of 5.8%
Laggard organizations saw no change

Understanding Governance, Risk and Compliance - Page 4

Performance Category #3: Flexibility to adjust to new or updated regulatory requirements
Best-in-class organizations saw a mean improvement of 11.5%
Industry average organizations saw a mean improvement of 4.8%
Laggard organizations saw no change

Understanding Governance, Risk and Compliance - Page 5

Aberdeen says enterprises emphasize compliance first, IT governance next and risk management last.

Understanding Governance, Risk and Compliance - Page 6

Best-in-class organizations have had compliance programs in place for an average of 4.6 years, governance programs for 3.9 years and risk management programs for 3.6 years.

Understanding Governance, Risk and Compliance - Page 7

Best-in-class organizations were most likely (39%) to report that improving operational efficiencies and reducing total cost was the top driver for investing in IT GRC.

Understanding Governance, Risk and Compliance - Page 8

Laggard organizations were most likely (36%) to report that addressing new and changing regulatory compliance requirements was the top driver for investing in IT GRC.

Understanding Governance, Risk and Compliance - Page 9

33% of all organizations establish and enforce consistent policies and procedures.

Understanding Governance, Risk and Compliance - Page 10

36% said they develop and improve IT governance frameworks.

Understanding Governance, Risk and Compliance - Page 11

16% reported they develop comprehensive "continuous compliance" infrastructure.

Understanding Governance, Risk and Compliance - Page 12

14% automate risk and compliance processes and controls.

Understanding Governance, Risk and Compliance - Page 13

70% of best-in-class organizations depend on centralized, automated controls and procedures, while only 24% of industry average and 19% of laggards do the same.

Understanding Governance, Risk and Compliance - Page 14

More than 43% of laggard organizations depend on centralized, manually intensive controls and procedures, while 29% of industry average and only 12% of best-in-class organizations do the same.

Understanding Governance, Risk and Compliance - Page 15

Best-in-class organizations are more likely (85%) to have an executive or team with primary ownership of the IT GRC initiative than industry average (55%) or laggard (49%) organizations.

Understanding Governance, Risk and Compliance - Page 16

Best-in-class organizations were nearly twice as likely as industry average or laggard organizations to employ a hierarchy of accountability with defined channels for escalation and issue resolution.

Understanding Governance, Risk and Compliance - Page 17

Only 31% of laggards regularly perform IT vulnerability assessments, while 70% of best-in-class organizations do so.

Understanding Governance, Risk and Compliance - Page 18

Only 29% of laggards regularly perform IT risk assessments, while 59% of best-in-class organizations do so.

Understanding Governance, Risk and Compliance - Page 19

Only 24% of laggards have standardized analysis and reporting for IT compliance, while 61% of best-in-class organizations do so.

Understanding Governance, Risk and Compliance - Page 20

Fewer than half of all organizations (39% of best-in-class, 31% of industry average, 24% of laggards) fail to systematically eliminate root causes of risks.

Understanding Governance, Risk and Compliance - Page 21

Approximately 55% of best-in-class companies, 29% of industry average organizations and 24% of laggards cross-map IT policies, objectives and process frameworks.