Enterprise risk management can be challenging. On the one hand, there are natural human instincts that can be difficult to overcome that can interfere with objective and systematic risk analysis and mitigation. For example, practitioners who make risk decisions on behalf of their enterprises (e.g., risk managers, cybersecurity specialists, auditors, and governance and compliance practitioners) can be directed to advocate so strenuously and so often in favor of risk reduction that they can sometimes forget that risk management is about optimizing risk rather than removing it entirely. They may focus on unexpected or unplanned events that may impact profitability, competitiveness or reputation but ignore the fact that failure to incur the right risk can likewise be potentially problematic, by causing enterprises to stagnate, lose competitiveness/market share or otherwise underperform their competition. On the other hand, the importance of assessing, mitigating, managing, measuring and tracking risk is well known; enterprises should assume only appropriate risk and avoid or mitigate excess risk–or potentially incur dire consequences.
Finding the right middle ground is as important as it is challenging. Because the business landscape is constantly shifting, new risk can emerge, allowing relatively little time for enterprises to respond. For example, low-risk applications or business processes can suddenly take on a whole new dimension of risk. This scenario is against a backdrop of attackers and external threat actors who continue to innovate and leverage new technologies to pursue their nefarious intent, geopolitical risk that can cause regional dynamics to shift, financial markets (e.g., historical securities and derivatives markets and the new cryptocurrency market) that can turn suddenly, and increasingly interdependent supply chains that expand logistical complexity. The turbulence in the risk landscape is unprecedented.
With this in mind, it is natural for organizations to ask how they fare relative to other enterprises in their risk efforts. For example, enterprises question if they are too risk averse or not risk averse enough, if they invested the right amount in risk management processes to bring about the correct maturity level to accomplish their goals, and if they implemented the correct steps to ensure optimization. To help enterprises answer these questions, gain perspective and guide their risk management development, ISACA, CMMI Institute and Infosecurity Group surveyed those who are best equipped to know—a global population of over 4,500 specialists involved in risk decisions for large and small enterprises, across six continents and all industries, from manufacturing to government and financial services, and every industry in between.
State of Enterprise Risk Management 2020 reports, analyzes and presents the key findings from the survey. This research brief also provides conclusions about risk management practices, and risk management areas of opportunity and guidance for boards of directors and executive teams.