A study conducted this spring by Deloitte and Forbes Insights finds that an astonishing 91 percent of respondents plan to reorganize and re-prioritize risk management over the coming three years.
Planned changes included:
- elevating the function within the organization (52 percent)
- reorganizing processes (39 percent)
- providing additional training for staff (37 percent)
- incorporating new technology (31 percent)
- integrating enterprise risk management (ERM) into strategic planning (28 percent)
Why all the turmoil? ERM programs are changing in response to a variety of forces, including market volatility, regulatory changes, and even the rise of social media, which the survey ranks as the fourth most commonly cited source of risk. Overall, as one survey participant put it, companies have "less tolerance for volatility and less tolerance for surprises" in the wake of ongoing global financial challenges.
The response base comprised three broad industry groupings: life sciences and healthcare, consumer and industrial products, and telecom. Interestingly, when asked about their preferred outcomes of ERM efforts, life sciences companies were more likely to be concerned about compliance with regulatory changes; respondents from the other two industries were more focused on improving revenue growth.
In our observation, security pros (along with their associations and vendors) are prone to carve out their own slice of the risk management pie, dubbing their disciplines security risk management, information risk management, and so on. These labels can provide focus, but they can also foster functions that rate, report and prioritize risk on their own terms and end up out of sync with broader ERM initiatives. The practical test is whether a security risk finding can be expressed in the same risk categories, appetite and reporting cadence the ERM program already uses; if it cannot, the security function is running a parallel program rather than feeding the enterprise one.