1. IT Risk Assessments Suffer From Lack of Automation, Planning: KPMG
The vast majority of organizations are taking a “reactive and siloed” approach to IT risk assessments, according to a recent survey from KPMG. The accompanying report, titled “Disruption is the New Norm,” reveals that most companies only consult with risk assessment teams about projects after IT issues have already emerged. Few are constantly deploying data analytics to develop key risk indicators. Nor are they investing in automated tools to collect risk-related data. More than 200 senior executives responsible for IT risk management took part in the research, which was conducted by Forbes Research. This slide show presents highlights from the report—which contains additional survey research from KPMG—with charts provided courtesy of KPMG.
2. New Tech Brings Concerns
Among survey respondents, 46 percent said the deployment of new technologies within their organization would spur an expansion of their tech risk management efforts. One-half said emerging tech within their industries may also drive such an expansion.
3. Passive Response Remains Commonplace
Tech risk management is perceived as “reactive and siloed” among 87 percent of companies. More than seven of 10, in fact, said tech risk teams are brought into projects “after the fact,” only after issues begin to arise.
4. Assessments Lacking for Mobile, IoT Adoption
KPMG reports that 47 percent of organizations are adopting mobile apps and devices without assessing associated risks. When it comes to the internet of things (IoT), 46 percent are adopting this technology without assessing the risks.
5. Compliance Role Dominates
Nearly two-thirds of organizations view tech risk assessment as “an arm of compliance.” Just over one-third perceive it as an “arm of cybersecurity.”
6. Risk Mitigation Investments to Increase
Nearly nine of 10 survey respondents believe that the assessment of tech risk drives value for their organization. Almost one-half predict that tech risk spending will increase over the next three years.
7. KRI Delivery Brings Mixed Results
Ninety-two percent of organizations use key risk indicators (KRIs) to measure the likelihood that individual events will bring harm, according to the report. But 87 percent of companies only “sometimes but not consistently” leverage data analytics to develop key risk indicators.
8. Excel Remains Tool of Choice
Two-thirds of organizations are still using common tools—like Excel—to develop KRIs. Nearly one of five develop their own tools in-house.
9. Automation Tools in Short Supply
One-half of companies collect data for risk reports via informal, ad hoc processes, such as having conversations with team members and collecting anecdotes. Only 18 percent are using automated processes to ensure IT risk data is collected regularly through system-based sources.
10. Organizations Are Underprepared for Threats
Just 40 percent of companies are “well prepared” for a cyber-event. Among incidents, more than 30 percent are linked to software glitches.