There’s no reward without risk — EY’s global governance, risk and compliance survey 2015

Survey findings

What our clients are telling us

In this year’s GRC survey, we focused on an array of topics (e.g., risk strategy, coordination of functions, internal audit, technology) to gain a better understanding of how well organizations are managing risk today. However, while organizations demonstrated they are making progress, they indicated that further opportunities exist to improve the way that they identify, manage and respond to risk.

Top five risks / Bottom five risks

Survey findings:
Top five risks
1. Financial
2. Operational
3. Regulatory
4. Cybersecurity
5. Reputational
Bottom five risks
1. Geopolitical crises
2. Natural disasters
3. Data privacy
4. R&D and product development
5. Mergers and acquisitions

Implications:
• While organizations have expanded their view of risk, they continue to primarily focus on preventable risks.
• Organizations that also focus on strategic and external risks are able to profit from the upside of risk.

Link risk to the business

Survey findings:
97% of organizations have made progress in linking their risk management objectives and business objectives ... but only 16% of the 97% consider them to be closely linked today.

Implications:
• Organizations have made a significant amount of progress in bridging the gap between risk management objectives and business objectives.
• However, greater opportunity exists for organizations to achieve stronger alignment.

Risk involvement

Survey findings:
66% of organizations indicated that risk management has limited involvement ... but 90% expect to be directly involved or providing inputs within the next three years.

Implications:
• Organizations recognize the value of directly involving risk management in business decision-making.
• Organizations that directly involve risk management are better able to identify, manage and respond to the risks that impact their business.

Trends/risk drivers

Survey findings:
Chart (Challenges / Opportunities): Cybersecurity; Reputation; Strategic transactions; Emerging markets; Economic stability; Technology shifts; Changing consumer preferences; Regulatory compliance.

Implications:
• We are seeing businesses impacted by a multitude of disruptive forces and mega trends globally, each requiring a different response to manage the associated risk.
• Organizations are challenged with developing a comprehensive view of risk, as well as regularly identifying and responding to existing and emerging risks.
• While a rapidly changing risk landscape creates challenges, it also presents opportunities.
• Organizations that manage risk well are better positioned to capitalize on the upside potential of risk.

Coordination of risk activities

Survey findings:
21% of respondents indicated risk activities are well-coordinated today; whereas 67% indicated they expect risk activities to be well-coordinated within three years.

Implications:
• Organizations expect to see a significant improvement in the level of coordination of risk activities.
• Companies must better align and coordinate risk activities throughout the entire organization to effectively and efficiently respond to risk.

Top internal audit skills or experience

Survey findings:
1. Critical/analytical thinking
2. Analytics
3. Risk management
4. Audit
5. Business strategy

Implications:
• Businesses clearly recognize that their Internal Audit functions require the appropriate skills and experience to address the risks associated with a rapidly changing landscape.
• Organizations must appropriately develop and align talent with the requisite skill sets — not only in Internal Audit, but across each of their lines of defense.

GRC technology

Survey findings:
46% of respondents do not yet utilize a GRC technology, 49% utilize one or more technologies and 5% did not know.

Implications:
• We have witnessed many organizations adopt and leverage technology — in many cases multiple technologies — to better enable and sustain risk management activities.
• Organizations must view technology as a way to more efficiently and effectively execute, as well as sustain, their responses to risk.

GRC technology capabilities

Survey findings:
Chart (scale: Medium to High): Audit and compliance management; Policy management; Continuous monitoring; Security and process controls; Process improvement or automation; Document management; Data analytics and modeling; Dashboards and reporting; Enterprise risk management; Access to third-party content; Incident or issue management; Business continuity management.

Implications:
• While organizations continue to prioritize capabilities typically associated with managing preventable risks, we are also seeing an increased demand for other capabilities (e.g., business continuity, data analytics and modeling, process improvement).

What we learned from the survey further validated our viewpoint that organizations need to think about, manage and respond to risk differently.
