A Gartner survey of more than 100 organizational risk leaders shows that ERM is maturing as a function. As Gartner’s Matt Shinkman explains, however, the ERM function still has a long way to go to complete its integration into key business activities.
2018 was a year of continued progress for enterprise risk management (ERM) teams. Five years ago, just 57 percent of ERM leaders considered their function mature or relatively mature. According to Gartner’s latest survey, conducted in 2018, that figure has risen to 96 percent.
ERM leaders have achieved this notable progress during a period in which budgets have grown only marginally and staffing levels have remained flat. Given how much the risk landscape has expanded in the last five years, this strongly suggests improving levels of effectiveness and productivity in the ERM function, because it has handled more risk without any significant increase in resources.
Budget expectations from ERM leaders for 2019, however, show a stark departure from previous norms, with the average expected increase jumping to 16 percent. Flat team sizes and increasing budgets suggest that the higher spending is funding better technology to some extent, but also higher salaries, since salaries are still the single biggest drain on ERM budgets.
In monetary terms, the median ERM budget was around $500,000 in 2017 and 2018, but is expected to rise to around $590,000 in 2019.
It’s interesting to note that skeptical attitudes to governance, risk and compliance (GRC) tools remain, with 26 percent of respondents saying they have no tool in place and have no plans to change that situation soon. A further 19 percent have no tool in place, but are evaluating vendors. So, in total, considerably more than one-third of respondents have no GRC tool. Furthermore, sentiment among those who do have one is far from uniformly positive, given the average Net Promoter Score of just 5.5/10 from ERM users.
Looking more specifically at attitudes toward data analytics investments, a different picture emerges. Although just 7 percent of respondents use advanced analytics technology as a routine part of daily operations, a further 71 percent use it on a case-by-case basis or plan to adopt it in some form soon. Moreover, 94 percent of adopters agree that data analytics has “significantly enhanced the value that ERM adds to the organization.”
This sentiment further confirms the hypothesis that budget increases are likely to be spent on technologies pertaining to analytics and on hiring people with the right skills (or training people without them).
The survey responses also show that the ERM function still has a long way to go to complete its integration into key business activities. In 2013, more than half of ERM leaders said their team did not participate at all in corporate budgeting; that proportion has not changed significantly since.
We see a very similar lack of progress when looking at ERM’s role in capital allocation decisions. The rate of ERM participation in publicly disclosing risk remains high, at 72 percent, but it also has not changed significantly in the last five years.
Even in terms of integration with other assurance functions, there is work to be done; fewer than half the respondents (44 percent) reported that their ERM function has an established process for sharing risk and control information with other assurance groups. Just 11 percent of respondents said their ERM team worked consistently with other risk control groups to provide holistic risk reporting.
With digital and technological disruption expanding the risk landscape and increasing the velocity of business, this lack of integration poses a risk in itself. In the current scenario, it’s at least plausible that important risks are slipping through the cracks between assurance functions and are therefore not being managed effectively.