Survey: Executives struggling to measure and mitigate strategic risks

"Proactively viewing strategic risks as a driver of opportunity is a key component to comprehensive risk planning"
CHICAGO, IL -- A new survey from Grant Thornton LLP finds that almost two-thirds of executives (64 percent) see strategic risk as a highly significant threat to their organizations compared to other types of risk – including compliance risk, operational risk and financial risk. Despite this high level of concern, the executives feel their real-world ability to manage strategic risk falls short, with only 43 percent saying they have effective measurement and monitoring in place and only half saying they can provide effective mitigation.

Now in its sixth year, the Governance, Risk and Compliance (GRC) Survey also finds a similar gap between the level of concern that business-specific risks cause executives and their ability to identify and mitigate those risks. With regard to cybersecurity, although 60 percent of executives report that their cybersecurity risk is significant, only 43 percent measure and monitor it effectively – and just 46 percent are effective at mitigating it. Conversely, many risks that do not strongly worry executives receive substantial attention from management. For example, only 13 percent of executives view tax as a significant risk, but 44 percent perform substantial measurement and monitoring of tax risk.

“Proactively viewing strategic risks as a driver of opportunity is a key component to comprehensive risk planning,” said Warren Stippich, partner and Grant Thornton’s national Governance, Risk and Compliance practice leader. “Leaders who are successful in implementing prudent risk management approaches that add a strategic risk point of view can maintain and enhance their organization’s competitive advantage. Recognizing the risks in achieving objectives and providing the proper balance between investment in measuring and monitoring for such risks is key to optimizing GRC activities.”

The survey also reveals that many organizations face a large challenge in moving toward a higher maturity of GRC activities – 43 percent of respondents say they are operating their compliance efforts at an ad hoc or fragmented/siloed level. In addition, organizations that responded spend 12 percent of total revenue on GRC activities; however, spending levels vary widely across organizations. Almost half (48 percent) spend just 5 percent of total revenues or less on GRC activities.

When asked about the adoption of data analytics and technology for GRC activities, only 34 percent of organizations say that they are implementing these tools. However, overall general use of data analytics has improved. The response of “None” decreased from 37 percent to 28 percent from 2015 to 2016 when respondents were asked to name the function for which data analytics is used. But while use of data analytics is increasing, many organizations fail to recognize its value for improving GRC functions – only 8 percent of executives use data analytics to monitor third-party compliance, despite the dangers third parties pose.

Other highlights from the survey include:

  • Sixty-three percent of executives cite regulatory risk as significant, the highest among business-specific risks. This is followed by cybersecurity risk (60 percent), market risk (52 percent) and competitive risk (50 percent).
  • Twenty-one percent of organizations don’t rate third parties by the risks they pose, and nearly half (41 percent) don’t audit any of their third parties.
  • For departments involved in GRC activities, 43 percent of executives cite skill shortages in audit departments, while 38 percent cite skill shortages in operations leadership/management departments.
  • Fifty-seven percent of organizations use data analytics for performance measurement, up from 45 percent in 2015; 26 percent use it for predictive analytics; and 17 percent for forensic analysis.
  • Reliance on data analytics did not vary based on the size of the organization: Thirty-five percent of companies with less than $100 million in revenue use data analytics for GRC activities, while 35 percent with $100 million to $1 billion in revenue use data analytics and 34 percent with $1 billion or more in revenue use data analytics.

Please visit Grant Thornton’s Governance, Risk and Compliance Survey for a copy of the survey findings.

About Grant Thornton LLP’s Governance, Risk and Compliance Survey

The 2016 survey was administered online in January and February 2016. The survey received 535 valid submissions from a mix of executive titles and roles familiar with GRC activities. Participants in the GRC Survey represented a range of organization types, sizes and industries in the United States.

About Grant Thornton LLP

Founded in Chicago in 1924, Grant Thornton LLP (Grant Thornton) is the U.S. member firm of Grant Thornton International Ltd, one of the world’s leading organizations of independent audit, tax and advisory firms. In the United States, Grant Thornton has revenue in excess of $1.45 billion and operates 59 offices with more than 550 partners and 7,000 employees. Grant Thornton works with a broad range of dynamic publicly and privately held companies, government agencies, financial institutions, and civic and religious organizations.

“Grant Thornton” refers to Grant Thornton LLP, the U.S. member firm of Grant Thornton International Ltd (GTIL). GTIL and the member firms are not a worldwide partnership. Services are delivered by the member firms. GTIL and its member firms are not agents of, and do not obligate, one another and are not liable for one another’s acts or omissions. Please see for further details.

Grant Thornton LLP
Adam Bond
T +1 312 602 8332