Featured Consultant

Robert N. Charette
Director and Senior Consultant

The State of Risk Management Practice

1. Bob, you just finished a report on the current state of risk management practice. Can you tell me a little about the survey and what it covered?

Back in 2002, Cutter Consortium conducted its first comprehensive survey of the state of risk management practice in the IT community around the world.

That survey found that 86% of responding organizations claimed they were practicing risk management and 51% of those were practicing it in a disciplined, formal manner. We decided to repeat the survey in 2006 to find out if risk management practice had actually grown, and if so, by how much.

One hundred eighty-two people, representing 43 countries, completed the survey, similar to the response in 2002. The 2006 survey duplicated the 2002 survey questions - thereby creating a baseline - as well as asking additional questions on enterprise risk management practice. We asked over 50 in-depth questions ranging from whether organizations use risk management to the perceived level of support management gives IT project risk management efforts. We looked at how different industries and countries use IT risk management, as well as what managers at various levels of the organization thought about risk management.

The interesting thing is that we have now done two IT risk management surveys using the same data points; this allows us to track some trends in risk management practices. To my knowledge, no one else has done this before.

2. What major changes did you see between the 2002 survey and this year's?

This year's survey showed 80% of organizations claiming to do risk management, with 66% of those using formal approaches. So the application of formal risk management has increased quite a bit from four years ago, even as the overall percentage of organizations practicing risk management appears to be holding steady.

Similarly, we saw that the number of individuals claiming to apply formal risk management for more than five years doubled from 16% to 32%, indicating that risk management practice is maturing.

Nearly 93% of the organizations in our survey who said that they were doing risk management also had contingency plans in place. This is an increase from 72% in 2002, and seems to reflect a heightened awareness brought on by the major changes in societal risk seen over the last four years.

The last four years have further seen a major increase in training in risk management. In 2002, 65% of the surveyed organizations did not have any formal risk management training, while in this year's survey, that dropped to 35%.

The survey also shows that about 30% of organizations practicing risk management are also practicing enterprise risk management (ERM). Further, 71% of those practicing ERM are doing so because of governance or regulatory pressures. Business continuity management was also a very big driver.

3. What do you see as the most dramatic change in the survey results?

I would say it is the increase in formal risk management practice. At first, I was very doubtful that the uptake of formal risk management was as great as the survey indicated. However, the answers to other survey questions seem to support the increase being reported.

The survey data also indicates a shift away from "selling" risk management to organizations toward improving its practice. For instance, in 2002, gaining organizational buy-in was a major issue for organizations practicing either formal or informal risk management. In 2006, this issue, while still a concern for organizations practicing informal risk management, has almost dropped off the radar screen for organizations utilizing formal approaches to risk management.

4. Did you find anything unexpected?

I would say that the external drivers of risk management were much stronger than I had expected. In 2002, organizations responding to our survey indicated that neither Y2K nor 9/11 pushed them to take on risk management.

However, in our 2006 survey, it seems pretty clear that the changes in corporate governance requirements like Sarbanes-Oxley as well as changes in the external risk environment have strongly influenced organizations to practice risk management. I would guess that the events of the past four years, as well as future risks like the possibility of a pandemic have been traumatic enough to convince organizations that they need to actively manage their risks.

5. So, give us the bottom-line. What is the current state of risk management practice?

Based on the survey results, I would say that the overall current state of risk management practice is healthy and it appears to be growing into a standard organizational practice. It will be interesting to see whether risk management will reach a level of institutionalized practice in four years time when we conduct our next survey.
