As the global economy shows cautious recovery, organizations are beginning to delve into new products, customers and regions in an effort to expand the business. But, according to a new study, the growing risk they face is unfortunately not being tempered by the right technology.
Although companies are looking to increase their “risk appetite,” a new study by Cary, N.C.-based SAS Institute Inc. finds three out of five respondents in a pool of 315 executives cite growing complexity in that risk exposure.
“There’s a real concern … that basic technology infrastructure is probably out-of-date or inadequate to cope with greater complexity that’s being brought forward by these companies,” said Wes Gill, executive lead for enterprise risk management with SAS Canada.
That complexity can be internal and external, where the latter can be the crisis in the Middle East or the earthquake in Japan. Internal risk in the business can be IT systems failure, lack of governance processes, and inaccurate reports created from bad data.
But while the survey reports two-thirds of respondents cite that external risks present a bigger challenge than internal ones, only 52 per cent have put in place risk management processes to deal with either type.
Respondents to the survey were primarily executives in risk management roles in financial services. Historically, said Gill, the issue has been that the financial sector has “grown up in silos,” which means data sources are scattered across global organizations.
“Just look at the number of data marts,” said Gill.
It’s really no use examining the past and present information alone, said Gill. Rather, businesses must look at where they are going and do the analytics in a timely fashion. The challenge, he added, will be to bring all that data together into a single view in order to facilitate sound decision-making.
Gill, who has spent two decades working in financial services, said it’s not just about technology and governance. The risk management and business groups must better communicate and maintain transparency regarding what’s going on and where they are going.
“You can then start talking about, ‘How can we co-operate to both achieve your objectives of increasing, say profit … and risk objectives of governing the corporation,” said Gill.
One risk management expert said it’s not good practice that chief information officers often end up as quasi-risk managers. The problem, said John Evans, is because it’s not an IT leader’s responsibility to identify and evaluate risks to the business.
“Risk management is a completely different function; it’s to look at the information and say, ‘What is significant and what could go wrong?’” said Evans.
–with files from IDG’s Georgina Swan