The Corporate Governance Consultancy Services recently conducted a study to determine the internal process that leads to an organization creating and executing on an internal risk management program.
Surprisingly, a whopping 63% of companies said risk management programs came from their IT Departments, compared to only 13% from Legal and 13% from Operations. An overwhelming number of companies look to their IT Department to solve and implement risk planning.
While it makes sense for companies to ask IT Departments to spearhead the creation of an internal risk program, it can lead to an over-reliance on software and technology to drive risk management compliance, especially given that over 60% of those same companies report little or no communication between the IT Department and the Operations or Legal departments.
Combining a lack of resources with the silo effect of placing an isolated IT Department solely in charge of implementing internal risk management practices is problematic, because technology and software solutions are given priority over human interaction, client communication, and improving relationships with vendors, contractors and suppliers.
When asked what outcomes they hoped to achieve from the technology side of their internal risk program, the top response was Risk Assessment, which is a natural expectation of an IT-driven approach. However, the fourth most sought outcome was Incident Response and Management, something that is harder to improve when the solution comes purely from an IT Department implementation.
While it makes sense that many organizations look to their IT Department for the creation and implementation of a risk management program, if over 60% of those companies also silo the IT Department from communicating and working with Operations and Legal, the scope of the risk program will inherently be limited.
Human interactions and hands-on personal review of insurance and compliance documents by trained risk management personnel cannot be replaced with a pure technology solution, and creating a workable risk management program should never result in a siloed approach separating IT, Operations and Legal.