How effective is risk management today?

That is a question that State of Enterprise Risk Management 2020, from ISACA®, CMMI Institute® and Infosecurity Group, attempted to answer. They “surveyed a global population of over 4,500 professionals involved in risk decisions for large and small enterprises, across six continents and all industries, from manufacturing to government and financial services, and every industry in between”.

My opinion is that if you want to know how effective risk management is, you should ask the customer and not the provider.

Pretty much every survey of top executives and board members has, for years, told us that they do not see risk management as much more than a compliance exercise, something you do because you have to: a requirement of governance codes and boards urged on by consultants. World-class, effective risk management helps people make the informed and intelligent decisions necessary for success. It helps the management of success rather than failure.

But the report does have some interesting comments, including (with my highlights):

• …practitioners who make risk decisions on behalf of their enterprises (e.g., risk managers, cybersecurity specialists, auditors, and governance and compliance…