KPMG survey finds increasing concerns about information technology risk
The majority of corporate audit committee members are increasingly concerned about information technology risk, according to a survey by the Audit Committee Institute (ACI) of KPMG LLP.
The survey revealed that the speed and impact of IT developments – from the influence of the cloud to social media and mobile technologies – are causing company directors to probe more deeply into ‘defensive’ IT risks, including data privacy and security, cyber risk, and regulatory compliance.
Importantly, directors are also sharpening their focus on an underlying strategic IT risk: the failure to understand IT as a critical business driver and to leverage technology as part of the company's strategy and business model.
The survey polled 240 audit committee members serving boards of at least one US public company.
More than half (58 percent) of corporate audit committee members said they need to devote more time to the oversight of IT risk and emerging technologies, while 70 percent pointed to ‘lack of innovation’ as a potential threat to their businesses.
"Boards and audit committees are sharpening their focus on their companies' increasing vulnerabilities in IT and technology," said Jim Liddy, KPMG's US vice chair - Audit. "This data is valuable because it confirms what KPMG is hearing directly from clients who are confronting the risks brought on by rapid technology change and its implications for strategy, cyber security, and compliance.
"Directors also recognize that linking risk and strategy continues to be a challenge for their companies," Liddy said, noting that corporate strategy was ranked third-highest among the issues where audit committees say they want to devote more time over the next year.
The study also found that audit committee members are not happy with the quality of the information they receive regarding IT risk – fewer than half (41 percent) expressed satisfaction. Survey respondents also indicated that they want to hear more frequently from the chief information officer (CIO), mid-level management, and the chief risk officer (CRO).
In addition, only 34 percent of respondents indicated they were satisfied that they hear dissenting views about the company's risk environment and related controls.
"The quality of information regarding IT risk was ranked lowest of all categories," said Mary Pat McCarthy, vice chair and executive director of KPMG's Audit Committee Institute. "This reflects the ongoing challenge, and the critical importance, of effective communications with the CIO – in plain-English and business context."
- 42 percent said their company's risk management program still ‘requires substantial work.’
- Of the types of systemic risks posing the greatest threat to their companies, respondents were most concerned about economic and financial risk, at 87 percent; cyber risk (assault on global IT infrastructure), at 41 percent; geopolitical risk, at 39 percent; and supply chain risk, at 32 percent.
- 8 percent said they were satisfied that the company is "ready to respond" in the event that a crisis ‘goes viral’ through social media networks (and 23 percent were not sure).
- 22 percent reported that the company's crisis-readiness and response plans were ‘robust and ready to go.’
- 62 percent of respondents said their board or audit committee had not received briefings on the company's plans for employing the cloud.
- 77 percent said their audit committees or boards had not yet discussed the company's policy concerning use of social media to reach customers and investors.
• Date: 25th October 2011 • Region: US/World • Type: Article • Topic: Enterprise risk management