Allison alluded to the interactive survey being done during the GRC keynote in her blog post this morning, and I happened to take down the questions and answers to all of them, so I figured I'd pass them along. There are some interesting results. My wording may not be exactly what was on the screen -- between my lousy handwriting and quickness in order to get it all down, my notes don't sound quite as clear as they did in Jim Dunham's verbiage.
1. What is the primary driver of GRC investment in your company?
37% Exposure/cost of non-compliance
17% Reduction in GRC costs
13% Internal/external transparency
13% Optimized business performance
13% Gains in mitigating risks
9% Reduction in GRC effort
Obviously cost is the main driver (generally speaking), but it was surprising to see people not concerned about effort and time. Perhaps if the crowd were more general, and not composed of GRC professionals, it would have been.
2. How would you characterize risk management in your company?
39% Managed only for compliance
11% Not managed
11% Top-down ERM approach
6% Integrated with line of business
Good to see the best option (ERM) catch up with the worst (not managed), but not surprising to see compliance lead this one.
3. In the next 2-3 years, what stage do you expect your company to achieve?
0% Manual processes
This referred to a model Jim talked about, but it essentially falls in line with the previous answer -- people are moving away from manual processes and have automation, but it's not necessarily optimized at this time.
4. In the next 2-3 years, what is your company's investment priority?
41% Compliance management
32% Automation and testing of controls
27% Risk management
0% Transaction monitoring
I was surprised to see no one select reporting, and also the level that risk management registered. I would have assumed an even greater majority would have been focused on compliance. Clearly some of this audience is already buying into Jim's (and SAP's) message.
5. What is the biggest benefit you see in bringing together GRC and business planning and strategy?
48% Reducing risk and compliance violations
43% Ability to mitigate risks
5% Improving operational effectiveness
5% Optimizing outcomes of business initiatives
0% Increasing working capital
0% Decreasing cost of capital
This one is the clearest indicator that it was entirely GRC professionals answering the questions -- surely folks in other areas would have picked some of the other options.