        Robert Kugel's Analyst Perspectives

        Addressing Key Operational Risk Requirements

        I’ve frequently commented on the artificiality of the emerging software category of governance, risk and compliance (GRC). The term is used to cover a combination of what were once viewed as stand-alone software categories, including IT governance, audit documentation and industry-specific compliance management, to name three examples. While it’s still common for specific types of software to be purchased piecemeal by different departments, these disparate areas have started a long convergence process. Since just about all controls and risk management efforts depend on a secure IT environment to be effective (a control whose evidence, workflow or data can be tampered with is not a control), there is a growing interdependence between effective IT governance and everything else connected with enterprise GRC.

        Our research has established that companies are immature with respect to their risk and compliance activities. One fertile area where most companies can make substantial improvements is in operational risk effectiveness. Although one-fifth or fewer said their operational risk controls are ineffective, even fewer rated them very effective. For example, just 20 percent said their company’s controls for natural disasters are ineffective, but only 15 percent assessed them as very effective; the rest rated their controls in the middle category, effective. Just 9 percent have controls for supply chain disruption, and therefore almost all must improvise in response to these relatively common occurrences. Certainly, companies with big, important brands pay attention to the risk of reputational loss. Yet even small businesses must now contend with the impact of negative reviews on a range of websites, assuming they even know that one has been posted. Just one in eight (13%) has effective controls to deal with natural disasters, and that is the leading risk category. More than a decade after the Sarbanes-Oxley Act was enacted to address it, just 6 percent of companies say they have effective internal fraud controls. (Private U.S. companies are not required to document these controls, but for the sake of good governance the controls must be present and effective.) The research shows that companies are weakest at controlling demand disruption (26% said their controls are ineffective and just 5% said they are very effective) and reputational loss (26% and 9%, respectively).

        The responses show that a majority of organizations believe they are doing reasonably well, but I disagree. “Somewhat effective” is a risky attitude. This type of thinking leads to complacency and a lack of effort to improve risk management. I think “very effective” ought to be the standard companies apply to their risk controls.

        Financial controls are easier to implement, and there is a long history of their use, yet here again many companies are lagging. Of six key financial risk management efforts we listed, participants identified as the most effective their controls for material financial misstatements (the key objective of the Sarbanes-Oxley Act), with 37 percent saying they are very effective and 51 percent calling them effective. Fewer rated their credit controls very effective (24%), though only 5 percent said they are ineffective. The explanation for this distinction may be that, whereas the consequences of material financial misstatements are direct and severe (likely requiring restatement of financial results and possibly a loss of investor credibility), there may be a strategic reason for a certain laxity in granting trade credit (such as trading off higher revenues against increased credit losses). Controlling risk through contingency planning was identified as the least effective control, with just 14 percent saying it is very effective and 34 percent labeling it ineffective. (Of course, in this case such an assessment is speculative, since a contingency plan is only truly tested when the contingency occurs.) Across industries, finance, insurance and real estate companies rated their risk management efforts more effective, likely because risk management is a well-established practice and readily quantifiable in those industries. Midsize companies rated their tax risk management as very effective much less often than larger ones, likely because they have fewer resources to devote to it; they also said more often that they are ineffective at preventing disruption of funding.

        Managements in heavily regulated industries are more attuned to the risk of compliance failures. Those in financial services businesses are regularly focused on risk because it is a core competence (after all, risk is what insurance is all about). Other types of industries, however, pay less attention to managing risk and usually implement change only after disaster strikes. Human nature being what it is, many successful executives and managers are less inclined to focus on risk, yet companies will find that regular risk reviews are in order to challenge assumptions and consider potential responses before unfavorable events occur. Along with this, companies must define and develop methods for spotting risk events sooner and responding faster. The research finds that one of the most often identified benefits companies get from GRC efforts is being able to identify and manage risk faster (chosen by 79%), followed by improving the control environment (59%) and preventing situations from occurring because of neglect (54%).

        Managing risk and compliance effectively is an important component of good governance. Managing risk intelligently enables organizations to be more successful because it can deliver a competitive edge. Those businesses that are good at managing risk are able to make aggressive moves more prudently, spot negative trends faster, and respond more quickly and effectively when disaster strikes. Harnessing IT for more intelligent risk and compliance management is an important practice in operational risk management. Executives and managers must become familiar with the technology if they want to manage risks as intelligently as they should.


        Robert Kugel – SVP Research


        Robert Kugel
        Executive Director, Business Research

        Robert Kugel leads business software research for Ventana Research, now part of ISG. His team covers technology and applications spanning front- and back-office enterprise functions, and he personally runs the Office of Finance area of expertise. Rob is a CFA charter holder and a published author and thought leader on integrated business planning (IBP).

