FAIR Institute Releases 2017 Risk Management Maturity Benchmark Survey Findings

Nov 20, 2017 5:11:09 PM / by Luke Bader

Results show low risk management maturity levels regardless of industry or organization size; findings suggest cyber and technology risk managers may be going through the motions of risk management without addressing the fundamentals of well-informed decision-making or reliable execution.

Originally published November 20, 2017 by Globe Newswire

Reston, Va., Nov. 20, 2017—The FAIR Institute, an expert non-profit organization led by information risk officers, CISOs and business executives to advance the discipline of measuring and managing information and operational risk, today released key findings and conclusions from its 2017 Risk Management Maturity Benchmark Survey, sponsored by RiskLens and RSA.

The FAIR Institute and RSA will hold a joint webinar Tuesday, Dec. 5, at 3 p.m. (ET), to discuss key findings. The webinar will be hosted by FAIR Institute Chairman Jack Jones and will dive into the current state of organizational risk management and recommendations on how organizations can move forward in effectively aligning their risk posture.

FAIR Institute Chairman Jack Jones commented: “Our survey was undertaken to help gauge the current state of cyber and technology risk management maturity. The intent being, if we know our strengths and weaknesses — and their significance — then we can make informed choices about how to improve over time. On the webinar we will deep-dive into key findings and conclusions, including why just five percent of all respondents rated their organizations as ‘Strong’ across ten or more of fourteen factors.”

The report’s key findings show cyber and technology risk management programs going through the motions on risk management, putting policies, processes and technologies in place without addressing the fundamentals of well-informed decision-making and reliable execution. As a result, these programs are more likely to:

  • Struggle with identifying and maintaining a focus on their most significant priorities, wasting limited resources on lower risk concerns and potentially delaying remediation of truly high risk concerns.
  • Implement risk mitigations that are less cost-effective, missing the opportunity to apply the misspent resources on other risk concerns or business opportunities.
  • Experience control failures due to unreliable execution, which introduces avoidable levels of risk.
  • Experience a ‘risk management groundhog day’ — repeatedly experiencing the same failures by not recognizing and treating root causes.

The survey, administered Aug. 1 to Sept. 8, was completed by 114 respondents who identified as: Chief Information Security Officer (24%); Cyber Security Specialist (20%); Risk Officer (16%); Risk Analyst (11%); and C-Level Executive (6%); 22% chose ‘Other’ to describe their role within their organization.

A wide variety of industries and organization types were represented: Banking/Finance (27%); Technology (23%); Healthcare (8%); Insurance (7%); Manufacturing (5%); Retail (4%); Telecommunication (3%); Transport/Logistics (3%); 19% of respondents selected ‘Other’ to describe their industry.

Survey respondents represented organizations of various sizes, with smaller and larger organizations making up over half of all responses: less than $500M in annual revenue (31%) or greater than $20B in revenue (25%). Typical midrange organizations had annual revenue between $500M and $1B (11%), $1B to $5B (16%), and $5B to $20B (18%).

About the FAIR Institute

In less than two years, The FAIR Institute has attracted more than 2,000 members and established itself as the premier organization for learning how to manage information and operational risk from a business perspective, enabling cost-effective decision-making. An expert, non-profit organization led by information risk officers, CISOs and business executives, the FAIR Institute was created to develop and share standard information and operational risk management practices based on FAIR. Factor Analysis of Information Risk (FAIR) is the only international standard value-at-risk model for information security and operational risk. To learn more and get involved visit:

Written by Luke Bader

Luke Bader is Director, Membership and Programs for FAIR Institute
