In a previous post, I talked about the “illusory superiority” effect, and how it blinds people to the fact that, on average, it’s unlikely that they use data better than their competitors.

Guess what? It turns out that it applies to governance, risk, and compliance, too. Here are some figures from another Economist Intelligence Unit Survey, “Ascending the Maturity Curve, Effective Management of Enterprise Risk and Compliance”:


We can see that of those who haven’t experienced failures, only 1% believe that they are worse than average – and even among companies that have experienced failures, fully 87% believe that they are as least as good as their peers.  Unless the Economist has stumbled across a particularly great group of companies to study, it seems clear that most organizations are overestimating the quality of their GRC practices, and hence underestimating the real risks they are running…

There’s also data in the report that seems to indicate that the finance function is the mostly likely to be blindsided – as you can see in the chart below, they are far more likely to say that there was no significant risk or compliance failure in the past three years. Since this is not a group known for their exuberant optimism, it’s likely that they simply didn’t know about the risks run by the other teams…


In conclusion, if you’re in the finance function, and responsible for your GRC practices, it’s likely that you should be investing more than you are today. For more information, check out SAP’s GRC products, and Norman Mark’s blog on Governance, Risk Management, and Internal Audit.