Guess which three critical areas of enterprise risk management (ERM) programs typically fall short? People, process and technology.

If you’re thinking, “Thanks for the news flash, Bloggy,” I don’t blame you. But bear with me: the reason I mention these results of a survey that KPMG LLP conducted is not because of what the results were, but because how they were measured.

The firm asked respondents – internal auditors and corporate board members – to evaluate, among other important ERM facets, their company’s “risk culture.”

The survey found significant deficiencies around risk culture: 58 percent of respondents reported that their company’s employees had little or no understanding of how risk exposures should be assessed for likelihood and impact.

“Since risk culture includes organizational / human behavior, as well as related training and ‘tone at the top,’ it’s noteworthy that one-third (33 percent) of the respondents said that key leaders in their organization had no formal risk management training or guidance, with only 16 percent receiving frequent (at least annual) training,” reads KPMG’s press release on the subject.

The author of the release told me that KPMG’s GRC experts have been happily surprised by how many people have mentioned the survey results to them – and expressed appreciation for focusing on the behaviors behind the people, process and technology.

I’ve emphasized the importance of behavior in GRC, and I’m glad to see that KPMG, and many others, agree:

“When ERM programs miss the ‘behavioral’ piece of the equation, there is no foundation for critical thinking and judgment around decision-making,” noted John Farrell, KPMG’s lead partner for ERM. “All executives – particularly senior management – must understand the risks facing their organization in order to help define their company’s risk appetite and effectively manage risks.”