While many companies pay lip service to the concept of risk management, nearly one-third are not devoting any budget to these programs and almost one-quarter have no risk management initiative at all, a new study says.

According to a report published this week by security and compliance vendor Sailpoint, 77 percent of companies surveyed have a risk management function within their IT organizations. However, nearly 30 percent of those companies don't allocate budget to that function.

"That means nearly 50 percent of the affected companies either do not have, or underfund, their IT risk management activities," Sailpoint says.

In addition, only 43 percent of respondents said they could present a complete record of user access privileges for each employee in a single day. Forty-two percent said they do not have the ability to immediately remove all access privileges for terminated employees in the event of a large layoff.

Seventeen percent said "it's just a matter of time" before an internal breach occurs, and only 14 percent said they have the right controls in place to prevent insider threats.

"The survey showed that companies lack the necessary transparency to adequately manage worker access to sensitive data and applications," said Jackie Gilbert, SailPoint's co-founder and vice president of marketing. "Since we conducted our first survey last November, close to half of our respondents have undergone major layoffs. In light of this heightened risk, 'what you don't know' can have real consequences on businesses -- and executives are starting to realize that."

Have a comment on this story? Please click "Discuss" below. If you'd like to contact Dark Reading's editors directly, send us a message.