2015 Forrester Survey

SURVEY

The State of Enterprise Risk Management 2016

By Stephanie Balaouras

Forrester Research and Disaster Recovery Journal have partnered to field a number of market studies in business continuity (BC), disaster recovery (DR), and overall enterprise risk management (ERM) in order to gather data for company comparison and benchmarking, to guide research, and for the publication of best practices and recommendations for the industry. This is the ninth annual joint survey. This particular study focuses on the state of ERM. Specifically, we designed this study to determine:

ERM roles, responsibilities, and reporting structure.

The relationship of business continuity to ERM.

Crisis response, including business continuity crises and other brand and reputational crises.

The solutions firms invest in to facilitate ERM.

More and More Firms Have Formal Enterprise Risk Management Programs

According to our study, 40 percent of firms have a formal enterprise risk management program, while another 27 percent say they have a single director or head of risk for select areas but not necessarily a broad enterprise program (see Figure 1). It's clear that more and more firms are making the effort to unite isolated areas of risk management in order to more objectively identify, assess, mitigate, and respond to risks to organizational goals.

Heads of Risk Management Are Reporting Higher into the Organization

Together with more formalized programs, we see the increasing presence of a chief risk officer (CRO), which has not always been common. CROs first started appearing after Basel I was established in the late 80s/early 90s. They were responsible for credit and liquidity risk, to make sure financial services firms kept enough capital on hand in the case of major market fluctuations. They then became even more common and prominent as firms had to deal with compliance with Sarbanes-Oxley in 2004 to 2005. In this survey, we found that:

DISASTER RECOVERY JOURNAL | WINTER 2016


Thirty-four percent of firms have a CRO. In addition, another 17 percent of firms say they have a single head of business or operational risk. Both trends support the convergence of multiple risk management domains under a single leader (see Figure 2-1).

The head of risk is most likely to report into the office of the CEO. Thirty-two percent report that their head of risk reports into the office of the CEO (see Figure 2-2). Where the head of risk management reports dictates the focus of your firm's risk management initiatives. If your head of risk management reports into legal or compliance, the focus of your efforts is obviously on reducing risk from these areas at the lowest possible cost; it's not using ERM as a means to maximize business performance. As more heads of risk management continue to report into senior business leaders, the focus of the program becomes more expansive.

The head of risk reports directly into a C-level executive. It's not only important where your head of risk management reports but how high into the organization. Too far removed from a C-level executive and your head of risk won't have enough influence to affect changes in strategy, operations, and risk mitigation efforts across the firm. He or she will also struggle to garner business participation in risk assessments, response plan development, and response plan simulations. Our survey revealed good news: 78 percent of the heads of risk management report directly into a C-level executive.

ERM Responsibilities Are Increasing

As firms continue to seek to formalize their ERM efforts, they are both unifying and taking on responsibility for additional areas of risk management. According to our study:

Seventy-five percent are fully or mostly responsible for operational risk. Other areas of notable responsibility include regulatory and compliance risk (71 percent) and information security and privacy risk (68 percent) (see Figure 3-1). Most organizations still have dedicated teams for these areas, but the data demonstrates demand to ensure that there is an objective understanding of how these risk areas impact organizational goals and objectives, plus how they affect the organization's risk posture. It's also a reflection that every group has a role to play in responding to these risks. For example, if your firm suffers a data breach, your security incident response team will be responsible for the immediate containment, eradication, and recovery from the attack, but enterprise-wide coordination and crisis communication is best handled by the BC team.


Within operational risk, responsibilities focus on minimizing business disruption. Within operational risk, we see most ERM responsibilities focused on traditional BC crisis events such as business disruptions and workplace safety. Once again, there is an emphasis on legal and compliance risk (see Figure 3-2).

ERM and BC Teams Are Working More Closely Together

Historically, BC teams have coordinated with counterparts in risk management but haven't necessarily taken the extra step to begin collaborating closely on core planning processes such as business impact analysis and risk assessments; this is starting to change. Our survey also found that:

Thirty-seven percent of BC teams say they report directly into ERM. An additional 29 percent say they work closely with risk management to share information (see Figure 4-1). This trend is reinforced by data from our 2014 State of Business Continuity survey. In that survey, 16 percent of respondents said the CRO was the executive-level BC sponsor; this is a significant increase from 2011, when it was only 9 percent. We expect this trend to continue and for the CRO to eventually become the dominant executive-level sponsor for BC.

ERM teams are involved in the entire BC planning lifecycle. We also see a degree of involvement between risk management professionals and dedicated BC professionals (see Figure 4-2). In fact, as firms continue to consolidate operational risk domains under a single umbrella and make less and less of a distinction between the category of risk to the business and how to identify and prepare for it, we'll see a unified approach to planning, from BIAs and risk assessments to plan development and testing.

Documented Response Plans Frequently Focus on Data Integrity

BC pros often have three or four generic plans that address loss of employees, loss of physical facilities, and loss of technology/IT. These impact-based plans assume a critical resource is unavailable and the firm must invoke a given BCP to address it. They are useful because you can't anticipate every possible risk scenario, and this way you at least have a basic plan in place. These are helpful for risk scenarios such as extreme weather or IT outages, but they aren't detailed enough to address other types of crises, so the firm has to develop scenario-based plans. In our study:


Most have plans for data tampering, workplace violence, employee misconduct, and privacy breach. Data tampering is a broad category that could include firms deliberately tampering with the results of their own internal tests for a given product or service, but it could also include malicious insiders or external actors stealing or manipulating data for individual gain. Privacy breaches typically focus on security breaches of customers' personal information, which require formal breach notification in most regions of the world, or could also involve the inappropriate use or transfer of personal information (see Figure 5-1).

Plan exercises occur annually for most risk scenarios but most frequently for data integrity. When it comes to data tampering and privacy breaches, firms are more likely to test these more frequently than other plan types: 27 percent and 20 percent, respectively, say they test these plans more than once per year (see Figure 5-2). They also have the lowest percentage of respondents who say they never test these plans.

Business involvement in simulations remains unacceptably low. Perhaps one of the more disheartening statistics in our study: it turns out that only about one-third of CEOs and representatives bother to participate in plan simulations (see Figure 5-3). This is unfortunate because the CEO sets the tone for the organization, and when it comes to customer-facing or highly public breaches, they'll be under tremendous scrutiny.

A Majority Have Invoked a Response Plan During the Last Five Years

Individuals not involved in enterprise risk management often view risk mitigation efforts and response plans as expensive insurance policies their firms will rarely, if ever, use. However, as is often the case, conventional wisdom is wrong. According to our study, 58 percent of respondents have invoked a response plan at least once during the last five years. According to our study:

Data tampering, employee misconduct, and political or social unrest caused the most frequent invocations. Security pros often remark that there are two types of companies: those that have been breached, and those that don't know it yet. It's an apt saying when you consider that 56 percent of firms have had to invoke a plan for data tampering and 38 percent have invoked a plan for a customer privacy breach (see Figure 6-1). Interestingly, 40 percent of firms have had to invoke a plan to deal with political or social unrest. However, this is often the type of plan firms fail to document ahead of time, which means most fall back on generic impact-based plans.

Customer privacy breaches cause the most significant impact to the organization. Just how much impact? Well, consider that in its most recent 10-Q filing, Home Depot attributed $232 million in pretax gross expenses to its September 2014 customer


data breach. Breach costs include the cost of the forensic investigation, breach remediation, customer breach notification, and services such as credit monitoring, legal fees, etc. However, the costs don't stop there. Home Depot's costs could continue to rise due to impending lawsuits and future counterfeit fraud claims from card networks.

Six months after the crisis, employee morale and corporate strategy still suffered. In addition to the direct costs attributed to the immediate response to the crisis, the firm will feel the impact for some time. According to our study, six months after a crisis, respondents report that the cost of dealing with the crisis forced them to re-prioritize other strategic investments and that it was still having an effect on employee morale (see Figure 6-2). It's a cycle that can feed itself. Employees are likely demoralized from dealing with the aftermath of the crisis or repeatedly seeing the firm's name in the news. Having to delay or forgo strategic investments further feeds this demoralization.

Technology Focuses on Communication and Core Planning

Unfortunately, in risk management there is no single solution that provides all of the capabilities you need for: 1) the upfront planning (business impact analysis and risk assessment); 2) the plan development (document, maintain, and test plans); and 3) the incident or crisis response itself (real-time collaboration, communication, and decision-making based on internal and external information). Even within these areas, there are tools that specialize in delivering specific functionality, for example, automated communication solutions that provide reliable mass and two-way communication, or geospatial risk mapping and visualization tools that overlay multiple data feeds (e.g., social media, weather data, surveillance cameras, access points, etc.) onto maps to add risk context during incident/crisis response. In our survey:

New investment is going to automated communication and BC planning software. Firms tend to invest in automated communication services because the scale, reliability, and other functionality of these solutions is almost impossible to duplicate with internal tools. Communication is also one of the areas that firms struggle with during an incident/crisis. For some time, investment in BC planning software had plateaued because there wasn't much innovation in the software. Most vendors focused on delivering the core planning capabilities but lacked real-time incident/crisis management functionality. Planning still remains the core value proposition, but many vendors have begun expanding focus to


include vendor risk management and improve their incident/crisis response. According to our study, 32 percent of respondents plan to implement new deployments or expand existing deployments of their automated communication and 32 percent plan similar investments for BC planning software (see Figure 7).

Most risk management pros haven't made up their minds. Perhaps just as notable as what respondents say they plan to invest in is the fact that so many of them still haven't made up their minds whether they would deploy a given solution, or even understand what functionality the solution provides. For example, 15 percent of respondents replied "don't know" on the question of GRC platform investment or investing to secure a risk intelligence provider.

Study Methodology

In the fall of 2015, Forrester Research and Disaster Recovery Journal (DRJ) conducted an online survey of 188 DRJ members and Forrester clients. In this survey:

All respondents indicated they were decision-makers, influencers, or contributors to their firm's risk management activities.

Respondents were from a range of company sizes: 40 percent had 1 to 999 employees; 23 percent had 1,000 to 4,999 employees; 13 percent had 5,000 to 19,999 employees; and 25 percent had 20,000 or more employees.

Respondents were from companies with a range of revenues: 46 percent of respondents were from companies with revenues of less than $500 million; 12 percent were from companies with revenues of $500 million to $999 million; 21 percent were from companies with revenues of $1 billion to $4.99 billion; 4 percent were from companies with revenues of $5 billion to $10 billion; and 18 percent were from companies with revenues of more than $10 billion.

Respondents were from a variety of industries.

Respondents were primarily from North America, but there was representation from Europe, the Middle East, Africa, and Asia. Many companies had business operations in multiple regions: 84 percent of respondents had locations in North America; 11 percent had locations in Europe, the Middle East, or Africa; 4 percent had locations in Asia; and 1 percent had locations in South America.

This survey used a self-selected group of respondents (DRJ members and Forrester clients) and is therefore not random. These respondents are more sophisticated than the average. They read and participate in business continuity and disaster recovery publications, online discussions, etc. They have above-average knowledge of best practices and technology in BC/DR and enterprise risk management. While nonrandom, the survey is still a valuable tool in understanding where advanced users are today and where the industry is headed.

Stephanie Balaouras is a vice president and research director of security and risk management for Forrester Research. Balaouras leads a team of analysts at Forrester who provide research and advisory services.

