7/26/2019 2015 Forrester Survey
SURVEY
The State of Enterprise Risk Management 2016
By Stephanie Balaouras
More and More Firms Have Formal Enterprise Risk Management Programs
According to our study, 40 percent of firms have a formal enterprise risk management program while another 27 percent say they have a single director or head of risk for select areas but not necessarily a broad enterprise program (see Figure 1). It's clear that more and more firms are making the effort to unite isolated areas of risk management in order to more objectively identify, assess, mitigate, and respond to risks to organizational goals.
Heads of Risk Management Are Reporting Higher into the Organization
Together with more formalized programs, we see the increasing presence of a chief risk officer (CRO), which has not always been common. CROs first started appearing after Basel I was established in the late 80s/early 90s. They were responsible for credit and liquidity risk to make sure financial services firms kept enough capital on hand in the case of major market fluctuations. They then became even more common and prominent as firms had to deal with compliance to Sarbanes-Oxley in 2004 to 2005. In this survey, we found that:
Forrester Research and Disaster Recovery Journal have partnered to field a number of market studies in business continuity (BC), disaster recovery (DR), and overall enterprise risk management (ERM) in order to gather data for company comparison and benchmarking, to guide research, and for the publication of best practices and recommendations for the industry. This is the ninth annual joint survey. This particular study focuses on the state of ERM. Specifically, we designed this study to determine:
ERM roles, responsibilities, and reporting structure.
The relationship of business continuity to ERM.
Crisis response including business continuity crises and other brand and reputational crises.
The solutions firms invest in to facilitate ERM.
DISASTER RECOVERY JOURNAL | WINTER 2016
Thirty-four percent of firms have a CRO. In addition, another 17 percent of firms say they have a single head of business or operational risk. Both trends support the convergence of multiple risk management domains under a single leader (see Figure 2-1).
The head of risk is most likely to report into the office of the CEO. Thirty-two percent report their head of risk reports into the office of the CEO (see Figure 2-2). Where the head of risk management reports dictates the focus of your firm's risk management initiatives. If your head of risk management reports into legal or compliance, the focus of your efforts is obviously on reducing risk from these areas at the lowest possible cost; it's not using ERM as a means to maximize business performance. As more heads of risk management continue to report into senior business leaders, the focus of the program becomes more expansive.
The head of risk reports directly into a C-level executive. It's not only important where your head of risk management reports but how high into the organization. Too far removed from a C-level executive and your head of risk won't have enough influence to affect changes in strategy, operations, and risk mitigation efforts across the firm. He or she will also struggle to garner business participation in risk assessments, response plan development, and response plan simulations. Our survey revealed good news: 78 percent of the heads of risk management report directly into a C-level executive.
ERM Responsibilities Are Increasing
As firms continue to seek to formalize their ERM efforts, they are both unifying and taking on responsibility for additional areas of risk management. According to our study:
Seventy-five percent are fully or mostly responsible for operational risk. Other areas of notable responsibility include regulatory and compliance risk (71 percent) and information security and privacy risk (68 percent) (see Figure 3-1). Most organizations still have dedicated teams for these areas, but the data demonstrates demand to ensure that there is an objective understanding of how these risk areas impact organizational goals and objectives, plus how they affect the organization's risk posture. It's also a reflection that every group has a role to play in responding to these risks. For example, if your firm suffers a data breach, your security incident response team will be responsible for the immediate containment, eradication, and recovery from the attack, but enterprise-wide coordination and crisis communication is best handled by the BC team.
Within operational risk, responsibilities focus on minimizing business disruption. Within operational risk, we see most ERM responsibilities focused on traditional BC crisis events such as business disruptions and workplace safety. Once again, there is an emphasis on legal and compliance risk (see Figure 3-2).
ERM and BC Teams Are Working More Closely Together
Historically, BC teams have coordinated with counterparts in risk management but haven't necessarily taken the extra step to begin collaborating closely on core planning processes such as business impact analysis and risk assessments; this is starting to change. Our survey also found that:
Thirty-seven percent of ERM teams say they report directly into ERM. An additional 29 percent say they work closely with risk management to share information (see Figure 4-1). This trend is reinforced by data from our 2014 State of Business Continuity survey. In that survey, 16 percent of respondents said the CRO was the executive-level BC sponsor; this is a significant increase from 2011 when it was only 9 percent. We expect this trend to continue and for the CRO to eventually become the dominant executive-level sponsor for BC.
ERM teams are involved in the entire BC planning lifecycle. We also see a degree of involvement between risk management professionals and dedicated BC professionals (see Figure 4-2). In fact, as firms continue to consolidate operational risk domains under a single umbrella and make less and less of a distinction between the category of risk to the business and how to identify and prepare for it, we'll see a unified approach to planning from BIAs and risk assessments to plan development and testing.
Documented Response Plans Frequently Focus On Data Integrity
BC pros often have three or four generic plans that address loss of employees, loss of physical facilities, and loss of technology/IT. These impact-based plans assume a critical resource is unavailable and the firm must invoke a given BCP to address it. They are useful because you can't anticipate every possible risk scenario, and this way you at least have a basic plan in place. These are helpful for risk scenarios such as extreme weather or IT outages but they aren't detailed enough to address other types of crises, so the firm has to develop scenario-based plans. In our study:
Most have plans for data tampering, workplace violence, employee misconduct, and privacy breach. Data tampering is a broad category that could include firms deliberately tampering with the results of their own internal tests for a given product or service, but it could also include malicious insiders or external actors stealing or manipulating data for individual gain. Privacy breaches typically focus on security breaches of customers' personal information, which require formal breach notification in most regions of the world, or it could also involve the inappropriate use or transfer of personal information (see Figure 5-1).
Plan exercises occur annually for most risk scenarios but most frequently for data integrity. When it comes to data tampering and privacy breaches, firms are more likely to test these more frequently than other plan types: 27 percent and 20 percent, respectively, say they test these plans more than once per year (see Figure 5-2). They also have the lowest percentage of respondents who say they never test these plans.
Business involvement in simulations remains unacceptably low. Perhaps one of the more disheartening statistics in our study, it turns out that only about one-third of CEOs and representatives bother to participate in plan simulations (see Figure 5-3). This is unfortunate because the CEO sets the tone for the organization, and when it comes to customer-facing or highly public breaches, they'll be under tremendous scrutiny.
A Majority Have Invoked a Response Plan During the Last Five Years
Individuals not involved in enterprise risk management often view risk mitigation efforts and response plans as expensive insurance policies their firms will rarely, if ever, use. However, as is often the case, conventional wisdom is wrong. According to our study, 58 percent of respondents have invoked a response plan at least once during the last five years. According to our study:
Data tampering, employee misconduct, and political or social unrest caused the most frequent invocations. Security pros often remark that there are two types of companies: those that have been breached, and those that don't know yet. It's an apt saying when you consider that 56 percent of firms have had to invoke a plan for data tampering and 38 percent have invoked a plan for a customer privacy breach (see Figure 6-1). Interestingly, 40 percent of firms have had to invoke a plan to deal with political or social unrest. However, this is often the type of plan firms fail to document ahead of time, which means most fall back on generic impact-based plans.
Customer privacy breaches cause the most significant impact to the organization. Just how much impact? Well, consider that in its most recent 10-Q filing, Home Depot reported $232 million in pretax gross expenses attributed to its September 2014 customer
data breach. Breach costs include the cost of the forensic investigation, breach remediation, customer breach notification, and services such as credit monitoring, legal fees, etc. However, the costs don't stop there. Home Depot's costs could continue to rise due to impending lawsuits and future counterfeit fraud claims from card networks.
Six months after the crisis, employee morale and corporate strategy still suffered. In addition to the direct costs attributed to the immediate response to the crisis, the firm will feel the impact for some time. According to our study, six months after a crisis, respondents report that the cost of dealing with the crisis forced them to re-prioritize other strategic investments and that it was still having an effect on employee morale (see Figure 6-2). It's a cycle that can feed itself. Employees are likely demoralized from dealing with the aftermath of the crisis or repeatedly seeing the firm's name in the news. Having to delay or forego strategic investments further feeds this demoralization.
Technology Focuses On Communication and Core Planning
Unfortunately in risk management, there is no single solution that provides all of the capabilities you need for: 1) the upfront planning (business impact analysis and risk assessment); 2) the plan development (document, maintain, and test plans); and 3) the incident or crisis response itself (real-time collaboration, communication, and decision-making based on internal and external information). Even within these areas, there are tools that specialize in delivering specific functionality, for example, automated communication solutions that provide reliable mass and two-way communication, or geospatial risk mapping and visualization tools that overlay multiple data feeds (e.g., social media, weather data, surveillance cameras, access points, etc.) onto maps to add risk context during incident/crisis response. In our survey:
New investment is going to automated communication and BC planning software. Firms tend to invest in automated communication services because the scale, reliability, and other functionality of these solutions is almost impossible to duplicate with internal tools. Communication is also one of the areas that firms struggle with during an incident/crisis. For some time, investment in BC planning software had plateaued because there wasn't much innovation in the software. Most vendors focused on delivering the core planning capabilities but lacked real-time incident/crisis management functionality. Planning still remains the core value proposition but many vendors have begun expanding focus to
include vendor risk management and improve their incident/crisis response. According to our study, 32 percent of respondents plan to implement new deployments or expand existing deployments of their automated communication and 32 percent plan similar investments for BC planning software (see Figure 7).
Most risk management pros haven't made up their minds. Perhaps just as notable as what respondents say they plan to invest in is the fact that so many of them still haven't made up their minds if they would deploy a given solution, or even understand what functionality the solution provides. For example, 15 percent of respondents replied "don't know" on the question of GRC platform investment or investing to secure a risk intelligence provider.
Study Methodology
In the Fall of 2015, Forrester Research and Disaster Recovery Journal (DRJ) conducted an online survey of 188 DRJ members and Forrester clients. In this survey:
All respondents indicated they were decision-makers, influencers, or contributors to their firms' risk management activities.
Respondents were from a range of company sizes: 40 percent had 1 to 999 employees; 23 percent had 1,000 to 4,999 employees; 13 percent had 5,000 to 19,999 employees; and 25 percent had 20,000 or more employees.
Respondents were from companies with a range of revenues: 46 percent of respondents were from companies with revenues of less than $500 million; 12 percent were from companies with revenues of $500 million to $999 million; 21 percent were from companies with revenues of $1 billion to $4.99 billion; 4 percent were from companies with revenues of $5 billion to $10 billion; and 18 percent were from companies with revenues of more than $10 billion.
Respondents were from a variety of industries.
Respondents were primarily from North America but there was representation from Europe, the Middle East, Africa, and Asia. Many companies had business operations in multiple regions: 84 percent of respondents had locations in North America; 11 percent had locations in Europe, the Middle East, or Africa; 4 percent had locations in Asia; and 1 percent had locations in South America.
This survey used a self-selected group of respondents (DRJ members and Forrester clients) and is therefore not random. These respondents are more sophisticated than the average. They read and participate in business continuity and disaster recovery publications, online discussions, etc. They have above-average knowledge of best practices and technology in BC/DR and enterprise risk management. While nonrandom, the survey is still a valuable tool in understanding where advanced users are today and where the industry is headed.
Stephanie Balaouras is a vice president and research director of security and risk management for Forrester Research. Balaouras leads a team of analysts at Forrester who provide research and advisory services.