Forrester Consulting, part of independent research firm Forrester Research, found that only 30 percent of business and government entities are very confident they can handle the increasing complexity of risk management in the future. The survey, which polled nearly 470 risk, security and business continuity executives across mid-size to large enterprises, government and education entities, also cites misaligned priorities, technology missteps and lack of proactivity as key reasons why organizations are unprepared.

The study, Failing to Plan is Planning to Fail, found that while 99 percent of organizations experienced a critical event (e.g., catastrophic weather, an active assailant or a cyber-attack) in the last 18 months, only 30 percent of organizations are very confident they can handle increasing risk complexity and just 38 percent of respondents cite “becoming more proactive” among their critical event management goals. The study also reveals that too many organizations are unaware of, let alone prepared to tackle, the new face of risk today.

Key findings include:

  • Organizations are overconfident in their ability to respond to incidents: Fewer than half of respondents believe risk management complexity will increase in the next two years, despite the rise in critical events.
  • Risk monitoring is inconsistent and insufficient today: More than 50 percent of respondents believe their organizations are ineffective at responding across critical risk categories.
  • Organizations lack the tools to be proactive: Current security stacks make it harder to monitor and effectively respond to incidents — 44 percent lack risk intelligence, more than half lack security analytics, and 63 percent don’t have governance, risk and compliance (GRC).
  • Critical event management is siloed: Organizations are still very likely to silo critical event management (CEM) today. Only 17 percent have tapped an enterprise risk management (ERM) team to lead CEM and just 1 percent distribute responsibility across their organizations.
  • Strong, proactive CEM strategies improve operations: Without an effective strategy to proactively respond to crises, organizations experience negative impacts to their operations and reputation. Organizations with a strong CEM strategy are five times as likely to have an effective or optimized response to all manner of business risk, including information security, travel, employee risk, data privacy, and risk that impacts customer experiences.
  • All the respondents in the study agreed that improving CEM would deliver better business and customer outcomes for their firm, and they were most likely to say that improving risk intelligence and critical communications are the two CEM capabilities that would most improve their firm’s response to recent incidents they experienced.

Using data from its findings, Forrester recommends evaluating your CEM capabilities and maturity to better prepare for the next incident that will inevitably occur; drive interoperability across your firm’s CEM stack for faster and more effective response; and combine internal data, external intelligence and predictive analytics to continually monitor threats, risk events and changes in the business environment. 

“Risk and organizational resilience are now board-level conversations,” said Mark Herrington, CEO, OnSolve. “As organizational risk becomes increasingly complex, businesses need to prepare to handle the inherent ripple effect it has on their people, places and property. Today’s news underscores the importance of having an effective resilience strategy fortified by advanced technology in place to proactively respond to crises and disasters before they impact a company’s bottom line.”