SURVEY

The State of Enterprise Risk Management 2016
By Stephanie Balaouras

Forrester Research and Disaster Recovery Journal have partnered to field a number of market studies in business continuity (BC), disaster recovery (DR), and overall enterprise risk management (ERM) in order to gather data for company comparison and benchmarking, to guide research, and for the publication of best practices and recommendations for the industry. This is the ninth annual joint survey. This particular study focuses on the state of ERM. Specifically, we designed this study to determine:
• ERM roles, responsibilities, and reporting structure.
• The relationship of business continuity to ERM.
• Crisis response, including business continuity crises and other brand and reputational crises.
• The solutions firms invest in to facilitate ERM.

More and More Firms Have Formal Enterprise Risk Management Programs
According to our study, 40 percent of firms have a formal enterprise risk management program, while another 27 percent say they have a single director or head of risk for select areas but not necessarily a broad enterprise program (see Figure 1). It's clear that more and more firms are making the effort to unite isolated areas of risk management in order to more objectively identify, assess, mitigate, and respond to risks to organizational goals.
Heads of Risk Management Are Reporting Higher into the Organization
Together with more formalized programs, we see the increasing presence of a chief risk officer (CRO), which has not always been common. CROs first started appearing after Basel I was established in the late 80s/early 90s. They were responsible for credit and liquidity risk, to make sure financial services firms kept enough capital on hand in the case of major market fluctuations. They then became even more common and prominent as firms had to deal with compliance to Sarbanes-Oxley in 2004 to 2005. In this survey, we found that:

DISASTER RECOVERY JOURNAL | WINTER 2016

• Thirty-four percent of firms have a CRO. In addition, another 17 percent of firms say they have a single head of business or operational risk. Both trends support the convergence of multiple risk management domains under a single leader (see Figure 2-1).
• The head of risk is most likely to report into the office of the CEO. Thirty-two percent report their head of risk reports into the office of the CEO (see Figure 2-2). Where the head of risk management reports dictates the focus of your firm's risk management initiatives. If your head of risk management reports into legal or compliance, the focus of your efforts is obviously on reducing risk from these areas at the lowest possible cost; it's not using ERM as a means to maximize business performance. As more heads of risk management continue to report into senior business leaders, the focus of the program becomes more expansive.
• The head of risk reports directly into a C-level executive. It's not only important where your head of risk management reports but how high into the organization. Too far removed from a C-level executive and your head of risk won't have enough influence to affect changes in strategy, operations, and risk mitigation efforts across the firm. He or she will also struggle to garner business participation in risk assessments, response plan development, and response plan simulations. Our survey revealed good news: 78 percent of the heads of risk management report directly into a C-level executive.

ERM Responsibilities Are Increasing
As firms continue to seek to formalize their ERM efforts, they are both unifying and taking on responsibility for additional areas of risk management. According to our study:
• Seventy-five percent are fully or mostly responsible for operational risk. Other areas of notable responsibility include regulatory and compliance risk (71 percent) and information security and privacy risk (68 percent) (see Figure 3-1). Most organizations still have dedicated teams for these areas, but the data demonstrates demand to ensure that there is an objective understanding of how these risk areas impact organizational goals and objectives, plus how they affect the organization's risk posture. It's also a reflection that every group has a role to play in responding to these risks. For example, if your firm suffers a data breach, your security incident response team will be responsible for the immediate containment, eradication, and recovery from the attack, but enterprise-wide coordination and crisis communication is best handled by the BC team.

• Within operational risk, responsibilities focus on minimizing business disruption. Within operational risk, we see most ERM responsibilities focused on traditional BC crisis events such as business disruptions and workplace safety. Once again, there is an emphasis on legal and compliance risk (see Figure 3-2).

ERM and BC Teams Are Working More Closely Together
Historically, BC teams have coordinated with counterparts in risk management but haven't necessarily taken the extra step to begin collaborating closely on core planning processes such as business impact analysis and risk assessments; this is starting to change. Our survey also found that:
• Thirty-seven percent of ERM teams say they report directly into ERM. An additional 29 percent say they work closely with risk management to share information (see Figure 4-1). This trend is reinforced by data from our 2014 State of Business Continuity. In that survey, 16 percent of respondents said the CRO was the executive-level BC sponsor; this is a significant increase from 2011, when it was only 9 percent. We expect this trend to continue and for the CRO to eventually become the dominant executive-level sponsor for BC.
• ERM teams are involved in the entire BC planning lifecycle. We also see a degree of involvement between risk management professionals and dedicated BC professionals (see Figure 4-2). In fact, as firms continue to consolidate operational risk domains under a single umbrella and make less and less of a distinction between the category of risk to the business and how to identify and prepare for it, we'll see a unified approach to planning, from BIAs and risk assessments to plan development and testing.

Documented Response Plans Frequently Focus on Data Integrity
BC pros often have three or four generic plans that address loss of employees, loss of physical facilities, and loss of technology/IT. These impact-based plans assume a critical resource is unavailable and the firm must invoke a given BCP to address it. They are useful because you can't anticipate every possible risk scenario, and this way you at least have a basic plan in place. These are helpful for risk scenarios such as extreme weather or IT outages, but they aren't detailed enough to address other types of crises, so the firm has to develop scenario-based plans. In our study:

• Most have plans for data tampering, workplace violence, employee misconduct, and privacy breach. Data tampering is a broad category that could include firms deliberately tampering with the results of their own internal tests for a given product or service, but it could also include malicious insiders or external actors stealing or manipulating data for individual gain. Privacy breaches typically focus on security breaches of customers' personal information, which require formal breach notification in most regions of the world, or could also involve the inappropriate use or transfer of personal information (see Figure 5-1).
• Plan exercises occur annually for most risk scenarios but most frequently for data integrity. When it comes to data tampering and privacy breaches, firms are more likely to test these more frequently than other plan types: 27 percent and 20 percent, respectively, say they test these plans more than once per year (see Figure 5-2). They also have the lowest percentage of respondents who say they never test these plans.
• Business involvement in simulations remains unacceptably low. Perhaps one of the more disheartening statistics in our study, it turns out that only about one-third of CEOs and representatives bother to participate in plan simulations (see Figure 5-3). This is unfortunate because the CEO sets the tone for the organization, and when it comes to customer-facing or highly public breaches, they'll be under tremendous scrutiny.

A Majority Have Invoked a Response Plan During the Last Five Years
Individuals not involved in enterprise risk management often view risk mitigation efforts and response plans as expensive insurance policies their firms will rarely, if ever, use. However, as is often the case, conventional wisdom is wrong. According to our study, 58 percent of respondents have invoked a response plan at least once during the last five years. According to our study:
• Data tampering, employee misconduct, and political or social unrest caused the most frequent invocations. Security pros often remark there are two types of companies: those that have been breached, and those that don't know yet. It's an apt saying when you consider that 56 percent of firms have had to invoke a plan for data tampering and 38 percent have invoked a plan for a customer privacy breach (see Figure 6-1). Interestingly, 40 percent of firms have had to invoke a plan to deal with political or social unrest. However, this is often the type of plan firms fail to document ahead of time, which means most fall back on generic impact-based plans.
• Customer privacy breaches cause the most significant impact to the organization. Just how much impact? Well, consider that in its most recent 10-Q filing, Home Depot attributed $232 million in pretax gross expenses to its September 2014 customer data breach. Breach costs include the cost of the forensic investigation, breach remediation, customer breach notification, and services such as credit monitoring, legal fees, etc. However, the costs don't stop there. Home Depot's costs could continue to rise due to impending lawsuits and future counterfeit fraud claims from card networks.
• Six months after the crisis, employee morale and corporate strategy still suffered. In addition to the direct costs attributed to the immediate response to the crisis, the firm will feel the impact for some time. According to our study, six months after a crisis, respondents report the cost of dealing with the crisis forced them to re-prioritize other strategic investments and that it was still having an effect on employee morale (see Figure 6-2). It's a cycle that can feed itself. Employees are likely demoralized from dealing with the aftermath of the crisis or repeatedly seeing the firm's name in the news. Having to delay or forego strategic investments further feeds this demoralization.

Technology Focuses on Communication and Core Planning
Unfortunately, in risk management there is no single solution that provides all of the capabilities you need for: 1) the upfront planning (business impact analysis and risk assessment); 2) the plan development (document, maintain, and test plans); and 3) the incident or crisis response itself (real-time collaboration, communication, and decision-making based on internal and external information). Even within these areas, there are tools that specialize in delivering specific functionality, for example, automated communication solutions that provide reliable mass and two-way communication, or geospatial risk mapping and visualization tools that overlay multiple data feeds (e.g., social media, weather data, surveillance cameras, access points, etc.) onto maps to add risk context during incident/crisis response. In our survey:
• New investment is going to automated communication and BC planning software. Firms tend to invest in automated communication services because the scale, reliability, and other functionality of these solutions is almost impossible to duplicate with internal tools. Communication is also one of the areas that firms struggle with during an incident/crisis. For some time, investment in BC planning software had plateaued because there wasn't much innovation in the software. Most vendors focused on delivering the core planning capabilities but lacked real-time incident/crisis management functionality. Planning still remains the core value proposition, but many vendors have begun expanding focus to include vendor risk management and improve their incident/crisis response. According to our study, 32 percent of respondents plan to implement new deployments or expand existing deployments of their automated communication and 32 percent plan similar investments for BC planning software (see Figure 7).
• Most risk management pros haven't made up their minds. Perhaps just as notable as what respondents say they plan to invest in is the fact that so many of them still haven't made up their minds whether they would deploy a given solution, or even understand what functionality the solution provides. For example, 15 percent of respondents replied "don't know" on the question of GRC platform investment or investing to secure a risk intelligence provider.

Study Methodology
In the fall of 2015, Forrester Research and Disaster Recovery Journal (DRJ) conducted an online survey of 188 DRJ members and Forrester clients. In this survey:
• All respondents indicated they were decision-makers, influencers, or contributors to their firm's risk management activities.
• Respondents were from a range of company sizes: 40 percent had 1 to 999 employees; 23 percent had 1,000 to 4,999 employees; 13 percent had 5,000 to 19,999 employees; and 25 percent had 20,000 or more employees.
• Respondents were from companies with a range of revenues: 46 percent of respondents were from companies with revenues of less than $500 million; 12 percent were from companies with revenues of $500 million to $999 million; 21 percent were from companies with revenues of $1 billion to $4.99 billion; 4 percent were from companies with revenues of $5 billion to $10 billion; and 18 percent were from companies with revenues of more than $10 billion.
• Respondents were from a variety of industries.
• Respondents were primarily from North America, but there was representation from Europe, the Middle East, Africa, and Asia. Many companies had business operations in multiple regions: 84 percent of respondents had locations in North America; 11 percent had locations in Europe, the Middle East, or Africa; 4 percent had locations in Asia; and 1 percent had locations in South America.
This survey used a self-selected group of respondents (DRJ members and Forrester clients) and is therefore not random. These respondents are more sophisticated than the average. They read and participate in business continuity and disaster recovery publications, online discussions, etc. They have above-average knowledge of best practices and technology in BC/DR and enterprise risk management. While nonrandom, the survey is still a valuable tool in understanding where advanced users are today and where the industry is headed.

Stephanie Balaouras is a vice president and research director of security and risk management for Forrester Research. Balaouras leads a team of analysts at Forrester who provide research and advisory services.
