The State of Enterprise Risk Management 2016

Transcription

1 S URVEY The State of Enterprise Risk Management 2016 Photo by cassis Fotolia.com By Stephanie Balaouras

2 Forrester Research and Disaster Recovery Journal have partnered to field a number of market studies in business continuity (BC), disaster recovery (DR), and overall enterprise risk management (ERM) in order to gather data for company comparison and benchmarking, to guide research, and for the publication of best practices and recommendations for the industry. This is the ninth annual joint survey. This particular study focuses on the state of ERM. Specifically, we designed this study to determine: n ERM roles, responsibilities, and reporting structure. n The relationship of business continuity to ERM. n Crisis response including business continuity crises and other brand and reputational crises. n The solutions firms invest in to facilitate ERM. More and More Firms Have Formal Enterprise Risk Management Programs According to our study, 40 percent of firms have a formal enterprise risk management program while another 27 percent say they have a single director or head of risk for select areas but not necessarily a broad enterprise program (see Figure 1). It s clear that more and more firms are making the effort to unite isolated areas of risk management in order to more objectively identify, assess, mitigate, and respond to risks to organizational goals. Heads of Risk Management are Reporting Higher into the Organization Together with more formalized programs, we see the increasing presence of a chief risk officer (CRO), which has not always been common. CROs first started appearing after Basel I was established in the late 80s/early 90s. They were responsible for credit and liquidity risk to make sure financial services firms kept enough capital on hand in the case of major market fluctuations. They then became even more common and prominent as firms had to deal with compliance to Sarbanes-Oxley in 2004 to In this survey, we found that: DISASTER RECOVERY JOURNAL WINTER

3 n Thirty-four percent of firms have a CRO. In addition, another 17 percent of firms say they have a single head of business or operational risk. Both trends support the convergence of multiple risk management domains under a single leader (see Figure 2-1). n The head of risk is most likely to report into the office of the CEO. Thirty-two percent report their head of risk reports into the office of the CEO (see Figure 2-2). Where the head of risk management reports dictates the focus of your firm s risk management initiatives. If your head of risk management reports into legal or compliance, the focus of your efforts is obviously on reducing risk from these areas at the lowest possible cost, it s not using ERM as a means to maximize business performance. As more heads of risk management continue to report into senior business leaders, the focus of the program becomes more expansive. n The head of risk reports directly into a C-level executive. It s not only important where you head of risk management reports but how high into the organization. Too far removed from a C-level executive and your head of risk won t have enough influence to affect changes in strategy, operations, and risk mitigation efforts across the firm. He or she will also struggle to garner business participation in risks assessments, response plan development, and response plan simulations. Our survey revealed good news: 78 percent of the heads of risk management report directly into a C-level executive. ERM Responsibilities Are Increasing As firms continue to seek formalize their ERM efforts, they are both unifying and taking on responsibility for additional areas of risk management. According to our study: n Seventy-five percent are fully or mostly responsible for operational risk. Other areas of notable responsibility include regulatory and compliance risk (71 percent) and information security and privacy risk (68 percent) (see Figure 3-1). Most organizations still have dedicated teams for these areas, but the data demonstrates demand to ensure that there is an objective understanding of these risk areas impact organizational goals and objectives, plus, how they affect the organization s risk posture. It s also a reflection that every group has a role to play in responding to these risks. For example, if your firm suffers a data breach, your security incident response team will be responsible for the immediate containment, eradication, and recovery from the attack, but enterprise-wide coordination and crisis communication is best handled by the BC team. 3 DISASTER RECOVERY JOURNAL WINTER 2016

4 n Within operational risk, responsibilities focus on minimizing business disruption. Within operational risk, we see most ERM responsibilities focused on traditional BC crisis events such as business disruptions and workplace safety. Once again, there is an emphasis on legal and compliance risk (see Figure 3-2). ERM and BC Teams are Working More Closely Together Historically, BC teams have coordinated with counterparts in risk management but haven t necessarily taken the extra step to begin collaborating closely on core planning processes such as business impact analysis and risk assessments; this is starting to change. Our survey also found that: n Thirty-seven percent of ERM teams say they report directly into ERM. An additional 29 percent say they work closely with risk management to share information (see Figure 4-1). This trend is reinforce from data from our 2014 State of Business Continuity. In that survey, 16 percent of respondents said the CRO was the executive-level BC sponsor; this is a significant increase from 2011 when it was only 9 percent. We expect this trend to continue and for the CRO to eventually become the dominant executive-level sponsor for BC. n ERM teams are involved in the entire BC planning lifecycle. We also see a degree of involvement between risk management professionals and dedicated BC professionals. (See Figure 4-2). In fact, as firms continue to consolidate operational risk domains under a single umbrella and make less and less of distinction between the category of risk to the business and how to identity and prepare for it, we ll see a unified approach to planning from BIAs and risk assessments to plan development and testing. Documented Response Plans Frequently Focus On Data Integrity BC pros often have three or four generic plans that address loss of employees, loss of physical facilities, and loss of technology/it. These impact-based plans assume a critical resource is unavailable and the firm must invoke a given BCP to address it. They are useful because you can t anticipate every possible risk scenario, and this way you at least have a basic plan in place. These are helpful for risk scenarios such as extreme weather or IT outages but they aren t detailed enough to address other types of crises so the firm has to develop scenario-based plans. In our study: DISASTER RECOVERY JOURNAL WINTER

5 n Most have plans for data tampering, workplace violence, employee misconduct, and privacy breach. Data tampering is a broad category that could include firms deliberately tampering with the results of their own internal test for a given product or service, but it could also include malicious insiders or external actors stealing or manipulating data for individual gain. Privacy breaches typically focus on security breaches of customers personal information which require formal breach notification in most regions of the world or it could also involve the inappropriate use or transfer of personal information (see Figure 5-1). n Plan exercises occur annually for most risk scenarios but most frequently for data integrity. When it comes to data tampering and privacy breaches, firms are more likely to test these more frequently than other plan types, 27 percent and 20 percent say they test these plans more than once per year (see Figure 5-2). They also have the lowest percentage of respondents who say they never test these plans. n Business involvement in simulations remains unacceptably low. Perhaps one of the more disheartening statistics in our study, it turns out that only about one-third of CEOs and representatives bother to participate in plan simulations (see Figure 5-3). This is unfortunate because the CEO sets the tone for the organization and when it comes to customerfacing or highly public breaches, they ll be under tremendous scrutiny. A Majority Have Invoked a Response Plan During the Last Five Years Individuals not involved in enterprise risk management often view risk mitigation efforts and response plans as expensive insurance policies their firms will rarely, or ever, use. However, as is often the case, conventional wisdom is wrong. According to our study, 58 percent of respondents have invoked a response plan at least once during the last five years. According to our study: n Data tampering, employee misconduct, and political or social unrest caused the most frequent invocations. Security pros often remark there are two types of companies: those that have been breached, and those that don t know yet. It s an apt saying when you consider that 56 percent of firms have had to invoke a plan for data tampering and 38 percent have invoked a plan for a customer privacy breach (see Figure 6-1). Interestingly, 40 percent of firms have had to invoke a plan to deal with political or social unrest. However, this is often the type of plan firms fail to document ahead of time, which means most fall back on generic impactbased plans. n Customer privacy breaches cause the most significant impact to the organization. Just how much impact? Well consider that in its most recent 10Q filing, Home Depot attributed $232 million in pretax gross expenses attributed to its September 2014 customer 5 DISASTER RECOVERY JOURNAL WINTER 2016

6 data breach. Breach costs include the cost of the forensic investigation, breach remediation, customer breach notification, and services such as credit monitoring, legal fees etc. However, the costs don t stop there. Home Depot s costs could continue to rise due to impending lawsuits and future counterfeit fraud claims from card networks. n Six months after the crisis, employee morale and corporate strategy still suffered. In addition to the direct costs attributed to the immediate response to the crises, the firm will feel the impact for some time. According to our study, six months later after a crisis, respondents report the cost of dealing with the crises forced them to re-prioritize other strategic investments and that it was still having an effect on employee morale (see Figure 6-2). It s a cycle that can feed itself. Employees are likely demoralized from dealing with the aftermath of the crises or repeatedly seeing the firm s name in the news. Having to delay or forego strategic investments further feeds this demoralization. Technology Focuses On Communication and Core Planning Unfortunately in risk management, there is no single solution that provides all of the capabilities you need for: 1) the upfront planning (business impact analysis and risk assessment); 2) the plan development (document, maintain, and test plans); and 3) the incident or crisis response itself (real-time collaboration, communication, and decision-making based on internal and external information). Even with these areas, there are tools that specialize in delivering specific functionality, for example, automated communication solutions that provide reliable mass and two way, communication or geospatial risk mapping and visualization tool that overlay multiple data feeds (e.g., social media, weather data, surveillance cameras, access points, etc.) onto the maps to add risk context during incident/crisis response. In our survey: n New investment is going to automated communication and BC planning software. Firms tend to invest in automated communication services because the scale, reliability, and other functionality of these solutions is almost impossible to duplicate with internal tools. Communication is also one of the areas that firms struggle with during an incident/crisis. For some time, investment in BC planning software had plateaued because there wasn t much innovation in the software. Most vendors focused on delivering the core planning capabilities but lacked real-time incident/crisis management functionality. Planning still remains the core value proposition but many vendors have begun expanding focus to DISASTER RECOVERY JOURNAL WINTER

7 include vendor risk management and improve their incident/crisis response. According to our study, 32 percent of respondents plan to implement new deployments or expand existing deployments of their automated communication and 32 percent plan similar investments for BC planning software (see Figure 7) n Most risk management pros haven t made up their minds. Perhaps just as notable as what respondents say they plan to invest in is the fact that so many of them still haven t made up their minds if they would deploy a given solution, or even understand what functionality the solution provides. For example, 15 percent of respondents replied don t know on the question of GRC platform investment or investing to secure a risk intelligence provider. Study Methodology In the Fall of 2015, Forrester Research and Disaster Recovery Journal (DRJ) conducted an online survey of 188 DRJ members and Forrester clients. In this survey: n All respondents indicated they were decisionmakers, influencers, or contributors to their firm s risk management activities. n Respondents were from a range of company sizes: 40 percent had 1 to 999 employees; 23 percent had 1,000 to 4,999 employees; 13 percent had 5,000 to 19,999 employees; and 25 percent had 20,000 or more employees. n Respondents were from companies with a range of revenues: 46 percent of respondents were from companies with revenues of less than $500 million; 12 percent were from companies with revenues of $500 million to $999 million; 21 percent were from companies with revenues of $1 billion to $4.99 billion; 4 percent were from companies with revenues of $5 billion to $10 billion; and 18 percent were from companies with revenues of more than $10 billion. n Respondents were from a variety of industries. n Respondents were primarily from North America but there was representation from Europe, the Middle East, Africa, and Asia. Many companies had business operations in multiple regions: 84 percent of respondents had locations in North America; 11 percent had locations in Europe, Middle East, or Africa; 4 percent had locations in Asia; and 1 percent had locations in South America. This survey used a self-selected group of respondents (DRJ members and Forrester clients) and is therefore not random. These respondents are more sophisticated than the average. They read and participate in business continuity and disaster recovery publications, online discussions, etc. They have aboveaverage knowledge of best practices and technology in BC/DR and enterprise risk management. While nonrandom, the survey is still a valuable tool in understanding where advanced users are today and where the industry is headed. v Stephanie Balarous is a vice president and research director of security and risk management for Forrester Research. Balarous leads a team of analysts at Forrester who provide research and advisory services. 7 DISASTER RECOVERY JOURNAL WINTER 2016