Organizations Are Making ERM Progress, but There's Work To Be Done

Risk Assessment

March 13, 2023


As business risks grow more complex, many risk leaders are taking too narrow a view of the systemic risks facing their organizations, a new examination of businesses' enterprise risk management (ERM) progress suggests.

A survey conducted by Forrester Consulting and commissioned by artificial intelligence (AI) firm Dataminr found that fewer than a third of risk leaders surveyed (31 percent) completely agreed that risks to their businesses can come from anywhere.

"Yet the rise of digital business only opens up more opportunities for incidents to occur as more employees and third-party partners access critical business systems virtually, as climate risk increases the intensity and frequency of natural disasters, as cloud adoption grows, and as customer experience and customer expectations can make or break a brand," Forrester says in its study, Constant Disruption Is the New Status Quo.

Forrester surveyed 500 risk leaders for its study aimed at evaluating the state of enterprise risk management at midsize to large businesses in the North America, Europe, and Asia-Pacific (APAC) regions. The survey found that organizations encounter significant organizational, strategic, and technological barriers as they look to implement effective ERM strategies.

The study also found nearly 70 percent of respondents reporting that their organizations had experienced at least 2 separate critical risk events in the past year, while more than 40 percent experienced at least 3 such incidents, and 20 percent suffered 6 or more.

"The events of the past 3 years have wreaked havoc on even the best-laid business plans," the March 9, 2023, Forrester report says. "These times have brought into focus how inadequate our collective ability to discover and manage major risk events can be in the face of rapid change."

Of the risk leaders surveyed, 59 percent reported being concerned or highly concerned about 10 or more types of business risks today, Forrester says, though, on average, they're actively tracking or monitoring just 6 categories.

Forrester's research revealed that while risk strategies have advanced significantly in recent years, they still have a long way to go. Only 36 percent of survey respondents' organizations have a C-suite champion leading risk management, Forrester found. "Progress towards shoring up risk exposure is hampered by a lack of participation and alignment with other business groups, poorly integrated technologies, and confusion around aligning risk monitoring with response effectiveness," the report says.

Cyber security and real-time alerting capabilities will be major areas of focus for organizations going forward, Forrester says. Survey respondents most often cited cyber-risk tools and real-time alerting capabilities as the most critical features their organization's next risk management platform must include.

The report notes that successful ERM implementations are driven by an alignment of leadership, vision, and technology. "It's critical that firms empower leaders to work across the enterprise and better understand and avert the impacts of systemic risk on the business," the report says. "As they do so, these leaders will require powerful, integrated technology that can improve program effectiveness and response times."

While increased digitalization has led business to become more interconnected and dispersed around the world, it's also diversified risks and heightened the risk of systemic disruptions, Forrester says.

"These physical and virtual interconnections between the complex networks of partners, suppliers, employees, and customers mean the impact of seemingly isolated events like adverse weather, natural disasters, or ransomware attacks against a service provider isn't limited or contained at operational risk," the report says. "Rather, they threaten systemic repercussions across all elements of the enterprise, including [customer experience], brand reputation, regulatory penalties, and lost revenue."

But Forrester's survey found risk leaders struggling to respond to that new reality with comprehensive strategies that recruit, engage, and empower stakeholders across their organizations.

The survey did find that leaders have shown real, though limited, progress recently in how they identify and categorize risk. Compared to 2 years ago, risk leaders today are 71 percent more likely to describe their approach as centered around dynamic risk taxonomies and registers that leverage multiple internal and external sources to frequently review and update the risks the organization is actively looking for, Forrester says.

The Forrester study also sought to evaluate the effectiveness of respondents' ERM strategies across five essential competencies: the ability to identify, evaluate, monitor, respond, and communicate. The combination of those competencies allows firms to keep up with the rise in business, ecosystem, and systemic risks they face, the report says.

Looking across those competencies, Forrester found that the risk leaders surveyed lacked confidence in their organizations' current strategies' abilities to manage risk. Only 40 percent indicated that their current strategies are effective across at least 4 of the 5 competencies, Forrester says, while only 18 percent reported having strategies that were effective across all 5.

"Fundamentally, study data reveals that misalignment is most to blame, and it takes three primary forms: organizational misalignment, misaligned priorities and visibility, and technological misalignment," the Forrester study says.

Forrester also notes that while the goals of an ERM program of effectively balancing both near- and long-term risks across the organization and its stakeholders are best accomplished under the leadership of an empowered executive, only 36 percent of survey respondents reported their organization has a formal ERM program led by a chief risk officer or equivalent.

Ultimately, Forrester's survey led to several key recommendations. Among them, firms should audit their risk management strategies, the report says, while firms just beginning their ERM journey should focus on removing silos, increasing coordination, and laying the groundwork for automation.

Organizations at an intermediate point in their ERM development should focus on improving strategy and consolidating technology investments, Forrester says. Meanwhile, organizations at an advanced point on their ERM journey should focus on continuous optimization and demonstrating how the business is prepared to respond to evolving risks, the report says.
