More threats to data, privacy are the top concerns of risk managers and are becoming “the new normal.”

Enterprises around the world are being barraged by risk events, according to a report released Wednesday by Forrester. The State of Risk Management 2022 report, which is based on a survey of 360 enterprise risk management decision makers in North America and Europe, found that 41% of organizations have experienced three or more critical risk events in the last 12 months.

Risk events, incidents and disruptions have become so frequent that the increased level of risk is the “new normal,” Forrester reported. Nearly half the participants in the survey (44%) confirmed that enterprise risk has increased over the last year, although that varies by region. For example, 64% of North American respondents confirmed an increase in risk, while only 37% of European respondents did.

When the enterprise risk management (ERM) pros were asked what risks had the potential to most impact their enterprises, information security risks (32%) topped the list, followed by risks to data privacy (28%). However, Forrester noted, that varied from industry to industry. Industries that depend on supply chains such as retailers and wholesalers picked supply chain risks as their primary concern, while industries targeted by ransomware such as manufacturing say their primary concern is information security.

Risk management can help accelerate innovation

Decision makers participating in the survey identified several challenges to managing risk. Risk management impeding innovation was a primary challenge in 27% of the enterprises in the survey. Almost a quarter of the respondents (24%) say risk management slows down decision-making, while 17% say it doesn’t consider business objectives.

“If you’re thinking about risk management at the very end of the process, it can impact decisions, especially decisions to move forward with something, but when risk management is part of the ideation as well as the execution, it does not slow down innovation,” says Forrester Senior Analyst Alla Valente, one of the authors of the report. “In fact, it can help accelerate it, because you’re not putting out a product that you may need to later fix, patch, or possibly recall.”

Compliance is your floor, not your ceiling

The Forrester report also found that although regulatory compliance remains a critical or high priority for 76% of those surveyed, it falls just behind the “ability to stress-test risk scenarios” (78%) as the top risk priority over the next 12 months.

“Companies are using risk management to become more resilient, not to just meet compliance obligations,” Valente says. “Compliance is your floor, not your ceiling. It’s the minimum you have to do to operate. Risk management is how you maintain your resilience, how you make good on your promises to serve your customers no matter what the crisis.”

Misperception that we manage risk to get rid of risk

As compliance gives way to resilience, the report notes, the ERM pros say their organizations have benefited in a number of ways, including increased responsiveness to incidents or risk events (26%), enabling employees to make faster (26%) or better (24%) day-to-day risk-based decisions (26%), and increased ability to protect assets, environments, and systems that are critical to their business (23%).

“There is a widely held misperception that we manage risk to get rid of risk. That risk is all bad. That’s not the case,” Valente says. “We manage risk so we can understand what are the risks we need to take and at what cost. You don’t want to take a big risk for a small reward.”

“For companies to grow and innovate and be leaders in their markets,” Valente adds, “they need to make big, bold decisions.
Those decisions carry risks. So, risk is necessary for growth and innovation.”