According to the 2015 International Business Resiliency Survey, conducted by Marsh and the Disaster Recovery Institute International (DRII), firms consider cyber and IT-related risks to be the most likely to occur and have the greatest potential impact on their operations.
Marsh, in collaboration with DRII, surveyed nearly 200 C-suite executives, risk professionals and business continuity managers from large and medium-sized corporations internationally about their organizations’ attitudes toward business risks and the risk mitigation processes they have in place. The survey results indicate that organizations are better positioned to address traditional than non-traditional risks and that risk managers and CEOs have different perceptions about the severity and control measures in place for various risks facing their organizations.
Among 10 suggested risk scenarios, the top risks in terms of impact and likelihood are: reputational damage from a sensitive data breach (impact 79 percent, likelihood 79 percent); the failure in a main IT data center / centre (impact 59 percent - likelihood 77 percent); and online services being unavailable due to a cyber attack (impact 58 percent - likelihood 77 percent).
According to the survey, CEOs overestimate their levels of protection for the most likely and high-impact risks: 28 percent stated they have dedicated insurance coverage against cyber attacks and 21 percent stated they have dedicated insurance protection for reputation damage after a data breach. However, only 6 percent of risk managers stated that they have dedicated coverage for these risks.
Three out of four respondents considered the failure of IT systems as one of two areas that could have the greatest impact on their organization’s reputation, along with the lack of crisis management planning. Both CEOs and risk managers identified IT system failure prevention (29 percent) as the most important area to invest in, with CEOs also highlighting intellectual property protection (25 percent). However, CEOs placed far less importance on the resiliency of IT systems (60 percent) in relation to reputation management.
In terms of preparedness, the majority of organizations believe they are better positioned to deal with traditional than non-traditional risks: respondents rated the level of resilience of their organizations to be high for natural catastrophes and IT system failure (40 percent and 44 percent respectively), and low for political violence and an activist group attack on social media (both 32 percent).
Read the survey report (PDF).