Interviews

Risk and recovery survey

by Mark Rowe

According to the 2015 International Business Resiliency Survey, by Marsh, an insurance broking and risk management firm, and Disaster Recovery Institute International (DRII), firms consider cyber and IT-related risks to be the most likely to occur and have the greatest potential impact on their operations.

Marsh, with DRII, surveyed nearly 200 C-suite executives, risk professionals and business continuity managers from large and medium-sized corporations internationally about their organisations’ attitudes toward business risks and the risk mitigation processes in place. The survey results indicate that organisations are better positioned to address traditional risks than non-traditional ones, and that risk managers and CEOs have different perceptions of the severity of, and the control measures in place for, the various risks facing their organisations.

Among ten suggested risk scenarios, the top risks in terms of impact and likelihood are: reputational damage from a sensitive data breach (impact 79 per cent – likelihood 79 per cent); the failure in a main IT data centre (59 per cent – 77 per cent); and online services being unavailable due to a cyber attack (58 per cent – 77 per cent). The risks with the lowest potential impact originate from a product recall event (15 per cent – 21 per cent).

According to the survey, CEOs over-estimate their levels of protection for the most likely and high-impact risks: 28 per cent stated they have dedicated insurance coverage against cyber attacks and 21 per cent stated they have dedicated insurance protection for reputation damage after a data breach. However, only 6 per cent of risk managers stated that they have dedicated coverage for these risks.

David Batchelor, president of Marsh’s International Division, said: “Product innovations in speciality insurance such as cyber make this a good time for organisations to revisit their coverage to make sure that it is properly nuanced to meet the unique needs of their industry and the corporation’s business goals. Additionally, having a well thought out crisis management plan is a critical element in protecting an organisation’s reputation.”

Three out of four respondents considered the failure of IT systems as one of two areas that could have the greatest impact on their organisation’s reputation, along with the lack of crisis management planning. Both CEOs and risk managers identified IT system failure prevention (29 per cent) as the most important area to invest in, with CEOs also highlighting intellectual property protection (25 per cent). However, CEOs placed far less importance on the resiliency of IT systems (60 per cent) in relation to reputation management.

In terms of preparedness, the majority of organisations believe they are better positioned to deal with traditional than non-traditional risks: respondents rated the level of resilience of their organisations to be high for natural catastrophes and IT system failure (40 per cent and 44 per cent respectively), and low for political violence and an activist group attack on social media (both 32 per cent).


© 2024 Professional Security Magazine. All rights reserved.
