Managing & Mitigating Risk: The 2011 IBM Global Business Risk & Resilience Survey
Once again, IBM has published a global business risk and resilience study, this year in partnership with the Economist Intelligence Unit on behalf of IBM.
The study was conducted in June of this year, and included responses from 391 senior executives…Thirty-five percent of the respondents were C-level executives…About 39% were from North America, 38% from Western Europe, 20% from Asia Pacific, and 3% from Eastern Europe.
Companies with less than U.S. $500M in revenue comprised 39% of the responses, and 48% of the respondents hailed from companies with more than U.S. $1 billion in revenue…The survey also covered a gamut of industries, including financial services (16%), IT and technology (16%), professional services (13%), manufacturing (8%) and healthcare (7%).
Before I dive into the results, here’s the setup: Global organizations are increasingly emphasizing business resilience; that is, the ability to rapidly adapt to a continuously changing business environment. Resilient corporations are able to maintain continuous operations and protect their market share in the face of natural or man-made disasters as well as radical changes in the financial or economic climate. They are also equipped to seize opportunities created by unexpected events.
So, the question is, are they?
It’s a mixed bag.
The research suggests that more and more businesses will adopt a more holistic approach to risk management in the next three years as they deal with growing uncertainty and the increasing interconnectedness of the varied risks they face.
That’s the good news, aspirational though it may be.
But in terms of today’s reality, the study indicated that only a minority of companies (37%) has implemented an organization-wide business resilience strategy…with 42% saying they’ll do so in the next three years.
Almost two-thirds (64%) say they have a business continuity plan of some sort, and a robust 58% have dedicated contingency plans for dealing with a variety of risks.
That’s the topline…now on to the deeper dive:
- Larger organizations are more likely than smaller ones to have an integrated strategy. They, of course, typically have more to lose, and complexity increases an organization’s exposure to risk. Larger firms are more likely to have assigned overall responsibility for enterprise risk management to a single executive (which means, of course, direct accountability). Still, there is a contingent of small companies that have adopted integrated strategies. These companies also rank highly with regard to indicators of success such as revenue growth, profitability, and market share.
- Continuity, IT and compliance risks remain in the forefront, but companies are diversifying their strategies to build business resilience. Nearly 40% of respondents say their organization regards business continuity as primarily an IT issue. However, when they’re asked to name their “primary risk management concern,” some name more than one, including disaster recovery (47%), IT security (37%), and regulatory compliance (28%). Though most have started by addressing the largest threats first, they increasingly are expected to turn to such things as communications and training programs designed to build a more resilient culture overall.
- Business resilience planning increasingly involves specialists from across the organization, yet CIOs and IT pros remain the most prominent stakeholders. Hey, what happened to sharing the love…and the risk?? Because a culture that imbues responsibility for risk management at every level enables companies to respond to changes and unexpected events. A solid majority of respondents (60%) say that business resilience is considered a joint responsibility of all C-level execs. Yet as IT penetrates more deeply into every aspect of company operations, CIOs and IT pros remain key players in building more resilient organizations. Fifty-six percent of respondents say the CIO collaborates with top IT strategists much more frequently than three years ago.
How Can I Better Manage Risk Moving Forward?
In most organizations, improving business resilience requires a shift in corporate culture because that is what shapes values and behavior. If a company’s culture blends risk awareness with other corporate values, then people instinctively know the right thing to do when confronted with an unexpected situation, and that reduces risk.
Understanding these principles is a good first step, but in interviews, executives are clear that buy-in from the top is essential to foster broad organizational change. Promoting holistic risk management concepts to peers and employees is also critical.
Taking an incremental approach with broad participation in strategy development can help, because it is easier to promote change if a new initiative is not seen as being pushed by one particular faction.
Senior-level commitment and adequate resources are also needed to develop comprehensive communications and training programs to support integrated risk management. One of the distinguishing features of the most resilient companies is that they are much more likely than other firms to have developed a communications strategy to push the message of resilience out to every corner of the organization.
Companies that embrace these measures are more likely to create an effective business resilience plan. This will provide a robust foundation on which to build a long-lived competitive position supported by end-to-end risk management.
Go here to download the full report.