The findings come from the 2015 International Business Resiliency Survey, conducted by insurance broking and risk management group Marsh and Disaster Recovery Institute International (DRII). Marsh and DRII partnered in a survey of nearly 200 C-suite executives, risk professionals and business continuity managers from large and medium-sized corporations internationally, who were asked about their organizations’ attitudes toward business risks and the risk mitigation processes they have in place.
While primarily addressed to risk professionals, the survey results are also pertinent to financial professionals, as both cyber and reputation risk increasingly look well-established as the primary concerns of many corporates. They also indicate that organizations are better positioned to address traditional than non-traditional risks and that risk managers and chief executive officers (CEOs) have different perceptions about the severity and control measures in place for the various risks facing the business.
Survey respondents were presented with 10 suggested risk scenarios and asked to rank the top risks in terms of impact and likelihood. Those that scored highest, with the respective percentages for impact and likelihood, were reputational damage from a sensitive data breach (both 79%); the failure in a main IT data centre (59%-77%); and online services being unavailable due to a cyberattack (58%-77%).
The risks judged to have the lowest potential impact were those originating from a product recall event (15%-21%), although the survey was conducted before the recent events at Volkswagen and the announcement of a mass vehicle recall.
Among the survey’s other findings was that CEOs often overestimate their levels of protection against the most likely and high-impact risks. Twenty-eight percent of survey respondents believe they have dedicated insurance coverage against cyberattacks and 21% stated they have dedicated insurance protection for reputation damage after a data breach. However, only 6% of risk managers reported that their company carried dedicated coverage for these risks.
Three out of four respondents considered the failure of IT systems as one of two areas that could have the greatest impact on their organization’s reputation, the other being the lack of crisis management planning. Both CEOs and risk managers identified IT system failure prevention (29%) as the most important area to invest in, with CEOs also highlighting intellectual property protection (25%), although they placed far less importance on the resiliency of IT systems (60%) in relation to reputation management.
The majority of organizations believe that they are better prepared to deal with traditional than non-traditional risks: respondents rated the level of resilience of their organizations to be high for natural catastrophes and IT system failure (40% and 44% respectively), and less so for political violence and an activist group attack on social media (both 32%).
“Product innovations in speciality insurance such as cyber make this a good time for organizations to revisit their coverage to make sure that it is properly nuanced to meet the unique needs of their industry and the corporation’s business goals,” says David Batchelor, president of Marsh’s international division.
“Additionally, having a well thought out crisis management plan is a critical element in protecting an organization’s reputation.”