Firms consider cyber and IT-related risks to be the most likely to occur and to have the greatest potential impact on their operations, according to the 2015 International Business Resiliency Survey conducted by Marsh and the Disaster Recovery Institute International (DRII).
Marsh, in collaboration with DRII, surveyed about 200 C-suite executives, risk professionals, and business continuity managers from large and medium-sized corporations internationally about their organisations’ attitudes toward business risks and the risk mitigation processes they have in place.
The survey results indicated that organisations are better positioned to address traditional risks than non-traditional risks and that risk managers and CEOs have different perceptions about the severity and control measures in place for various risks facing their organisations.
Companies are underinsured in most cases
Among 10 suggested risk scenarios, the top risks in terms of impact and likelihood are: reputational damage from a sensitive data breach (impact 79% - likelihood 79%); the failure in a main IT data centre (59% - 77%); and online services being unavailable due to a cyber attack (58% - 77%). The risks with the lowest potential impact originate from a product recall event (15% - 21%).
According to the survey, CEOs overestimate their levels of protection for the most likely and high-impact risks: 28% stated they have dedicated insurance coverage against cyber attacks and 21% stated they have dedicated insurance protection for reputation damage after a data breach. However, only 6% of risk managers stated that they have dedicated coverage for these risks.
“Product innovations in speciality insurance such as cyber make this a good time for organisations to revisit their coverage to make sure that it is properly nuanced to meet the unique needs of their industry and the corporation’s business goals,” said Mr David Batchelor, president of Marsh’s International Division. “Additionally, having a well thought out crisis management plan is a critical element in protecting an organisation’s reputation.”
Failure of IT systems and lack of crisis management planning
Three out of four respondents considered the failure of IT systems as one of two areas that could have the greatest impact on their organisation’s reputation, along with the lack of crisis management planning, the survey found. Both CEOs and risk managers identified IT system failure prevention (29%) as the most important area to invest in, with CEOs also highlighting intellectual property protection (25%).
In terms of preparedness, the majority of organisations believe they are better positioned to deal with traditional than non-traditional risks: Respondents rated the level of resilience of their organisations to be high for natural catastrophes and IT system failure (40% and 44% respectively), and low for political violence and an activist group attack on social media (both 32%).