Risk Readiness for the Top 10 Risks
We investigate an organization's risk readiness every year because it serves as a good barometer of risk management activity, sophistication and dynamism. Mitigants evolve around business risks and the broader environment, so it is no surprise that with the exceptional circumstances the global pandemic has brought since its outbreak in early 2020, risk readiness, which we define as an organization having plans in place to address and manage risks, has increased.
The overall risk readiness for the top 10 risks increased from 51 percent in 2019 to 58 percent in 2021 as awareness of the most important risks increased. The downward trend that emerged in previous surveys has been reversed now that past experiences have become more or less obsolete when trying to manage the present or predict the future.
The nature of risks is changing at an unprecedented speed, so any mitigation plans or solutions are often obsolete by the time they are created or launched.
The key examples we would like to call out in this context are pandemic risk/health crises, cyber attacks/data breach, and damage to reputation or brand, because they highlight very different stages of risk preparedness.
Risk readiness for pandemics and potential health crises showed the biggest increase among the top 10 risks, rising by 25 percent. This reflects the fact that companies have been actively managing their pandemic responses since 2020, giving them ample time to put plans in place by the time this survey took place in 2021. In past surveys, the highest ranking for this risk was 23 (in 2007), before descending to number 60 in 2019, where it had a risk readiness of 45 percent. This is only 6 percent below the average risk readiness for the top 10 risks, which illustrates that while the risk of a pandemic or health crisis might have not been top of mind for risk managers, crisis management plans were still in place. The scale and speed of the pandemic highlighted the gaps in these planned mitigation actions and forced companies to develop more in-depth plans to react, respond and recover in 2020 before focusing on reshaping in 2021. Overall, this likely led to the rise in risk readiness.
Companies reported the highest levels of risk readiness for cyber attacks and data breaches yet again, rising from 79 percent in 2019 to 86 percent in 2021. The extensive media coverage of high-profile cyber attacks and related business interruptions undoubtedly increased awareness, prompting many organizations to implement plans to protect themselves from the possible impact of such events. Additionally, since cyber risk is a relatively new exposure, many businesses feel that the mitigants they have put in place are current and up-to-date. That confidence likely positively influenced their perception of effectiveness.
In contrast to cyber attacks/ data breach, the risk of damage to reputation/brand has remained at the same level as it was 2019 and is the only risk in the top 10 risk list that has not seen increased readiness. We assume this is because this is a very complex risk, and companies are still struggling with it. It has remained on the top 10 risk list since the inception of this survey in 2007, whereas readiness for other risks has been steadily improving as more mitigants become available to manage their impact and associated exposures.
Reported Readiness for Top 10 Risks
When we drill down by industry, we can see that all except one sector have reported an increase in risk readiness. In contrast, in 2019 only one-third showed an increase. It will come as no surprise that the hospitality, travel and leisure sector has reported a decrease in risk readiness; the sector was the hardest hit by the global pandemic and had to face risks that were largely out of their control and for which only limited mitigants are available. There are also some notable disparities. Industries that are heavily regulated, such as life sciences; telecommunications, media and entertainment; and government organizations, trended over 19 percent higher than other sectors, at 68 percent, 74 percent and 59 percent, respectively.
Geographically, the level of reported preparedness also improved across all regions, with North America reporting the highest level at 65 percent and with Middle East and Africa showing the biggest rise, from 49 percent in 2019 to 60 percent in 2021.
In summary, Aon believes that the overall level of risk preparedness, while showing improvement since 2019, is lower than it should be. With the rising number of industries focused on risk management strategies, organizations could do an even better job in improving preparedness, resilience and sustainability to ensure their organizations are able to keep pace with the rapidly evolving risk landscape.