Report OnSolve Failing To Plan Is Planning To Fail
Key Findings
Appendix
Project Director:
Nicholas Phelps,
Principal Market Impact Consultant
Contributing Research:
Forrester’s Security and Risk research group
Forrester Consulting provides independent and objective research-based consulting to help leaders succeed in their
organizations. Ranging in scope from a short strategy session to custom projects, Forrester’s Consulting services connect
you directly with research analysts who apply expert insight to your specific business challenges. For more information,
visit forrester.com/consulting.
© Forrester Research, Inc. All rights reserved. Unauthorized reproduction is strictly prohibited. Information is based on the
best available resources. Opinions reflect judgment at the time and are subject to change. Forrester®, Technographics®,
Forrester Wave, RoleView, TechRadar, and Total Economic Impact are trademarks of Forrester Research, Inc. All other
trademarks are the property of their respective companies. [E-51478]
To grow and thrive, entities of all sizes and sectors must have a robust
risk management process, access to timely information and analysis, and
support from the right technologies to help them make better, quicker
strategic decisions. Five competencies drive success in this space: the
ability to identify, evaluate, respond, monitor, and communicate.¹ These
enable firms to keep pace with the proliferation of business, ecosystem,
and systemic risks they face (see Figure 1).
While all respondents showed their risk response has room for
improvement (see Figure 2), this study showed that response
effectiveness varies by industry (see Figure 2a). Averaging the
number of respondents within each vertical who described their
firm’s ability to respond across all the risk incidents indicated
that those within the financial services and insurance industries
are most confident in their firm’s risk response, followed by those
in retail and government. On the other hand, respondents
representing healthcare and education were less likely to rate
their firm’s response as highly.
Base: 469 risk, security, and CEM decision-makers at organizations in North America and the UK
Source: A commissioned study conducted by Forrester Consulting on behalf of OnSolve, October 2021
Figure 2a: Respondents Within Each Industry Who Rate Their Incident Response As Effective Or Optimized Across All Risk Vectors
Retail: 48%
Government: 45%
Healthcare: 39%
Education: 38%
Proactive risk mitigation requires firms to balance the impact of the risks
with the cost of investment in technology and resources. An organization’s
ability to manage critical events as they occur is a key dimension of
resiliency. Sometimes referred to as critical event management, effective
incident response is made up of four core competencies: risk intelligence,
critical communications, incident management, and control-center-level
visibility (see Figure 3).
Figure 3: The Core Competencies Of Critical Event Management
• Many CEM stacks lack key capabilities. Current security stacks make
it harder to monitor and effectively respond to incidents. Forty-four
percent of respondents said their firm lacks risk intelligence solutions,
“What are the major challenges your organization faces with critical event management today?”
Figure 5: Most Organizations Show Room To Improve Across Risk Categories
Targeting (3.26): Ability to reach the right teams with the critical information they need to respond to an event in near real time
Scope (3.17): Quickly determining the scope of an event and its potential impact to initiate rapid recovery and improve resilience
Figure 6: Most Organizations Show Room To Improve Across Risk Categories
• Are aware of the true scope of risk. Respondents from adept firms
were 152% more likely to agree that proactive risk mitigation is
important than respondents from less capable organizations. They were
also 320% more likely to agree that risks come from anywhere, and
180% more likely to agree that risk management is getting progressively
more complex. They said their organizations are 1.6 times more likely
to monitor information security risk and that they are more likely to
monitor all manner of business risk.
All the respondents in the study agreed that improving CEM would
deliver better business and customer outcomes for their firm, and
they were most likely to say that improving risk intelligence and
critical communications are the two CEM capabilities that would most
improve their firm’s response to recent incidents they experienced. As
we’ve seen, CEM is an important enabler for an organization’s overall
risk management strategy, and firms have a clear opportunity and
requirement to shore up their capabilities to prepare to respond to
today’s events and tomorrow’s threats.
Unfortunately, the job of monitoring risk has no defined finish line. Effective
risk monitoring requires continuous monitoring of threats, risk events, and
changes in the business environment; third-party ecosystems; customer
preferences; and employee sentiment. Risk managers should use a
combination of technologies such as predictive analytics, real-time event
monitoring, AI and machine learning, continuous controls monitoring
capabilities, and third-party risk intelligence to gain a holistic perspective of
new and emerging risks.
Appendix A: Methodology
In April 2021, OnSolve commissioned Forrester Consulting to evaluate the state of risk management
and CEM at midsize to large enterprises in North America and the UK. To explore this topic, Forrester
conducted an online survey with 469 decision-makers in risk, security, and business continuity. Questions
provided to the participants asked about their firm’s current risk management strategies and CEM
capabilities. Respondents were offered a small incentive as a thank you for time spent on the survey. The
study began in April 2021 and was completed in October 2021.
Appendix B: Demographics/Data
GEOGRAPHY
US 54%
UK 30%
Canada 16%
ROLE
Business continuity 40%
Critical communications 32%
Risk management 32%
Operational resilience 29%
Other risk/security role 16%
RESPONDENT LEVEL
C-level executive 25%
EVP/SVP/VP 25%
Director 30%
Manager 16%
NUMBER OF EMPLOYEES
500 to 999 14%
1,000 to 1,999 14%
2,000 to 4,999 23%
5,000 to 9,999 28%
10,000 or more 22%
INDUSTRY
Education 22%
Government 21%