4 Signs of a Mature Enterprise Risk Management Program

How many disruptive critical events is your organization ready to handle?

It sounds surprisingly high, but 99 percent of risk and security decision-makers surveyed said their organization experienced at least one disruptive incident in the past 18 months, according to “Failing to Plan is Planning to Fail,” a commissioned study conducted by Forrester Consulting on behalf of OnSolve. But that’s not all. Nearly three-quarters of respondents said their firm experienced at least two types of incidents, more than one-third said their firm had at least three and 12 percent said their firm suffered at least four distinct types of incidents during that timeframe.

Since the pandemic, the greater frequency of incidents isn’t the only thing changing critical event management (CEM) requirements. Risk events have also become increasingly dynamic. In fact, organizations with adept CEM are 320 percent more likely to agree risks can come from anywhere, according to the Forrester study. The dynamic nature of risk means the resulting consequences of a given emergency often manifest differently than initially predicted or cause a secondary (and unforeseen) event to unfold, demanding greater adaptability from security professionals.

While these facts may seem daunting, they’re not insurmountable. A mature enterprise risk management (ERM) program can help your organization maintain business continuity, even while dealing with disaster. As a holistic process, ERM significantly improves your ability to determine, assess and mitigate the greatest risks to your organization’s most important objectives.

During the OnSolve 2022 Nexus Customer Conference, guest speaker Alla Valente, a senior analyst at Forrester, recommended a few steps for rethinking resilience and discussed what success looks like. In her talk, she asked, “How should we define success, or, as you say, get it right when it comes to enterprise risk management?”

In response to this question, Valente said, “What success looks like is very unique to different organizations. The key to success, though, is to continue to update your information, use data to help you understand what's happening around you and contextually evaluate the risk environment in your planning.”

So how do you know if you’re truly ready for the next set of disruptions? Research has found organizations with mature ERM practices share these four characteristics.

1. They prioritize proactive risk management. 

Highly capable organizations have a keen sense of the true scope of risk, including both its sources and its complexity. As such, they have a 152 percent higher likelihood of concurring with the importance of proactive risk mitigation, as compared with less capable organizations, according to the Forrester study.

How does this awareness translate? It results in more diligent monitoring of specific areas such as information security risk, as well as overall business risk. When you’re actively surveying the landscape, you’re more likely to recognize signs of a potential incident and take steps to prevent it and mitigate the impact. 

2. They take advantage of technology.

Capable firms are 6.5 times more likely to agree their firm’s risk management program delivers value to the organization, as reported in the study. They recognize the value of a CEM platform that delivers a full spectrum of technologies, including risk intelligence, critical communications and incident management. 

These capabilities enable fast and effective incident response, which drives business continuity and supports recovery from all types of incidents. Risk intelligence identifies threats relevant to the organization, while critical communications make it easy to keep everyone connected before, during and after a critical event. Incident management provides the capabilities needed to respond swiftly and adapt in real time, so organizations can handle dynamic risk. Organizations with mature ERM programs use technology to keep operations running when a risk event unfolds.

3. They integrate critical event management into every level of their operations.

The benefits of effective CEM aren’t exclusive to disasters. By putting supportive technology into action during daily operations, organizations get a greater return on their investment. Not surprisingly, firms with mature CEM were five times more likely to report having thoroughly integrated risk management solutions in place.

At its core, critical event management enables more efficient problem solving, which should be a goal at every level of operations. Well-integrated strategies for collaboration across departments keep everyone focused on a unified objective. An optimized response to all manner of business risk is the endgame, including information security, travel, employee risk, data privacy and risk that impacts customer experiences. They all feed into one another.

4. They are more confident in their ability to deal with more complicated risk.

While it’s impossible to predict the future, with sufficient practice organizations can build the muscle memory required to pivot quickly when unexpected and unprecedented circumstances present themselves. This is why highly capable firms are twice as likely to be confident in their ability to keep up with increasingly complicated risk management in the future, as evidenced in the study.

Having faced difficult scenarios and used supportive technology to prevail, they know both their existing capabilities and their areas of weakness. As a continual process, enterprise risk management feeds into business continuity. With the right technology to support this mindset, the unknown can be a place of opportunity.

Needless to say, the path to a mature enterprise risk management program is filled with tough decisions. However, it’s not an insurmountable task, and it’s worth the time and investment to know you can weather critical events without disrupting operations.

Valente summed it up perfectly at the OnSolve 2022 Nexus Customer Conference when she said, “These organizations prioritize risk and resilience, and they can turn risk events into a competitive advantage. They balance efficiency and cost savings with speed and agility. They’re also able to make good on their values and their brand promise, no matter what the price is.”

