The Majority of U.S. Organizations Reportedly Not Prepared to Handle Increasing Risks Events, Broad Disruptions – New KPMG Risk & Resilience Survey

NEW YORK, March 11, 2025 – More than half, 52%, of U.S. organizations have not integrated risk and resilience capabilities, accountabilities, or organizational structure, according to the new KPMG Risk & Resilience survey of 208 U.S. C-Suite leaders.

“The current business environment is marked by unprecedented levels of volatility and rapidly evolving risks,” said Joey Gyengo, U.S. Enterprise Risk Management Solution Leader, KPMG LLP.  “Our survey findings highlight a significant gap between leaders’ recognition of the need for enhanced resilience and the implementation of effective measures to handle broader disruptions. Even though programs to identify and document risk are established, it is still early days for making strides toward genuine and comprehensive organizational resilience.”

Gyengo emphasized, "The interconnectedness and complexity of external risks mean that organizations can't afford to concentrate on risks or processes in isolation. The environment we currently operate in demands a holistic and multifaceted approach to risk management to help ensure resilience across the organization. Failing to acknowledge the interdependencies of these risks may lead to devastating consequences that ripple throughout a company.”  

The survey also shows that cybersecurity continues to be considered the biggest risk challenge for businesses over the next five years at 57%, followed by data privacy risk at 43% and technology risk at 41%. Each of these top risks are critical considerations for strong risk and resilience programs.

“Cross-functional challenges require bolder approaches, bringing together business, risk, operations, and technology leaders to plan, prepare, and respond,” added Gyengo.

Centralized Risk & Resilience Structures Drive Performance:

Survey results indicate that approximately half, 48%, of the organizations have centralized or coordinated structures for managing risk and resiliency.  Most organizations, 51%, also test and update their resiliency plans annually, while a quarter, 23%, are doing so more than once a year.

“The survey results show that organizations with centralized structures for managing risk and resilience are more mature in their capabilities to handle disruption than their counterparts,” said Tim Phelps, Risk Services Leader, KPMG LLP. “Those organizations are also more likely to have specialized tools to manage risk including GRC, risk reporting and risk monitoring technology with advanced analytics.  This leads to greater confidence that their C-suite understands the business risks posed by disruption.”

Growing Use of Specialized Tools and Advanced Analytics Increases Resiliency:

Organizations with centralized risk and resilience structures are using specialized tools for the majority of risk processes, much more frequently than those with decentralized structures. In addition, organizations with centralized risk and resiliency management are twice as likely to have timely data than those with decentralized management structures.

Survey participants indicated that commonly used specialized tools include GRC technologies, risk monitoring tools, and risk reporting technologies. Advanced analytics, such as monitoring and sensing, scenario analysis, and predictive modeling, are also being employed, with about half of the organizations regularly employing these tools.

“In an increasingly complex and volatile ecosystem of risk, bold solutions with a clear strategy and predictive insights are key,” said Samantha Gloede, Trusted Leader, KPMG LLP.  “Stakeholder trust is earned when organizations take a fully integrated approach and a cohesive strategy for managing risk and resilience. An organization’s ability to be agile in proactively identifying and addressing vulnerabilities before they become problems is what truly moves the needle.”

Organizations Still Face Significant Barriers to Effective Risk Management:

Despite the progress, a significant number of organizations - ranging from two-thirds to nearly three-quarters - face moderate to strong barriers in effectively managing risk. These barriers include performing duplicative efforts (71%), cultural resistance (66%), lack of awareness and communication (72%), lack of an integrated view of risks (71%), and inadequate skills and competent resources to keep pace with growing volatility and emerging technologies (66%).

“Organizations with centralized risk and resilience management structures are less likely to cite any risk management barriers, demonstrating the importance of a cohesive strategy and integrated approach to risk and resilience management,” added Gyengo.

About the survey:

KPMG surveyed 208 C-Suite leaders in the U.S. regarding the management of risk and resilience within their organizations, including understanding how organizations are structuring their approaches, integrating risk and resilience management into strategic planning and business functions, and leveraging tools/solutions, data, analytics and reporting to increase the effectiveness of their risk and resiliency processes.

About KPMG LLP
KPMG LLP is the U.S. member firm of the KPMG global organization of independent member firms providing audit, tax and advisory services. The KPMG global organization operates in 142 countries and territories and has more than 275,000 people working in member firms around the world. Each KPMG firm is a legally distinct and separate entity and describes itself as such. KPMG International Limited is a private English company limited by guarantee. KPMG International Limited and its related entities do not provide services to clients.
  
KPMG is widely recognized for being a great place to work and build a career. Our people share a sense of purpose in the work we do, and a strong commitment to increasing access to education and opportunity, advancing mental health, and supporting community vitality. Learn more at www.kpmg.com/us.