Your Legacy BCM Platform Is Lying to You — And the Risk Landscape Has Moved On

A frank conversation about why staying on old risk technology is now a strategic liability — and what genuinely modern, AI-native platforms change for CROs, CCOs, and resilience leaders.
Let me start with something I don't say enough out loud: The annual BIA process was a ritual more than an insight engine. The recovery plans lived in a folder nobody opened until a regulator asked. Vendor risk sat in a spreadsheet owned by procurement. And the ERM register told the board what happened last quarter, not what's happening right now.
I'm not alone. I've had enough candid conversations with CROs, CCOs, and resilience leaders over the past 30 years to know this is a near-universal experience. We're running sophisticated risk programs on infrastructure designed for a different era — and the gap between what our technology can do and what the threat environment demands is widening fast.
This is my honest, peer-to-peer attempt to unpack that gap. Not a vendor pitch. Not a theoretical framework. Just the case for change, grounded in independent research and shaped by what I've seen working and failing in enterprise risk programs.
If you're comfortable with your current platform, I'd encourage you to read this anyway. The numbers tell a different story.
1. The Numbers That Should Be Keeping You Up at Night
Let's start with the facts — because they are sobering.
30% of all confirmed data breaches in 2025 involved a third party — double the rate from 2024.
Verizon 2025 Data Breach Investigations Report
That is not a gradual trend. It is a step change. In a single year, the share of breaches linked to a vendor, supplier, or partner doubled from 15% to 30%. Verizon's 2025 Data Breach Investigations Report — which analyzed over 12,195 confirmed data breaches, the largest sample in the report's 18-year history — describes this as the defining theme of the year. The research team was unambiguous: third-party interconnectedness is being exploited at an accelerating rate, and organizations must act.
$10.22M Average cost of a data breach for U.S. organizations in 2025 — an all-time record, up 9% from the prior year.
IBM Cost of a Data Breach Report 2025
IBM's 2025 Cost of a Data Breach Report confirms that while global average breach costs declined slightly to $4.44 million (driven by faster AI-assisted detection), U.S. organizations are at an all-time high of $10.22 million per breach. Supply-chain compromises were the second most prevalent attack vector, present in nearly 15% of breaches. Ransomware is now present in 44% of all confirmed incidents, per Verizon. These are not cybersecurity events in isolation — they are business continuity events. And yet most BCM platforms in use today were not built to receive, process, or respond to these signals in real time.
75% of enterprises experienced at least one critical risk event in the past year, yet only 32% rate their risk oversight as mature or robust.
AICPA & NC State University 2025 State of Risk Oversight Report
The AICPA and NC State University's 16th annual State of Risk Oversight Report — based on a survey of 273 U.S. organizations — makes the gap explicit: 61% of senior finance leaders acknowledge that the volume and complexity of risks have changed "mostly" or "extensively" in the past five years. Yet only 35% report having comprehensive ERM processes in place, and only 32% rate their oversight as mature or robust. Those numbers have barely moved in a decade. The environment has changed dramatically; the programs have not.
And perhaps the sharpest data point of all: only 11% of organizations believe their risk management process gives them any meaningful strategic advantage. That is a damning verdict on the state of legacy risk programs — and a direct call to modernize.
2. What "Legacy" Actually Means — And Why It's Costing More Than You Think
I want to be precise about what I mean by "legacy BCM platform," because it's easy to dismiss the label as hyperbole. Legacy doesn't necessarily mean ancient. It means architecturally designed for a world of periodic, siloed, document-centric risk management. If your platform was built primarily to store plans, run annual BIAs, and generate compliance reports — rather than to continuously aggregate, correlate, and act on risk signals across BCM, ERM, and TPRM simultaneously — it is, by any practical measure, legacy.
The Daily Friction Nobody Talks About
Research on outdated enterprise software consistently surfaces the same operational pain points — and risk professionals recognize every one of them:
- Productivity decay: Legacy platforms run slower than modern cloud-native systems. Analysts spend more time navigating the platform than analyzing what it contains. In risk functions that are already understaffed — IBM found a 26% increase in organizations reporting severe staffing shortages in its 2024 breach research — that friction compounds.
- Knowledge concentration risk: As a platform ages, fewer people understand how it truly works. When those individuals retire or leave, you pay to maintain and retrain on a shrinking-market skill set. That knowledge dependency is itself an operational risk.
- Vendor support degradation: When a software vendor downgrades support for older platforms, critical bugs go unfixed. Audit deadlines get missed. Regulatory penalties accumulate. Unmitigated risks grow quietly in the background.
- Integration incompatibility: Legacy systems frequently cannot communicate with modern platforms using current API protocols. Without integration, you cannot automate control evidence management, feed real-time threat intelligence into risk registers, or connect HR data to plan activation workflows.
- User experience attrition: New risk professionals expect modern interfaces. When they encounter legacy systems, the learning curve accelerates turnover in functions that already struggle to retain talent. McKinsey's 2025 Global GRC Benchmarking Survey found that 42% of risk function respondents say their use of IT and GRC systems "needs improvement" and 15% describe it as absent or lagging.
The Financial Picture
The compounding cost of legacy infrastructure is well-documented in independent research. ITIC's survey of more than 1,000 organizations found that 90% of mid-to-large enterprises face hourly downtime costs exceeding $300,000, with the average enterprise per-minute downtime cost reaching $14,056. When a BCM platform fails to surface a critical dependency gap before an incident — or cannot activate response workflows automatically — that's the financial exposure on the clock.
IBM's breach research adds a precision data point: organizations using AI extensively in prevention workflows incurred an average of $2.2 million less per breach than those without it, and identified and contained breaches nearly 100 days faster. The economics of AI adoption in risk management are not theoretical. They are documented and quantifiable.
The Regulatory Exposure
The regulatory argument for modernization is becoming harder to ignore. The Thomson Reuters Institute has documented that the financial services sector alone experienced an average of 257 regulatory changes per day — a volume that no manual monitoring process can reliably track.
These regulations do not ask for annual snapshots. They demand demonstrated operational resilience, continuous monitoring evidence, and documented third-party oversight. A platform that generates quarterly reports from manually updated registers cannot satisfy those expectations.
The personal stakes for risk executives are real. Forrester's State of Enterprise Risk Management 2025 research notes that ERM functions are being asked to take on dramatically expanded responsibilities — yet ERM budgets are increasing by only 1–4%, barely keeping pace with inflation. That mismatch between mandate and resource is itself a risk that legacy tooling makes structurally worse.
"Organizations with a robust, enterprise-wide and strategically focused approach to managing risks increase the odds that these risks can be managed proactively so that key strategic initiatives stay on track."
— Mark Beasley, Director, ERM Initiative, NC State University — 2025 State of Risk Oversight Report
3. What AI-Native Actually Means — And Why Architecture Matters More Than Features
This is where I want to be careful, because "AI-powered" has become a marketing term that covers everything from a slightly smarter search bar to genuinely transformative platform architecture. When I talk about AI-native risk platforms, I'm making a distinction that matters for real-world decision-making.
A legacy platform with AI features bolted on is still a legacy platform. What distinguishes a genuinely AI-native system is whether artificial intelligence is architectural — meaning the platform was designed from the ground up to ingest, correlate, and act on risk data continuously, rather than to store documents and generate periodic reports.
KPMG's Future of Risk Survey of 400 global executives captures the direction of travel precisely. In that survey, 98% of respondents confirmed that digital acceleration — AI and advanced analytics specifically — has already improved their organization's approach to risk identification, monitoring, and mitigation. And 61% expect a significant increase in their personal risk responsibilities over the next three to five years. More risk, more expectation, same tools — that is not a sustainable equation.
Tier One: AI-Assisted Capabilities
AI-assisted features augment what risk professionals can accomplish — making existing work faster, more accurate, and better-informed:
- Intelligent BIA automation: AI distributes surveys, synthesizes responses, maps dependencies, and identifies gaps. Work that took weeks now takes hours. Regulators increasingly expect evidence of dynamic, not static, BIA processes.
- Natural language plan generation: Large language models convert static recovery plan data into dynamic, executable workflows. The shift from document repository to living operational playbook is qualitative, not just quantitative.
- Risk scoring and prioritization: Machine learning continuously analyzes risk data across multiple dimensions, providing current rankings rather than last quarter's snapshot. Risk registers stop being historical records and start being live intelligence.
- Regulatory change monitoring: AI scans regulatory landscapes in real time, automatically flagging changes relevant to your specific industry and geography. With 257 regulatory changes per day in financial services alone (Thomson Reuters Institute), manual monitoring is not a realistic option.
- AI-driven scenario analysis and stress testing: Deloitte's 2025 Tech Trends Report identifies these as among the highest-value near-term AI applications in risk — simulating interconnected failure scenarios that quarterly reviews can never replicate.
Tier Two: Agentic AI Capabilities
Agentic AI is where the paradigm genuinely shifts. These are not features that help you work better — these are autonomous systems that act independently within governance parameters you define:
- Continuous vendor monitoring at scale: AI agents autonomously scan cybersecurity ratings, financial filings, regulatory violation databases, media feeds, and external data sources — continuously updating vendor risk scores without human intervention. The EY 2025 Global TPRM Survey found that only 13% of organizations have achieved optimized AI or automation in their TPRM programs. That 87% gap represents a compounding liability.
- Automated incident escalation: When threshold conditions are crossed, agentic systems trigger response workflows and mobilize teams before a human analyst logs in. Speed of detection and response is the single most reliable predictor of breach cost — IBM found that faster containment drove the first global decline in breach costs in five years.
- Fourth and fifth-party risk mapping: Autonomous agents map vendor-of-vendor relationships, identifying cascade risks that human teams simply cannot track at scale. Gartner has identified this multi-tier visibility as a defining capability gap in traditional TPRM programs.
- Continuous compliance monitoring: AI agents gather audit-ready evidence for ISO 22301, SOC 2, DORA, GDPR, and sector-specific frameworks continuously. No more evidence scrambles before examinations. No more gaps between audit cycles.
- Predictive disruption modeling: AI systems run continuous stress tests and scenario simulations, identifying potential cascade failures before they materialize. This is the shift from "what happened" to "what will happen" that boards have been demanding and risk programs have been unable to deliver.
$2.2M Average breach cost savings for organizations using AI extensively in security prevention workflows, vs. those that don't.
IBM Cost of a Data Breach Report 2024
4. The Integration Imperative: Why Siloed Platforms Are the Real Risk
Here is what I want to say most clearly, because it is what gets lost in feature comparison discussions: the strategic value of a modern AI-native risk platform is not any individual capability. It is the unified data layer — the architecture that allows BCM, ERM, and TPRM to share intelligence in real time rather than existing as parallel programs that communicate through quarterly reports and committee meetings.
Think about what fragmentation actually means in practice. You have a vendor who is simultaneously:
- A critical technology provider named in three BCM recovery plans
- A top-20 spend vendor in your TPRM program, due for reassessment next quarter
- Flagged in your ERM register for concentration risk
- Showing deteriorating cybersecurity posture in external ratings
- Under investigation by a regulator in their home jurisdiction
In a siloed architecture, three separate teams see three separate amber flags — at three different points in time — from three different systems. The cascade isn't visible until it's already happening.
In an integrated, AI-native platform, the correlation is automatic. The moment the cybersecurity posture deteriorates, the system cross-references BCM plan dependencies, flags ERM concentration risk, surfaces the regulatory signal, and escalates to the appropriate risk owner — all before anyone picks up the phone.
Only 26% of organizations with centralized risk structures actually have a holistic, cross-functional view of risks.
2025 KPMG Risk and Resilience Survey
KPMG's 2025 Risk and Resilience Survey found that while 48% of organizations have centralized risk and resilience structures, only 26% have strong collaboration and a genuinely holistic, cross-functional view of risks. Nearly half think they're centralized. Three-quarters are still operating in functional silos when it matters.
And Forrester's State of Enterprise Risk Management 2025 adds a harder edge to this: firms without board-level ERM visibility were 20 percentage points more likely to suffer six or more critical risk events in the past year. The connection between siloed risk programs and operational failure is not theoretical — it is statistically documented.
The Data Foundation Problem
There is a related issue that rarely gets addressed directly: AI-native platforms are only as good as the data layer underneath them. Gartner has projected that through 2026, 60% of AI projects will be abandoned if they are not supplied with AI-ready data. Forrester's research makes the same point: most organizations keep data in separate systems, much of it unstructured, lacking the metadata, lineage, and governance that AI depends on to function.
This is why the architecture conversation matters more than the feature conversation. A platform built for integration — with a unified data model, clean API connections to HR, IT, procurement, and external threat feeds — enables AI to work. A platform built for document storage with AI features added on top does not.
"In today's business landscape, defined by uncertainty, disruption, innovation, and constant change, organizations must move beyond reactive risk management and embrace a proactive, enterprise-wide approach. The pace of change demands resilience not just as a concept, but as a capability embedded throughout the organization."
— Tom Hood, EVP, AICPA & CIMA — 2025 State of Risk Oversight Report
5. Third-Party Risk Management: The Discipline That Can't Wait
Of all the risk disciplines where the gap between legacy capability and current need is most acute, TPRM demands the most urgent attention. The Verizon 2025 DBIR is unambiguous: third-party involvement in data breaches doubled in a single year to 30% of all confirmed incidents. The research team flagged this as a trend they will continue to track — because the interconnectedness of modern business is being exploited at an accelerating rate.
The EY 2025 Global Third-Party Risk Management Survey — a survey of 500 executives at major companies — describes conventional TPRM as "slow, siloed and disconnected from business goals even as companies rely more than ever on large numbers of specialized service providers." Their conclusion: TPRM has never been more ripe for transformation, and agentic AI represents the breakthrough capability that makes that transformation possible.
Only 1 in 3 organizations consistently monitor all vendors, according to independent research — meaning two-thirds have unmonitored gaps in their vendor ecosystems at any given time.
Verizon 2025 DBIR; EY 2025 Global TPRM Survey
Traditional TPRM was retrospective by design. You sent questionnaires. Vendors self-reported. You scored the responses. Filed the results. Did it again next year. It was compliance theater dressed up as risk management — and most experienced professionals know it.
Agentic AI flips this model. Rather than asking vendors what their posture is and hoping they're honest, modern platforms continuously monitor what external data sources actually show: cybersecurity ratings, financial health indicators, regulatory violation records, news feeds, and dark web intelligence. Vendor risk scores update in real time. Alerts fire autonomously when thresholds are crossed. And that vendor intelligence flows directly into BCM plan dependency mapping and ERM scenario analysis — so a deteriorating vendor posture automatically surfaces its implications across the entire risk picture.
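The correlation described here and in section 4 (one external vendor signal cross-referenced against BCM plan dependencies, the ERM register and TPRM tiering, then escalated to the right owners when a threshold is crossed) is easier to reason about as code than as prose. The following is an added example, not code from the original article or from any platform; the three registers, the vendor names, the thresholds and the owner roles are all constructed for illustration:

```python
from dataclasses import dataclass
from typing import Dict, List, Optional

# --- Constructed sample registers (illustrative; not real vendors or plans) ---

# BCM: each recovery plan and the vendors it depends on.
BCM_PLANS: Dict[str, List[str]] = {
    "Payments-Recovery": ["CloudHost-X", "PayGateway-Y"],
    "Customer-Portal-Recovery": ["CloudHost-X"],
    "Claims-Processing-Recovery": ["CloudHost-X", "DocScan-Z"],
}

# TPRM: vendor inventory with criticality tier and the last external cyber rating.
TPRM_VENDORS: Dict[str, dict] = {
    "CloudHost-X": {"tier": 1, "spend_rank": 7, "cyber_rating": 82},
    "PayGateway-Y": {"tier": 1, "spend_rank": 3, "cyber_rating": 88},
    "DocScan-Z": {"tier": 3, "spend_rank": 140, "cyber_rating": 75},
}

# ERM: register entries that name a vendor.
ERM_REGISTER: List[dict] = [
    {"id": "R-017", "vendor": "CloudHost-X", "category": "concentration", "score": 12},
    {"id": "R-042", "vendor": "DocScan-Z", "category": "data-privacy", "score": 6},
]


@dataclass
class Signal:
    """One external observation about a vendor (rating feed, regulator notice, ...)."""
    vendor: str
    kind: str                    # "cyber_rating" or "regulatory"
    value: Optional[int] = None  # new rating for "cyber_rating"; unused for "regulatory"


def correlate(signal: Signal) -> dict:
    """Join one signal against all three registers so the cascade is visible at once."""
    vendor = signal.vendor
    tprm = TPRM_VENDORS.get(vendor, {})
    findings = {
        "vendor": vendor,
        "signal": signal.kind,
        "bcm_plans_affected": [p for p, deps in BCM_PLANS.items() if vendor in deps],
        "tprm_tier": tprm.get("tier"),
        "erm_entries": [r["id"] for r in ERM_REGISTER if r["vendor"] == vendor],
        "rating_before": tprm.get("cyber_rating"),
        "rating_after": None,
        "rating_drop": 0,
    }
    if signal.kind == "cyber_rating" and signal.value is not None:
        findings["rating_after"] = signal.value
        findings["rating_drop"] = (tprm.get("cyber_rating") or 0) - signal.value
    return findings


def escalation_level(findings: dict, drop_threshold: int = 10, floor: int = 70) -> str:
    """Threshold rule: is the signal material, and how far does it cascade?"""
    material = (
        findings["signal"] == "regulatory"
        or findings["rating_drop"] >= drop_threshold
        or (findings["rating_after"] is not None and findings["rating_after"] < floor)
    )
    if not material:
        return "none"
    plans = len(findings["bcm_plans_affected"])
    in_erm = bool(findings["erm_entries"])
    # Critical vendor, named in several plans, already a known concentration risk:
    # the cascade the article describes.
    if findings["tprm_tier"] == 1 and plans >= 2 and in_erm:
        return "critical"
    if plans >= 1 or in_erm:
        return "high"
    return "medium"


def notify_list(findings: dict, level: str) -> List[str]:
    """Route to every owner whose register the vendor appears in; CRO on critical."""
    if level == "none":
        return []
    owners = ["tprm-owner"]
    if findings["bcm_plans_affected"]:
        owners.append("bcm-owner")
    if findings["erm_entries"]:
        owners.append("erm-owner")
    if level == "critical":
        owners.append("cro")
    return owners


def process_signal(signal: Signal) -> dict:
    """The whole pipeline: correlate, decide, route."""
    findings = correlate(signal)
    level = escalation_level(findings)
    return {"level": level, "notify": notify_list(findings, level), "findings": findings}


if __name__ == "__main__":
    # Constructed events: a rating-feed drop, a minor dip, and a regulator notice.
    for s in (Signal("CloudHost-X", "cyber_rating", 68),
              Signal("PayGateway-Y", "cyber_rating", 80),
              Signal("DocScan-Z", "regulatory")):
        out = process_signal(s)
        print(f"{s.vendor:14} {s.kind:13} -> {out['level']:8} notify={out['notify']}")
```

The point of the example is the join, not the scoring: the same rating drop for CloudHost-X is an amber flag in TPRM alone, but once it is cross-referenced it touches three recovery plans and an existing concentration entry, so the escalation and the notification list are derived from all three registers at once rather than from whichever team happens to see the signal first. In a siloed architecture each of those lookups is a separate team's job, done at a different time.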
Forrester's Business Risk Survey 2025 found that 43% of enterprise risk managers identified cyberattack or data breach as the most common third-party risk event in the past year. Yet third-party risks are not receiving attention proportional to their impact. As Forrester's analyst team has noted, risk teams must prioritize communicating the ROI of investing in mature third-party risk programs — and modern AI-native platforms are the evidence base for that conversation.
6. BCM Modernization: From Compliance Artifact to Operational Intelligence
BCM holds a unique position in this conversation — it is simultaneously the discipline most visibly constrained by legacy platform limitations and the discipline with the most concrete operational benefit from modernization.
Let's be direct about what most BCM programs actually are today versus what they're supposed to be. They are largely documentation programs. Well-intentioned, often carefully maintained — but fundamentally structured around the production and storage of artifacts: BIA surveys, recovery plans, testing reports, exercise summaries. The platform is a document management system with some workflow features and a compliance reporting layer.
That model served its purpose when the primary audience for BCM was a regulator asking to see the binder. It does not serve its purpose when ransomware is present in 44% of breaches, when a vendor failure can cascade through six interdependent processes simultaneously, and when boards want to know not just "do we have a plan" but "is the plan current, tested, and linked to the actual risk picture we face today."
The AICPA and NC State's 2025 State of Risk Oversight Report delivers a remarkable finding on this point: 65% of executives believe significant changes are warranted in their organization's approach to business continuity planning and crisis management. That is not a marginal dissatisfaction number. That is a supermajority of leaders acknowledging their current BCM programs are not adequate for the environment they're operating in.
What Modern BCM Platforms Do Differently
Business Impact Analysis
Modern AI-native platforms automate BIA distribution, intelligently synthesize responses, identify dependency gaps through continuous process mapping, and dynamically update impact assessments as the organization changes. The annual BIA ritual becomes a continuous intelligence feed. Dependencies do not have to be stale. Recovery objectives do not have to reflect last year's organizational structure.
Recovery Plan Management
Static plans stored as documents are not resilience programs — they are compliance artifacts. Modern platforms transform recovery plans into executable workflows with automated task assignment, real-time status tracking, and AI-driven gap identification. When integrated with ERM and TPRM data, recovery plans automatically flag when a strategy depends on a vendor whose risk posture has deteriorated. The plan stays honest because the data behind it is live.
Testing and Exercise
Legacy platforms support annual tabletop exercises with limited automation. Modern platforms support continuous testing through automated scenario simulation, providing ongoing readiness scoring rather than a single annual pass/fail. Deloitte's 2025 Tech Trends report identifies automated testing as one of the highest-value AI applications in resilience management — enabling organizations to surface gaps continuously rather than discovering them during actual incidents.
Crisis Response
When an incident occurs on a legacy platform, it requires manual plan activation, manual team notification, and manual status tracking. Modern AI-native platforms automatically trigger response workflows, mobilize teams through integrated mass notification across SMS, email, and app channels, and provide real-time dashboards showing response progress and gap identification. The research on this is consistent: faster detection and containment are the most reliable predictors of lower breach costs. Architecture that slows response is architecture that increases cost.
65% of senior executives say significant changes are warranted in their organization's approach to business continuity planning and crisis management.
AICPA & NC State 2025 State of Risk Oversight Report
7. ERM in the AI Era: From Quarterly Review to Continuous Intelligence
Enterprise Risk Management has a structural problem that goes beyond any individual platform: it was designed around the assumption that risk moves slowly enough to manage through periodic review cycles. That assumption is no longer valid.
Forrester's State of Enterprise Risk Management 2025 — drawing on surveys across North America, Europe, and Asia Pacific — found that 80% of ERM decision-makers say volatility is either increasing or staying the same. Nearly 75% of enterprises experienced at least one critical risk event in the past year. And firms without board-level ERM visibility were 20 percentage points more likely to suffer six or more critical events. These are not marginal findings. They are systemic signals that periodic risk management is failing.
The KPMG Future of Risk Survey finds that 61% of executives expect a significant increase in their personal risk responsibilities over the next three to five years. Meanwhile, only 37% of ERM decision-makers report that identifying emerging risks is their primary measure of success — meaning the majority are measuring themselves against lagging indicators rather than the forward-looking intelligence their boards actually need.
Only 11% of organizations say their risk management process gives them meaningful strategic competitive advantage.
AICPA & NC State 2025 State of Risk Oversight
Modern AI-native ERM platforms address this structurally, not just operationally:
- Continuous risk scanning: AI algorithms analyze internal operational data, external news, regulatory databases, and market signals simultaneously — surfacing emerging risks before they appear on a quarterly agenda. Deloitte's 2025 Tech Trends research identifies AI-driven scenario analysis and automated risk reporting as the highest near-term value applications.
- Cross-domain correlation: When a geopolitical event creates supply chain pressure, which creates concentration risk in a critical vendor, which creates BCM plan gaps, an integrated platform surfaces the entire cascade. A siloed platform shows you one signal at a time, weeks apart.
- Automated register updates: Risk scores, control status, and issue tracking update continuously based on real-time data inputs. Risk registers stop being historical archives and start being live situational intelligence.
- Board-ready real-time reporting: Executives and boards access dashboards reflecting today's intelligence, not last quarter's snapshot. This is the shift from reporting what happened to informing what to do next — which is what Forrester's research shows risk functions are increasingly being asked to deliver.
Forrester's analyst team has described what they call "transformational CROs" — risk leaders who see risk management as a competitive differentiator, helping their organizations move quickly into new opportunities while managing the downside intelligently. That transformation requires the technology infrastructure to support it. Legacy platforms are not that infrastructure.
8. The Objections — And My Honest Responses
I've had these conversations. Here are the objections I hear most often and what I actually think about them.
"Our current platform works. We've invested significantly in it."
I understand this at a gut level. But the sunk cost argument only holds if the platform's capability matches the current threat environment. Does your platform give you real-time third-party risk intelligence correlated with your BCM plans? Does it surface emerging risks before your quarterly review? Can it produce continuous monitoring evidence for examination?
If the answer is no, then "it works" means it produces compliance artifacts. That is different from managing risk in the environment we now operate in.
"We can't afford the disruption or cost of a major migration."
Here's the financial reality check: enterprise downtime costs average $14,056 per minute (ITIC research), and 90% of mid-to-large enterprises exceed $300,000 per hour. IBM's data shows organizations using AI in prevention workflows saved an average of $2.2 million per breach. ERM budgets increasing at 1–4% annually (Forrester) are not keeping pace with the risk environment. The question isn't whether you can afford to modernize. It's whether you can afford the compounding cost of not doing it.
"Our teams don't have AI expertise."
Modern AI-native risk platforms are designed for risk professionals, not data scientists. They use low-code/no-code interfaces, pre-built frameworks aligned with ISO 22301 and NIST, and guided implementation support. KPMG's Future of Risk analysis identifies AI upskilling as a manageable and necessary investment — and notes that the expertise gap is far smaller than most organizations assume once they begin.
"We're concerned about AI governance and data security."
This deserves a serious answer, not dismissal. AI governance frameworks must be established before deployment: clear accountability structures, validation protocols for AI-generated insights, and human oversight processes. The NIST AI Risk Management Framework and sector-specific regulatory guidance provide a roadmap.
But consider the framing carefully: the alternative to governing AI in your risk platform is not a risk-free status quo. IBM's 2025 breach research found that 63% of organizations have no AI governance policies in place — and organizations with shadow AI in their environments paid an extra $670,000 per breach on average. The governance gap creates risk whether you lean into AI deliberately or not.
9. A Practical Evaluation Framework for Platform Modernization
If you're initiating a platform modernization assessment, these are the questions that distinguish genuinely modern platforms from legacy systems with AI marketing added on top.
Architecture Questions
- Does the platform natively unify BCM, ERM, and TPRM data in a shared intelligence layer, or are they separate modules requiring manual reconciliation?
- Is the data model built for real-time correlation, or does it rely on batch processing cycles inherited from legacy architecture?
- Does it support open API integration with current protocols for connection to HR, IT, procurement, and external threat intelligence systems?
AI Capability Questions
- Does the platform include both AI-assisted features (intelligent analysis, NLP, pattern recognition) and genuinely agentic capabilities (autonomous monitoring, automated workflow execution, self-updating risk scores)?
- Are AI-generated insights explainable and auditable? Can the platform document how it reached a risk score or recommendation?
- Was the platform built natively for AI, or is AI functionality retrofitted onto legacy architecture? The answer will determine how the platform evolves as AI capabilities mature.
TPRM Capability Questions
- Does it support continuous external monitoring of vendors using objective telemetry, not just self-reported questionnaires?
- Does it map fourth and fifth-party relationships — the cascade dependencies that create your most dangerous invisible concentration risks?
- Does vendor risk data flow directly into BCM plan dependency mapping and ERM scenario analysis without manual reconciliation?
BCM Functional Questions
- Does it support dynamic BIA automation with real-time dependency mapping, or does it store static annual BIA documents?
- Does it enable executable, workflow-driven recovery plans rather than PDF repositories?
- Is crisis response — automated mass notification, real-time dashboards — natively integrated rather than a third-party bolt-on?
Regulatory Alignment Questions
- Does it provide pre-built templates aligned with ISO 22301, NIST CSF, and relevant sector-specific standards?
- Does it support continuous compliance monitoring with automated evidence collection for audit readiness?
- Does it generate board-level reporting that supports governance obligations in real time, not retrospectively?
10. The Strategic Dimension: Risk Intelligence as Competitive Advantage
I want to close with the argument I find most compelling — not because it's the most urgent, but because it's the one that should resonate most with executive risk leaders thinking about the long-term role of their function.
Risk management has historically been positioned as a cost center. A defensive function. The department that says no, the wet blankets, the killer of dreams. The people who show up after something goes wrong.
That framing is becoming obsolete — and the AICPA/NC State research puts numbers on why it matters: only 11% of organizations believe risk management gives them any strategic advantage. That is not a technology problem. It is a program design problem, deeply connected to the limitations of legacy tooling.
When your risk platform provides real-time, integrated visibility across BCM, ERM, and TPRM, it enables something that legacy platforms structurally prevent: the ability to take calibrated risk in pursuit of strategic opportunity. Organizations with mature, integrated risk intelligence can move faster into new markets. They can onboard new vendors with confidence. They can make capital allocation decisions with a more complete view of risk-adjusted return. They can walk into a board meeting with a live risk dashboard rather than a retrospective slide deck.
Forrester's research on transformational CROs captures this precisely: the risk leaders creating the most value are those who have repositioned risk management from compliance function to strategic capability — helping the organization confidently accelerate into opportunities while managing the downside intelligently.
KPMG's Future of Risk analysis frames the organizational imperative directly: transform risk from the "department of no" into a service that consistently creates value. The technology infrastructure required for that transformation consists of modern, AI-native, integrated platforms — not legacy systems producing compliance reports.
68% of organizations are now using specialized technology, AI, or advanced analytics to manage risks — up significantly from prior years.
2025 KPMG Risk and Resilience Survey
The market is moving. The 2025 KPMG Risk and Resilience Survey found that 68% of organizations are now using specialized technology, AI, or advanced analytics to manage risks. The organizations building integrated, AI-native risk programs now are creating resilience, regulatory confidence, and decision-making advantages that will be very difficult for laggards to close later.
Closing Thoughts: This Is Not a Technology Decision
I want to end where I started — with candor.
The decision to modernize your risk platform is not a technology procurement decision. It is a strategic choice about whether your risk function will operate at the pace of the threat environment or behind it. It is a governance choice about whether your board receives current intelligence or historical summaries. It is a professional choice about whether you have the tools to fulfill the mandate your organization has given you.
The independent data makes the case plainly. Third-party breaches are doubling. U.S. breach costs are at record highs. Ransomware is present in nearly half of all confirmed incidents. Regulatory expectations now require continuous monitoring evidence, not annual snapshots. Sixty-five percent of executives believe significant changes are warranted in their BCM programs. And only 11% of organizations believe their risk management gives them any strategic edge.
The cost of staying put is not zero. It is compounding. It is increasingly visible to boards, regulators, and audit committees. And it is, for risk executives, increasingly personal.
The question every risk executive needs to answer isn't "can we afford to modernize?" The question is: can we afford not to?
Sources and References
- Verizon 2025 Data Breach Investigations Report: Third-party involvement in 30% of 12,195+ confirmed breaches; ransomware in 44%; supply-chain as second-highest attack vector.
- Verizon 2025 DBIR Press Release: Third-party involvement doubled year-over-year; defining theme of the 2025 report.
- IBM Cost of a Data Breach Report 2025: U.S. record $10.22M; global avg $4.44M; 63% lack AI governance; supply-chain 2nd most prevalent attack vector.
- IBM Cost of a Data Breach 2025 – AI Analysis: AI oversight gap; shadow AI adds $670K per breach; faster containment drives first global cost decline in 5 years.
- IBM Cost of a Data Breach 2024: $4.88M global avg (largest spike since pandemic); AI prevention saves $2.2M; AI speeds breach containment by ~100 days; 26% increase in staffing shortage reports.
- AICPA & NC State University 2025 State of Risk Oversight Report (16th Edition): 273 U.S. organizations surveyed; only 11% see strategic advantage; only 32% mature/robust oversight; 65% say BCM changes warranted.
- AICPA Press Release, Sept 2025: 64% see no/minimal competitive advantage from risk management; 61% say complexity increased; 27% say ERM helps manage reputational risk.
- NC State ERM Initiative: Full report download and context.
- KPMG Future of Risk Survey: 400 executives; 61% expect significant risk increase; 98% say AI/digital acceleration improved risk approach; AI and GenAI top technologies for risk.
- KPMG – AI is Revolutionizing Risk Management (2025): Agentic AI emerging; connected AI across risk lifecycle; shift from point-in-time to continuous risk management.
- KPMG 2025 Risk and Resilience Survey: 68% using AI/analytics; only 26% have holistic cross-functional risk view; 48% centralized but siloed; 42% say GRC/IT systems need improvement.
- Forrester – The State of Enterprise Risk Management 2025: 80% report volatility increasing/stable; 75% experienced critical risk event; firms without board ERM visibility 20pts more likely to suffer 6+ events.
- Forrester – Future of Risk Management: 67% of organizations now have a CRO; transformational CRO concept; ERM budget only 1–4% increase.
- Forrester Blog – Supply Chain, AI, and Operational Resilience Dominate ERM 2025: Third-party risks under-resourced; AI guardrails needed; only 37% cite emerging risk identification as top measure of success.
- Forrester – 12 Top ERM Trends 2025 (TechTarget): Alla Valente on risk ripple effects; transformational CRO model; integrated GRC adoption.
- EY 2025 Global Third-Party Risk Management Survey (500 executives): Conventional TPRM 'slow, siloed'; only 13% optimized AI/automation; TPRM 'ripe for transformation'; agentic AI as breakthrough capability.
- Deloitte 2025 Tech Trends Report: AI-driven scenario analysis and stress testing; automated risk reporting; integration of risk signals across siloed systems as highest-value ERM applications.
- Gartner – 60% of AI projects abandoned without AI-ready data (2025 projection through 2026); data quality as foundational AI requirement.
- Gartner – ERM leaders: only 18% express high confidence in ability to identify emerging risks.
- Thomson Reuters Institute – Average of 257 regulatory changes per day in financial services sector.
- ITIC Research – 90% of mid-to-large enterprises face hourly downtime costs exceeding $300,000; average $14,056 per minute.
- McKinsey 2025 Global GRC Benchmarking Survey: 42% say GRC/IT systems need improvement; 15% absent or lagging.
