OCEG Crisis Readiness

Planning Survey 2020

Sponsor:
OCEG is a nonprofit think tank that is dedicated to achieving a world where every
organization and every person strives to achieve objectives, address uncertainty
and act with integrity. This approach to business, and to life, is what we call
Principled Performance. We were founded in 2002 to promote Principled
Performance® as the universal goal of any organization, team and individual. We
invented the concept of GRC (integration of governance, risk management and
compliance) and the GRC Capability Model as the means to achieve Principled
Performance. We provide standards, resources, and certifications to help key
professions become more effective across all disciplines. Today, OCEG has more
than 85,000 members in countries around the world. For more information
about OCEG visit www.oceg.com

Workiva is the provider of the world's leading connected reporting and

compliance platform. Workiva is used by thousands of enterprises across 180
countries, including 75 percent of the 500 largest U.S. companies by total
revenue, and by government agencies. Our customers have linked over five
billion data elements to build trust in their data, reduce risk, and save time.
For more information about Workiva (NYSE:WK), please visit
www.workiva.com.
Purpose of the Survey
In May of 2020, in the midst of the worldwide COVID-19 pandemic, OCEG conducted a
survey regarding crisis readiness planning, seeking to answer several overarching questions:

1. Had organizations taken ten key steps to prepare to address crises such as
pandemics, geopolitical challenges, and environmental disasters?
2. Had they documented essential plans?
3. Were they confident that planning had been done well and that resources were
in place to respond to future crises?
4. Did their maturity of GRC integration overall, or use of integrated GRC
technology, affect their level of readiness?

Demographics
Overall, 828 respondents participated in the survey (549 complete and 279 partial). 1 Of these,
420 respondents are themselves involved in crisis readiness planning either by participating at
the entity or department level or in an oversight or plan execution role. These participants were
asked about what the planning committee or team had done. The remaining respondents were
asked if they had seen any evidence of the crisis readiness steps being undertaken.
Approximately half of the respondents hold key C-Suite titles, board or senior executive roles at
the VP level or above. Overall, respondents hold a range of responsibilities in strategy,
compliance, ethics, risk management, assurance/audit, training/education, and crisis response.

Geographically, the location of participating organizations is widespread, with 44% in the U.S.
or Canada, 15% in Europe, 17% in Latin America, 13% in Asia, 9% in the Middle East and 3% in
Australia/New Zealand.
Industries are widely represented with the largest participation from Financial Services at 22%.
Other leading sectors include government, healthcare, manufacturing, and consulting.
Organizations of all sizes participated as well, with 22% having 5000 or more employees, 22%
between 1000 and 5000 employees, an 56% having fewer than 1000 employees.

1
The response totals for each question in the survey are included in Appendix A to this report.

©2020 OCEG 1
General Findings
An initial review reveals that a substantial number of respondents had undertaken most of the
key steps of crisis preparedness, with a drop off for the final steps of testing plan designs and
effectiveness or conducting drills to stress test the plans.

57.4% identified critical business objectives that must be addressed with crisis-
specific controls and measures in the case of a global crisis
63.2% outlined the various crisis risks that might impact each objective
72.7% identified crisis controls for each objective
73.9% identified roles responsible for each added control
68.4% prepared communications plans for each type of identified crisis
62.4% identified likely resource needs and pathways to gain resources
61.7% mapped objectives, crisis controls, ownership and information
51.6% planned for audit and testing of the plan designs for effectiveness
48.6% tested to demonstrate effective implementation of plans
50.7% conducted drills, tabletop exercises or simulations to stress test

The survey further reveals that most organizations have documented plans for remote work
and other workforce options, but many fewer have documented plans for financing options,
supply chain alternatives or surge capacity.

86.6% Remote work and other workforce option plans in place

53.0% Financing and insurance option plans in place
48.7% Alternatives in supply chain plans in place
39.8% Surge capacity for product/service demand plans in place
31.9% Surge capacity for call centers plans in place

When asked about their level of confidence, only 25% are very confident that their organization
had planned well for crisis readiness prior to the current pandemic. Only 36% feel very
confident that they have the resources to manage another global crisis in the next 24 months.

©2020 OCEG 2
While these general findings are in and of themselves interesting, a clearer picture of what
helps to drive effective crisis readiness planning emerges when we compare the outcomes for
those organizations that have integrated GRC capabilities across the enterprise against those
with largely siloed governance, risk management and compliance processes.

The Impact of Integrated GRC

Approximately 29% of the survey respondents indicate their organizations have well integrated
GRC processes and technology while approximately 20% indicate they are mostly siloed. The
remainder fall somewhere in between. For purposes of evaluating the impact of integrated GRC
on crisis readiness planning, we compared the two groups on the extremes. The outcome of
this comparison shows an overwhelming difference in crisis readiness planning maturity
between those with integrated GRC capabilities and siloed operations.
For each step outlined in the survey, those with well-integrated GRC capabilities are
substantially more advanced, and often twice as likely to have engaged in the needed activity.

1. Identified critical business objectives to address with crisis controls

Well Integrated 71% Siloed 36%
2. Outlined objective-related crisis risks
Well Integrated 78% Siloed 32%
3. Identified crisis controls for each critical business objective
Well Integrated 83% Siloed 53%
4. Identified roles for implementing and overseeing each control
Well Integrated 87% Siloed 47%
5. Prepared communications plans for each type of identified crisis
Well Integrated 76% Siloed 51%
6. Identified likely resource needs and pathways to gain resources
Well Integrated 73% Siloed 38%
7. Mapped objectives, crisis controls, ownership of each, and information flow
Well Integrated 83.8% Siloed 33.3%
8. Planned audit and testing of crisis plan design effectiveness
Well Integrated 69% Siloed 28%
9. Tested to demonstrate effective implementation of plans
Well Integrated 66% Siloed 19%
10.Conducted drills, tabletop exercises or simulations to stress test plans
Well Integrated 65% Siloed 23%

©2020 OCEG 3
These differences become even more stark when comparing respondents that indicated use of
integrated GRC technology to those using primarily manual methods (e.g. spreadsheets and
filesharing) to conduct needed processes.

1. Identified critical business objectives to address with crisis controls

GRC Technology 76% Manual 24%
2. Outlined objective-related crisis risks and organized by type
GRC Technology 78% Manual 22%
3. Identified crisis controls for each critical business objective
GRC Technology 83% Manual 17%
4. Identified roles for implementing and overseeing each control
GRC Technology 85% Manual 68%
5. Prepared communications plans for each type of identified crisis
GRC Technology 85% Manual 15%
6. Identified likely resource needs and pathways to gain such resources
GRC Technology 76% Manual 24%
7. Planned audit and testing of crisis plan design effectiveness
GRC Technology 78% Manual 22%
8. Planned audit and testing to demonstrate that the crisis plans are
effectively implemented
GRC Technology 75% Manual 25%
9. Tested to demonstrate effective implementation of plans
GRC Technology 77% Manual 37%
10.Conducted drills, tabletop exercises or simulations to stress test plans
GRC Technology 69% Manual 31%

Even beyond these comparisons, the use of integrated GRC technology also enhances
workforce visibility of crisis planning and increases confidence in that planning overall. Within
those organizations using integrated GRC technology, more have seen evidence of each step in
crisis planning (69% - 91% range) as compared to when manual methods are employed (19% -
51% range). When integrated GRC technology is used, 57% feel very confident in the crisis
planning to date and only 6% feel not at all confident, while those in places using manual
methods only 14% feel very confident and 23% are not at all confident.

Returning to the comparison between those with integrated GRC capabilities and those that are
siloed, confidence levels in readiness to address another crisis within the next 24 months are

©2020 OCEG 4
also far apart. While 64% of those with integrated GRC feel very confident, only 6% of those in
siloed operations feel the same way.

Conclusion
This survey identifies a clear relationship between having integrated GRC capabilities and
technology across the enterprise and having more active and mature crisis readiness planning
in place. It also establishes that those within such organizations have a vastly greater level of
confidence in the plans and state of readiness than those in siloed operations. But is this
indication of causation or only a correlation? The survey does not address this question directly
but it is fair to draw some assumptions and conclude that there is a level of causation and that
having mature GRC capabilities and technology architecture supports the ability to engage in
effective crisis readiness planning.
While it is reasonable to assume that those entities with more mature GRC are generally more
organized and oriented toward risk-based strategic planning and tactical execution – leading to
a conclusion of a correlation – it is also likely that those with such capabilities and technology
are using them to advance the crisis readiness planning process as well. With GRC integrated
throughout the enterprise, supported by a strong architecture of GRC technology, several key
steps in the crisis readiness planning process are already at least partially completed.
Key objectives and risks to them are already identified and this should include the various
global crisis risks and outcomes. Controls are mapped to identified risks and are “ready” to
implement when flagged changes in the external environment arise. Role assignments are
already well supported and are easily and automatically flagged for change when individuals
shift in roles or responsibilities. Communication flows are already established and adding new
messaging into these is easily supported. Mapping of everything from objective, to risks, to
controls, to roles, to communications is a central aspect of the integrated GRC capability and
technology. It is safe to say that this state of readiness and support likely is a significant
contributing reason for stronger crisis readiness planning.

©2020 OCEG 5
 APPENDIX A

©2020 OCEG 6
Report for OCEG Crisis Readiness Survey
2020 - All Responses

Response Counts
C o mpletio n Rate: 6 6 .3%

Complete 549

Partial 279

1. In general, how would you best describe your organization's level of integration of
processes and technology for governance, risk management and compliance?
30

20
Percent

10

0
Well integrated across Somewhat integrated Standardized processes We are mostly siloed in
the entity but only in some by and large but not yet processes and use of
departments, divisions using integrated GRC technology
or geographies technology
Value Percent Responses

Well integ rated across the entity 28.5% 230

Somewhat integ rated but only in some departments, divisions or 26.6% 215
g eog raphies

Standardized processes by and larg e but not yet using integ rated GRC 25.4% 20 5
technolog y

We are mostly siloed in processes and use of technolog y 19.5% 157

T o tals : 8 0 7
©2020 OCEG 1
2. Are you part of any committee or team in your organization that is responsible for
planning crisis readiness?
40

30
Percent

20

10

0
Yes for the entity Yes for a I have an oversight No, I have no No, we do not
department or or plan execution relationship to or have (or I am not
geography role detailed aware of) any such
knowledge about committee or team
our crisis
committee

Value Percent Responses

Yes for the entity 26.8% 219

Yes for a department or g eog raphy 11.8% 96

I have an oversig ht or plan execution role 12.9% 10 5

No, I have no relationship to or detailed knowledg e about our crisis 35.7% 291
committee

No, we do not have (or I am not aware of) any such committee or team 12.9% 10 5

T o tals : 8 16

2
3. Has your crisis readiness team outlined the various crisis risks that might impact
each identified critical objective and organized them by type (e.g. pandemic, war,
global technology interruption, etc.)
Value Percent Responses

Yes 63.2% 264

No 36.8% 154

T o tals : 418

4. Has your crisis readiness team identified any additional controls or measures for
each critical business objective that must be implemented in a crisis situation?
Value Percent Responses

Yes 72.7% 30 4

No 27.3% 114

T o tals : 418

5. Has your crisis readiness team identified roles or specific individuals responsible
for implementing and overseeing each added control or measure in a crisis?
Value Percent Responses

Yes 73.9% 30 9

No 26.1% 10 9

T o tals : 418

NOTE: questions 3-12 are answered only by those with a role in crisis
readiness and questions 13-21 are answered by those without such a role

©2020 OCEG 3
6. Has your crisis readiness team mapped the key objectives, related crisis controls
and measures, ownership of each, and information flow requirements to maintain a
clear overview of needs and responsibilities?

Value Percent Responses

Yes 61.7% 258

No 38.3% 160

T o tals : 418

7. Has your crisis readiness team prepared outlines of communications plans for
employees and various stakeholders to use in each type of identified crisis?
Value Percent Responses

Yes 68.4% 286

No 31.6% 132

T o tals : 418

8. Has your crisis readiness team identified likely resource needs and pathways to
gain such resources (e.g. surge capability, substitute suppliers, alternative methods
of delivery) in each type of crisis?
Value Percent Responses

Yes 62.4% 261

No 37.6% 157

T o tals : 418

©2020 OCEG 4
9. Has your crisis management team outlined and planned for audit and testing (or
other methods of assurance) to demonstrate that the design of your crisis plans is
effective to protect your objectives?

Value Percent Responses

Yes 51.6% 215

No 48.4% 20 2

T o tals : 417

10. Has your crisis management team executed or arranged for audit and testing (or
other methods of assurance) to demonstrate that the crisis plans are effectively
implemented?
Value Percent Responses

Yes 48.6% 20 3

No 51.4% 215

T o tals : 418

11. Has your crisis readiness team conducted any drills, tabletop exercises or
simulations to stress test your plans?
Value Percent Responses

Yes 50 .7% 212

No 49.3% 20 6

T o tals : 418

5
12. Please check all of the items that your crisis readiness team has considered and
developed documented plans for:

100

80

60
Percent

40

20

0
Alternatives in Remote work Surge capacity Surge capacity Financing and Other - Write In
supply chain and other for for call centers insurance
workforce product/service (for external options
options demand and internal
users)

13. Have you seen any evidence that any team or individual has been tasked with
identifying critical business objectives that must be addressed with crisis specific
controls and measures in the case of a pandemic or other global crisis scenario?
Value Percent Responses

Yes 59.9% 175

No 40 .1% 117

T o tals : 29 2

14. Have you seen any evidence that any team or individual was assigned
responsibility to outline the various crisis risks that might impact each identified
critical objective and organized them by type (e.g. pandemic, war, global technology
interruption, etc.)?

Value Percent Responses

Yes 55.7% 162

No 44.3% 129

T o tals : 29 1
6
15. Have you seen any evidence that any team or individual had identified any
additional controls or measures for each critical business objective that must be
implemented in a crisis situation, prior to the current pandemic?
Value Percent Responses

Yes 44.8% 130

No 55.2% 160

T o tals : 29 0

16. Have you seen any evidence that assignments have been made to individuals
responsible for implementing and overseeing each added control or measure in a
crisis?
Value Percent Responses

Yes 49.5% 143

No 50 .5% 146

T o tals : 28 9

17. Have you seen any evidence that any team or individual has mapped key
objectives, related crisis controls and measures, ownership of each, and information
flow requirements to maintain a clear overview of crisis needs and responsibilities?
Value Percent Responses

Yes 42.3% 123

No 57.7% 168

T o tals : 29 1

7
18. Have you seen any evidence that there are prepared outlines of communications
plans for employees and various stakeholders to use in each type of identified crisis?
Value Percent Responses

Yes 50 .9% 148

No 49.1% 143

T o tals : 29 1

19. Have you seen any evidence that a crisis readiness team or individual had
identified likely resource needs and pathways to gain such resources (e.g. surge
capability, substitute suppliers, alternative methods of delivery) in each type of
crisis?
Value Percent Responses

Yes 41.0 % 119

No 59.0 % 171

T o tals : 29 0

20. Have you seen any evidence that a team or individual has planned for or
conducted audit and testing (or other assurance methods) regarding
implementation of crisis plans?
Value Percent Responses

Yes 36.6% 10 6

No 63.4% 184

T o tals : 29 0

©2020 OCEG 8
21. Have you seen any evidence of a crisis readiness team conducting any
drills, tabletop exercises or simulations to stress test crisis plans?

Value Percent Responses

Yes 31.0 % 90

No 69.0 % 20 0

T o tals : 29 0

22. Are crisis management plans (and information relevant to the development of
such plans) maintained and communicated through an integrated GRC or
comparable system?
80

60
Percent

40

20

0
Yes No, we use manual methods I don't know
such as spreadsheets, email and
file sharing

Value Percent Responses

Yes 24.5% 150

No, we use manual methods such as spreadsheets, email and file 63.6% 393
sharing

I don't know 11.9% 73

Totals 616

9
23. Are different roles or individuals enabled to access the plans and other
documentation related to crisis readiness with specific access controls in place on a
need to know basis?
Value Percent Responses

Yes, access is on a defined need basis for each person 49.9% 176

No, anyone can access everything 10 .2% 36

No, only a few desig nated people can access and they can g et 34.6% 122
everything

I don't know 5.4% 19

T o tals : 353

24. Are workforce communications and training distributed, tracked and supported
by an integrated GRC technology?
Value Percent Responses

Yes 23.0 % 141

No, we use manual methods such as email, spreadsheets and file 64.9% 397
sharing

I don't know 12.1% 74

T o tals : 6 12

10
25. Is information about external or internal changes or events that may affect the
response in a crisis collected within an integrated GRC technology to enable
notifications and control evaluation?

Value Percent Responses

Yes 20 .6% 126

No, we use manual methods to track and respond to chang es and 64.9% 397
events

I don't know 14.5% 89

T o tals : 6 12

26. Does your organization use any integrated GRC technology or other similar
system to collect and analyze data regarding a crisis as it progresses and ensure
appropriate controls and measures are effective?
Value Percent Responses

Yes 21.7% 133

No 60 .9% 373

I don't know 17.3% 10 6

T o tals : 6 12

27. Has the current pandemic revealed a need for improving technology resources
for predicting and managing a crisis?

Value Percent Responses

Yes 65.4% 40 0

No 19.6% 120

I don't know 15.0 % 92

T o tals : 6 12

©2020 OCEG 12
28. How confident are you that your organization planned well for crisis readiness in
general prior to the current pandemic?

Value Percent Responses

Very 24.9% 150

Somewhat 55.7% 336

Not at all 19.4% 117

T o tals : 6 0 3

29. How confident are you that your organization has the resources (people,
technology and other) in place to manage another global crisis like the current
pandemic if it were to arise within the next 24 months?
Value Percent Responses

Very 36.0 % 217

Somewhat 52.4% 316

Not at all 11.6% 70

T o tals : 6 0 3

30. Is your organization currently engaging in crisis readiness planning for future
events (or planning to do so within the next six months)?

Value Percent Responses

Yes 50 .3% 299

No 23.2% 138

I don't know 26.4% 157

T o tals : 59 4

13
31. Is your organization planning to acquire new technology to better plan for and
manage crises that may arise in the future?
10% Yes within 6 months

37% I don't know

20% Yes within 6-18 months

9% No, we already have strong

GRC technology to use

25% No

Value Percent Responses

Yes within 6 months 9.6% 57

Yes within 6-18 months 19.9% 118

No, we already have strong GRC technolog y to use 8.8% 52

No 25.1% 149

I don't know 36.7% 218

T o tals : 59 4

15
32. Do you have a role in decisions about acquiring or re-purposing technology to
support crisis readiness planning and/or response management?

9% Yes, I am a primary decision-

maker

19% Yes, I am part of a

committee making decisions
46% No I don't have such a role

26% Yes, I provide input to the

decision-makers

Value Percent Responses

Yes, I am a primary decision-maker 8.6% 51

Yes, I am part of a committee making decisions 19.4% 115

Yes, I provide input to the decision-makers 26.1% 155

No I don't have such a role 45.9% 272

T o tals : 59 3

16
33. What is the size of your organization in employees?

Value Percent Responses

1 - 50 0 45.3% 252

50 1 - 1,0 0 0 11.0 % 61

1,0 0 1 - 2,50 0 11.5% 64

2,50 1 - 5,0 0 0 9.9% 55

5,0 0 1 - 10 ,0 0 0 6.8% 38

10 ,0 0 1 - 25,0 0 0 6.3% 35

25,0 0 0 + 9.2% 51

T o tals : 556

17
34. In what aspect or business unit of the organization do you work? Select only
those which represent your department and/or primary role. For example, if you are a
CFO select both Executive Management and Finance. (In the next question, you will
be asked more about your primary responsibilities in certain areas.)

Value Percent Responses

Board Member 8.3% 46

CEO or Chief Operating Officer 8.5% 47

Internal Audit 23.2% 129

Business Continuity 13.7% 76

Communications/Chang e Manag ement 4.9% 27

Corporate Compliance & Ethics 19.3% 10 7

Corporate Risk Manag ement 27.9% 155

Corporate Social Responsibility/Sustainability 3.1% 17

Enterprise Architecture 4.1% 23

Environmental, Health & Safety 3.1% 17

Finance 20 .9% 116

Human Resources 4.3% 24

Information T echnolog y 14.2% 79

Leg al 5.6% 31

Quality 5.8% 32

Security (IT ) 9.2% 51

T hird Party Manag ement 5.0 % 28

Other 12.1% 67

18
35. Do you have any of the following responsibilities within your business unit? For
example, you may have selected IT as your business unit but your own role may have
substantial compliance responsibilities. Select all that represent significant
responsibilities you hold.

Value Percent Responses

Strateg y 38.4% 213

Compliance 57.7% 320

Ethics 27.2% 151

Risk Manag ement 58.2% 323

Assurance/Audit 41.8% 232

T raining /Education 26.3% 146

None of these 8.1% 45

Crisis Response 24.7% 137

Other 10 .1% 56

19
36. In what region is your organization domiciled?

Value Percent Responses

United States or Canada 44.4% 246

Latin America 16.6% 92

Europe 14.6% 81

Asia 12.6% 70

Middle East 8.8% 49

Australia/New Zealand 2.9% 16

T o tals : 554
37. What is your organization's primary industry?
Value Percent Responses

Accounting 3.2% 18

Business / Professional Services 6.3% 35

Consulting 9.0 % 50

Education 4.3% 24

Finance / Banking / Insurance 21.9% 122

20
Value Percent Responses

Government / Military 6.7% 37

Healthcare / Medical 4.9% 27

Manufacturing 7.2% 40

Non-Profit 3.6% 20

Other 7.0 % 39

Advertising 0 .4% 2

Aerospace / Aviation 1.4% 8

Ag riculture / Forestry / Fishing 0 .7% 4

Biotechnolog y 0 .9% 5

Communications 0 .5% 3

Construction 2.2% 12

Eng ineering / Architecture 2.3% 13

Entertainment / Recreation 0 .9% 5

Food Service 1.3% 7

Hospitality 1.1% 6

Internet 0 .4% 2

Leg al 0 .9% 5

Log istics/T ransportation 2.0 % 11

Mining 0 .9% 5

Oil/Gas 1.4% 8

Pharmaceutical / Chemical 0 .2% 1

Real Estate 1.8% 10

T o tals : 556

21
 Value Percent Responses

Retail 0 .9% 5

T elecommunications 2.9% 16

Utilities 2.0 % 11

Wholesale 0 .9% 5

T o tals : 556

38. Are you involved in any of the following activities on an entity-wide basis? Select
all that apply

Value Percent Responses

Enterprise Strateg y 29.2% 162

Enterprise Compliance Manag ement 38.8% 215

Enterprise Ethics Manag ement 19.7% 10 9

Enterprise Risk Manag ement 48.6% 269

Enterprise Business Continuity 29.8% 165

Internal Audit 34.7% 192

None of these 18.2% 10 1

Other 7.2% 40

22