Blog
Some security incidents are complex. The Vercel incident is more troubling because it was predictable. The attackers did not exploit a procurement gap. They exploited a definition gap. Here’s what happened. A Vercel employee signed up for Context.ai’s AI Office Suite using a corporate Google account and clicked something effectively equivalent to “Allow All,” granting […]
Blog
Over the past five years, security and risk (S&R) professionals have experienced a flood of new cybersecurity regulations, with 170 countries now boasting cybersecurity and data protection laws. Leaders are left to decide which regulations apply, identify gaps, and implement controls — an onerous task as regulatory volume and the pace of change accelerate. Manual […]
Blog
For many B2B leaders, volatility no longer feels like an interruption to “normal.” It is now the standard operating environment. Economic uncertainty, geopolitical shocks, AI-driven disruption, and shifting buyer behavior are colliding, exposing weaknesses in traditional go-to-market models and leadership assumptions. The good news? Volatility can benefit those who adapt faster, focus harder, and lead […]
Blog
In musical notation, “al niente” means fading until the sound is barely perceptible, usually to close a significant piece of music, such as Tchaikovsky’s reflective and somber sixth symphony. And that is how the cybersecurity risk ratings market is likely to proceed over the coming months. Ratings will not fade away to nothing […]
What is risk management?
Risk management is the ongoing practice of identifying, assessing, and responding to uncertainty that could affect an organization’s objectives or value. It spans strategic, operational, financial, technology, and security risks and helps leaders balance potential reward with acceptable levels of exposure.
How does risk management relate to security and risk?
Risk management provides the context for security decisions by treating threats as business risks, not just technical issues. It helps organizations prioritize security investments, integrate controls into governance, and ensure that protection efforts align with enterprise goals and risk tolerance.
What types of risk information should leaders monitor?
Leaders should monitor both quantitative metrics, such as likelihood, impact, and exposure, and qualitative signals like regulatory change, market shifts, and stakeholder sentiment. Tracking trends and emerging risks enables earlier action and better-informed strategic decisions.
What challenges do organizations face in implementing risk management?
Organizations often struggle with fragmented ownership, inconsistent data, and limited visibility across risk types. Siloed teams and immature governance can slow response and undermine confidence. Effective risk management requires coordination, clear accountability, and continuous adaptation as conditions change.
How does Forrester support clients in risk management?
Forrester helps leaders translate risk insight into better decisions. Through research, models, and advisory support, we guide organizations in maturing risk practices, aligning risk with strategy, benchmarking capabilities, and using risk management to enable growth rather than simply limit exposure.
Blog
In 1929, astronomer Edwin Hubble discovered something unsettling. The universe isn’t static; it’s expanding everywhere, simultaneously, at every scale. His simple equation (Hubble’s law) shows that galaxies are accelerating away from each other, and the farther they are, the faster they recede. Eventually, galaxies become so distant that they cross our observable horizon entirely — […]
Blog
What do the Monopoly man’s monocle, the Fruit of the Loom cornucopia, and “Luke, I am your father” have in common? None of them actually exist the way you remember. That glitch is the Mandela effect, a collective misremembering of facts or events, and it is the same mental bug that convinces executives that their […]
Blog
Security leaders entered 2026 with little expectation that uncertainty will ease … ever. Economic pressure, geopolitical instability, accelerating artificial intelligence adoption, and renewed technology consolidation have turned volatility into a structural condition rather than a temporary disruption. This is life now, and CISOs are being asked to move faster, support aggressive AI initiatives, and protect […]
Blog
A formidable challenge awaits security leaders as personal tools like Moltbot spread. AI butlers are the next shadow super-user.
Blog
I kicked off 2026 by attending CES for the first time, and I can confirm that everything you’ve heard about this event is true. CES is massive. It’s sprawling. The scale was equal parts energizing and overwhelming — but once I got past the sensory overload, clear and meaningful signals started to emerge. Beneath the […]
Blog
For those of us of a certain generation, “Black Friday” invokes memories of the Cabbage Patch Kid riots of 1983.
Blog
Governance, risk, and compliance (GRC) platforms are officially old enough to be in grad school. In our 2023 market evaluation, GRC technology turned 20 years old but was still figuring out what it wanted to be when it grew up.
Blog
Some of the biggest online platforms in the world were recently knocked offline by an automatically generated configuration file that grew too large. In a world plagued by security threats, operational failures can still happen even in your favorite cloud service. Find out why and how to reduce your risk.
Blog
The infrastructure landscape is at a crossroads. As AI agents and automation reshape business operations, traditional infrastructure — often rigid, slow, and siloed — can no longer keep pace with the demands of modern enterprises. Learn how Forrester's new OASIS Framework for outcome-driven infrastructure platforms can provide the vision for how technology leaders should build infrastructure for the agentic AI era.
Blog
At its core, California’s new AI law requires safety protocols, best practices, and key compliance policies, but it stops short of prescribing risk frameworks and imposing legal liabilities. Here’s a closer look at what’s in SB 53.
Blog
The Louvre heist is a mirror for today’s governance, risk, and compliance gaps. Recognizing these blind spots can transform your enterprise risk efforts from decorative to defensive art. Find out how.
Blog
Chief risk officers (CROs) are navigating a risk landscape that’s more volatile, fragmented, and tech-driven than ever. Yet many CROs still rely on advice from risk consulting services providers that remain stuck in the audit-compliance cottage industry of yesteryear and are only slowly stirring into action. Learn how to select the right risk consulting provider for your organization in this preview of a new report.
Blog
AEGIS is not just another acronym — it’s now a fully cross-referenced, regulation-aware blueprint for building trust in AI systems.
Blog
The fourth outage in five years for AWS’s US-East region was traced to DNS resolution failures that affected many core services. Find out what you should do from both the technology and the supplier risk management side to improve your cloud resilience.
Blog
Zero Trust without real-world testing is a false sense of security. Learn how MITRE ATT&CK-driven adversarial trials turn Zero Trust from theory into proof.
Blog
The Netherlands placing Chinese-owned chipmaker Nexperia under ministerial oversight is a sign that Europe has crossed from passive screening to active control to keep IP and capacity in-region. Find out what this means for CISOs and risk leaders and what steps to take next.