A recent survey of director and C-level executives divulged the risks that their organizations face in the upcoming year. The top ten common risk themes are ranked in order of priority below.
Protiviti and North Carolina State University’s ERM Initiative have completed our sixth annual survey of directors and C-level executives regarding the risks their organizations face. Some 728 C-level executives and directors participated in this year’s global study, providing perspectives about the potential impact in 2018 of 30 specific risks across three dimensions:
- Macroeconomic risks likely to affect their organization’s growth opportunities
- Strategic risks the organization faces that may affect the validity of its strategy for pursuing growth opportunities
- Operational risks that might affect key operations of the organization in executing its strategy
The respondents rated the impact of each risk on their organization over the next 12 months using a 10-point scale, where 1 reflects “No Impact at All” and 10 reflects “Extensive Impact.” For each of the 30 risks, we computed the average score reported by all respondents and rank-ordered the risks from highest to lowest impact. We also grouped risks based on their average into one of three classifications – 6.0 or higher as “significant impact,” 4.5 through 5.99 as “potential impact” and 4.49 or lower as “less significant impact.”
The study revealed significant issues and priorities that varied by industry, executive position and company size and type, providing interesting insights into changing risk profiles across different regions of the world. Consistent with prior years, there is variation in views among directors and C-suite executives regarding the magnitude and severity of risks for the year ahead relative to prior years. Compared to C-level executives, board members see a riskier environment for 2018, reporting the highest increase in concern relative to their views in the prior year.
Overall, the survey respondents indicated that the overall global business context is slightly less risky in 2018 relative to the two prior years, with respondents in all regions of the world sensing a slight reduction in the magnitude and severity of risks on the horizon in 2018 compared to 2017. Interestingly, respondents indicated that they are likely to devote additional time or resources to risk identification and management over the next 12 months. The overall reality of the riskiness of the global business environment continues to motivate boards and executives to continue their focus on effective risk oversight and management.
While respondents indicated slightly less concern about the overall magnitude and severity of risks for 2018 relative to the two prior years, there are noticeable shifts in what constitutes the top 10 risks for 2018 relative to last year. Two new risks moved into the top 10 for 2018 that were not among the top risks for 2017. Interestingly, concerns about the economy and regulatory scrutiny, which have been the top two risk concerns for the past several years, fell deeper among the top 10 list for 2018. Those risks were topped by concerns related to the rapid speed of disruptive change impacting business models, and concerns over organizational resistance to change restricting efforts to make the necessary adjustments to the business model.
There is even greater concern about operational risk issues, with seven of the top 10 risks representing operational concerns (last year, five of the top 10 related to such issues). Two of the top 10 risks relate to strategic risk concerns, with only one of the top 10 related to concern about macroeconomic risks. This year’s emphasis on operational risks is consistent with our results in the previous two years.
We ranked the common risk themes in order of priority. This summary provides a context for understanding the most critical uncertainties companies are facing as they move forward into 2018:
1. Rapid speed of disruptive innovations and/or new technologies.
With advancements in digital technologies and rapidly changing business models, respondents are focused on whether their organizations are agile enough to respond to sudden developments that alter customer expectations and require a change to their core business models. For most large companies today, it’s not a question of if digital will upend their business, but when. Even when executives are aware of emerging technologies that obviously have disruptive potential, it is not easy to correctly anticipate the nature and extent of change and then decide how to act on that vision.
2. Resistance to change.
Coupled with concerns about the emergence of disruptive innovations, respondents also highlighted a cultural concern related to overall resistance to change within the organization that could restrict it from making necessary adjustments to the business model and core operations. This risk and the risk of disruptive change create a conundrum. On the one hand, there is concern about inevitable disruptive change and, on the other hand, a fear the enterprise will not be agile and resilient enough to adapt to that inevitability. That’s why organizations committed to continuous improvement and breakthrough change are more apt to be early movers in exploiting market opportunities and responding to emerging risks.
3. Managing cyber threats.
Threats related to cybersecurity continue to be of concern as respondents focus on how cyber incidents might disrupt core operations. To no one’s surprise, this risk continues to be one of the most significant top operational risks overall. It is listed among the top five risks in each of the four size categories of organizations we examined. Both directors and CEOs rated this risk as their No. 2 overall risk concern. Cyber risks continue to be a moving target as cloud computing adoption, mobile device usage, creative applications of exponential increases in computing power and innovative IT transformation initiatives constantly outpace the security protections companies have in place.
4. Regulatory change and heightened regulatory scrutiny.
Regulatory risk, which has been one of the top two risk concerns in all prior years that we have conducted this survey, dropped to fourth on the list for 2018. However, it is still a major concern for executives. In fact, 66 percent of our respondents rated this risk as a “Significant Impact” risk. Therefore, the drop in this risk’s position on the 2018 list is more a result of greater concern over the top three risks.
5. The organization’s culture may not encourage the timely escalation of risk issues.
This issue, coupled with concerns over resistance to change, can be lethal if it results in the organization’s leaders losing touch with business realities. If there are emerging risks that have the potential to significantly affect core operations and achievement of strategic objectives and the organization’s leaders are not aware of them, the entity has a problem. The collective impact of the tone at the top, tone in the middle and tone at the bottom on risk management, compliance and responsible business behavior has a huge impact on the timely escalation of risk issues, particularly those affecting core business processes.
6. Succession challenges and the ability to attract and retain top talent.
Likely triggered by a tightening labor market, this risk is especially prevalent in the consumer products and services, healthcare and life sciences and energy and utility industries. Respondents are concerned that significant operational challenges may arise if their organization is unable to sustain a workforce with the skills needed to implement demanding growth strategies. To thrive in the digital age, organizations need to think and act digital, requiring a different set of capabilities and strengths. This risk indicates that directors and executives believe their organizations must up their game to acquire, develop and retain the right talent. The point is clear: In the digital age, the organizations that win the war for talent win the game.
7. Privacy/identity management and information security risks.
The presence of this risk in the top 10 is somewhat expected given the increasing number of reports of hacking and other forms of cyber intrusion that compromise sensitive personal information. As the digital world evolves and enables individuals to connect, exchange and share information, it presents fresh exposures to sensitive customer and personal information and identity theft, as well as concerns as to whether sufficient resources are being deployed to address them.
8. Economic conditions.
Survey respondents are not as concerned about economic conditions in domestic and international markets restricting growth opportunities in markets their organizations currently serve as they were in prior years. This risk is the only macroeconomic risk included in the top 10 risk list, suggesting respondents seem more positive about macroeconomic issues, and specifically the economy, for 2018 relative to the past several years.
9. Inability to utilize data analytics and “big data.”
The final two risks are new to our top 10 list. Respondent concerns are growing regarding their company’s ability to harness the power of data and advanced analytics to obtain market intelligence, increase operational productivity and efficiency and achieve competitive advantage. They sense that other organizations may be able to capture intelligence that allows them to be more nimble and responsive to market shifts and changing customer preferences than their company. In the digital age, knowledge wins and advanced analytics are the key to unlocking the vital insights that can differentiate companies in the marketplace.
10. Our existing operations may not be able to meet performance expectations related to quality, time to market, cost and innovation as well as our competitors.
While this risk applies to any competitor with superior operations, it is especially heightened by the concern that new competitors that are “born digital” and have a low-cost base for their operations may be able to leverage digital capabilities that allow them to introduce new business models more cost-effectively. Hyperscalability of digital business models and lack of entry barriers enable new competitors to emerge and scale very quickly in redefining the customer experience, making it difficult for incumbents to see it coming, much less react in a timely manner to preserve customer loyalty.
Our prior year survey saw an increase in all of the top 10 risks from 2016 to 2017. This year, the respondents rated seven of the top 10 risks higher for 2018 relative to the 2017 ratings, with three of the top 10 risks rated lower for 2018 relative to 2017. This suggests a potential shift in views about the relative riskiness of 2018 compared to 2017.
The above results are global, as 46 percent of the respondents represented companies based in North America and 45 percent were distributed across Europe and the Asia-Pacific region. Across regions, the strategic threat from the rapid speed of disruptive innovations and the operational threat from resistance to change appear to be at the forefront for executives all over the world. But there are differences across regions:
- North American respondents were the only ones to identify cyber threats and succession challenges and the ability to attract top talent as top five risks. Regarding cyber threats, attacks on high-profile companies continue to dominate the headlines in the United States. Talent acquisition and retention have also been a priority in North America for years as the population ages.
- European-based organizations’ top five risks were dominated by macroeconomic risks, with three of the top five risks from that category. For example, the concern over low fixed interest rates is the region’s top concern, perhaps due to central banks transitioning away from the accommodative policies of the past.
- Respondents from the Asia-Pacific region were the only geographic group to identify the risk of uncertainty surrounding key suppliers as a top five risk. Developed at a time when product innovation was slower and forecasting and demand planning capabilities were much less robust than they are today, supply chains in many Asian companies are based on a low-cost model that does not support present-day growth imperatives.
The overall message of this year’s study is that the rapid pace of change in the global marketplace provides a risky environment for entities of all types to operate. The unique aspect regarding disruptive change is that it represents a choice: Which side of the change curve do organizations desire to be on? Does the organization seek to be the disrupter and try to lead as a transformer of the industry? Or, alternatively, does it play a waiting game, monitor the competitive landscape and react only when necessary to defend market share? For those organizations choosing not to be proactive in disrupting the status quo, their challenge is to be agile enough to react quickly as an early mover. Our experience is that not enough organizations are.
The board of directors and executive management may want to consider the above risks in evaluating their risk oversight focus for the coming year in the context of the nature of the entity’s risks inherent in its operations. If their companies have not identified these issues as risks, directors and executives should consider their relevance and ask why not.Conselium Executive Search, the global leader in compliance search.