Companies need useful information to stay abreast, if not ahead, of critical issues looming on the horizon and to prepare for potential opportunities and adverse scenarios. The third annual Executive Perspectives on Top Risks survey, published by Protiviti and North Carolina State University’s ERM Initiative last month, provides just such intelligence. I’d like to highlight the key findings once again because they are informative of the perspectives at the top and the direction in which executives are likely to direct risk management inquiries, effort and resources in the near future.
Globally, more than 275 board members and executives from a variety of industries participated in the survey, which was conducted in person and online in the fourth quarter of 2014. Each participant was asked to rate 27 risks of macroeconomic, strategic and operational nature and assess their potential impact over the next year.
Top issues? Regulatory scrutiny, economic uncertainty, and cyberthreats – not a great surprise.
Interesting among the key findings is an overall perception, based on survey results, that the global business environment in 2015 is somewhat less risky compared to the past two years. This, however, doesn’t diminish the significant risks that exist today – or the need for vigilance. Respondents indicated increased likelihood in 2015, compared to both 2014 and 2013, for their organizations to invest additional resources toward risk management, reflecting a rise in expectations for more effective risk oversight.
The top five risk concerns for 2015, according to the survey, are:
- Regulatory change and heightened regulatory scrutiny – This continues to be the top overall risk for the third consecutive year for most organizations.
- Economic conditions in domestic and international markets – While stabilized at 2014 levels, this risk is again highly ranked as uncertainty still exists.
- Concerns about cyberthreats disrupting core operations – With little surprise, this risk is now a top-five concern for 2015, as well as the top operational risk overall and for the largest organizations.
- Succession challenges and the ability to attract and retain talent – This risk made the top-five risk list for all sizes of organizations. This is likely due to a tightening labor market and a resulting perception among respondents that their organizations might experience significant operational challenges if they can’t attract and retain a workforce with the skills needed for growth.
- Organization’s culture not supporting timely risk identification and escalation – This risk was introduced in the survey this year and was recognized as a top-five risk concern right away.
Other critical risks outside of the top five – but trailing closely – included:
- Lack of resilience – Resistance to change may restrict an organization from making necessary adjustments to its business model and core operations.
- Privacy and security risk – Ensuring privacy/identity management and information security/system protection may require significant resources.
- Inability to manage a crisis – Organizations may not be sufficiently prepared to manage an unexpected crisis significantly impacting their reputations.
- Customer loyalty/retention risk – Sustaining customer loyalty and retention may be increasingly difficult due to evolving customer preferences and/or demographic shifts in the existing customer base.
- Performance gap risk – Existing operations may not be able to meet performance expectations related to quality, time to market, cost and innovation as well as competitors do.
One interesting fact the survey revealed is that board members, CEOs and other members of the executive team hold differing views of the top risks facing their organizations. These findings suggest there is a strong need for dialogue among key stakeholders to ensure there is agreement within the organization about the emerging risks that need to be tackled.
To evaluate their risk assessment process effectively, leaders of organizations need to ask themselves questions such as:
- Is management evaluating changes in the business environment to identify new risks?
- Is the board sufficiently involved and aware of the most critical risks?
- Are risks evaluated in the context of strategy and are they a key consideration in decision-making?
- Does the organization’s risk culture encourage an open, positive dialogue on identifying and evaluating opportunities and risks?
Indeed, asking the right questions in a timely and periodic manner is the central difference between organizations that implement a proactive approach to risk management and those that respond with too little, too late in the face of impending disaster.