Podcast | Executive Perspectives on Top Risks for 2024 and a Decade Later – with Mark Beasley and Jim DeLoach

Kevin Donahue: This is Kevin Donahue, a senior director with Protiviti, welcoming you to a new edition of Powerful Insights. Protiviti and NC State University’s ERM Initiative have conducted the 12th annual Executive Perspectives on Top Risk Survey, in which we poll board members and executives around the world on the risks they see as most significant for their organisations over the next 12 months and the next 10 years. I had the pleasure of speaking with Mark Beasley, professor and director of the ERM Initiative at NC State University, as well as Jim DeLoach, managing director with Protiviti, about some of the key findings and themes that came out of the results. Let’s go right to that conversation.

Jim, it is great to speak with you. Thanks for joining me.

Jim DeLoach: Glad to be here. Thank you, Kevin.

Kevin Donahue: And Mark, once again, great to talk with you. Thanks for being here.

Mark Beasley: Thanks for the opportunity. I look forward to it.

Kevin Donahue: Mark, to get us started, can you give us an overview of our study this year, how we conducted it and the intention behind us conducting this research?

Mark Beasley: Absolutely. I’m excited about this year’s survey. This is our 12th annual survey where we’ve asked executives around the globe what their concerns are when they think about risk for the upcoming year, in this case 2024, and then looking at the long-term view a decade later. I’m excited to report that we had 1,143 executives — and that includes some board members too — provide their perspectives of what they see as the top risk on the horizons for next year and a decade out.

This is a global survey, and we asked each of those executives to look at and rate the significance of 36 risks. Those 36 risks are spread across three categories: macroeconomic issues, strategic issues and operational issues. We used a methodology consistent with all the other prior years where we’re looking at the average score for those 36 risks across all the respondents and they rated them on a 10-point scale, one being this is not a concern at all to 10 being a very significant concern for next year or a decade later. That allows us to rank-order the risk and get a sense for what is on the minds of the executives. We’re able to then provide a lot of sub-analysis, in addition to the full study, looking at it across different sizes of organisations, looking at it across different industries, different geographies where they’re based, as well as different positions — whether they be board members, CEOs, CFOs, etc. It allows us to have a rich set of a lot of different perspectives of what they see as issues that organisations that they work with are facing, both in the short term and the long term.

Kevin Donahue: Thanks, Mark. As we dive into our results, I know one thing we see consistently is differences between these groups and how they view the risk environment. That’s something that we found our audience is truly gravitating toward. In our study this year, we talk about a lot of things, and we could spend the next couple of hours going into those. We’re not going to do that. But what I thought I’d do is focus on several major themes that emerged from the results. One of those is the economy and inflation — no surprise, the top risk issue for the coming year, 2024. Mark, what did you see in some of these findings, and what did they tell you based on what you’re also hearing from organisations out there in the market?

Mark Beasley: As you noted, concerns about the economy, but particularly inflation, is the number one risk concern for next year. And it has been pretty much in the top 10 for most of the years we’ve done this study, and last year it was number two, but it moved into the number one position, and there are concerns about inflation and where the economy is going. Everybody’s still wondering, “Is the recession shoe going to drop?” And that uncertainty is just creating a lot of angst among the executives that responded.  
We got that consistency of response when you look at it across the different ways we analyse this. It’s a top five risk issue for all sizes of organisations that we looked at. It’s a top five risk if you look at what a board member is worried about, what a CEO is worried about, what a CFO is worried about. Except for a couple of positions, it was with the chief strategy officer, chief digital or data officer, where it didn’t make the top five, but it’s in the top five for most everybody else. It was in the top five for every industry group except for energy and, say, government.

It’s a concern at a “Significant Impact” level, which is the highest level of concern, particularly for financial services and consumer products and healthcare. It’s a consistent sort of rating — it doesn’t matter how you slice-and-dice it for that number one.

It’s important also to take a look at the top 10 for 2024. While this is the number one risk, there are a couple of other macroeconomic concerns tied to the current interest rate environment, as well as increasing labor costs. When you look at the economy, particularly inflation, it’s hitting the number one position. But in the top 10 are a couple more macroeconomic-related issues, suggesting an overall concern about where we’re going from an economic perspective. It’s also interesting that that particular risk, the number one risk, still hangs in there for the long term. This is not something that they think is going away in the near term. It’s a 2034 top 10 risk as well. Clearly, concerns about the economy are my conclusion from what we’re seeing.

Kevin Donahue: To confirm for our audience, the top rated risk for 2024, I think it was the seventh-highest rated risk looking out to 2034. Jim, I want to get your thoughts on the economic concerns — what companies are seeing. What are your views on how companies are looking at this and planning for it over the next 12 months?

Jim DeLoach: From the economy standpoint, the word I would add to it is uncertainty. It’s hard to find anyone out there that really has a clear view as to where the economy is going. Recently, it seems that inflation may be cooling, but there’s a lot of potentially different scenarios out there. As a result of that, companies and organisations had best take a multiple view of the future, looking at potentially different scenarios and reality-testing their strategies against those scenarios. That’s the best way to play it — given the uncertainty, using scenario analysis and looking at potential contingency response plans in the event that the economy takes an unexpected nosedive because things are still fragile and events could trigger further uncertainty.

For example, if the war in the Middle East were to expand uncontrollably, there are views out there that oil prices will soar and we’ll be right back to where we are now with respect to inflation. It’s important to keep an open eye and a focus on multiple scenarios and be prepared in the event those scenarios should arise.

Kevin Donahue: Thanks, Jim. We will be talking a little bit more about the geopolitical landscape in a minute. Jim, I want to ask you about another major theme out of our results — arguably, the risk that stands out more than any other when you look at both the next 12 months and next 10 years, and that risk is cyber threats. There are a huge number of concerns there, especially looking a decade out, when it’s the top ranked risk. What did these results tell you?

Jim DeLoach: Mark and I and the other co-authors concluded that cyber threats arguably stand out as the most significant risk issue for boards and C-suite leaders when assessing both near- and long-term outlooks. For the next decade, interestingly, cybersecurity jumped from the 13th-ranked risk in last year’s study to the top-ranked risk looking out 10 years. And for this period, the risk rating for cyber threats increased by more than 11%, by far the largest risk-rating increase noted in our survey. Cyber concerns are also elevated near-term, jumping from the 15th-ranked risk in last year’s survey to the third-ranked risk this year looking at 2024.

As I look at this elevated risk, cybersecurity concerns reflect growing recognition of the complex cyber risk landscape that is impacted by the exponential curve of technological advances, specifically considering the significance with which boards and C-suite leaders view this risk over the next 10 years. It’s possible that technologies such as artificial intelligence, the cloud and even the anticipated emergence of quantum computing, and how organisations will secure their data and operations in a post-quantum world, are raising significant security-related questions and concerns in the boardroom and the C-suite.

But there are, as we concluded, looking at the data, other forces such as increased reliance on third parties and geopolitical tensions, which Mark will talk about in a moment, that also are contributing to the threat landscape. Regarding the geopolitical picture, competing national interests, nation-state territorial aspirations and global terrorism are powerful forces that can affect the cybersecurity risk assessments in particular regions and countries.

Mark Beasley: Jim, you’re highlighting one of the themes that is important for everybody to realise — the interconnectivity of all these risks. You’re highlighting cyber, particularly where its position is number three in the top 10 for next year and number one for a decade out, but you’ve connected it to the other drivers of some of these risks. When you look at the geopolitical issues, there’s a need for a lot of organisations to be more digitally savvy and to embrace innovation, particularly when you see long-term, there’s going to be more and more dependency on technology, which just increases the exposure. You have to look at other risks. The concern that we need to be more digital means I’m now going to increase the cyber issue.

Another related one in the top 10 for next year is number five, a heightened concern about regulatory scrutiny. Here within the United States, particularly, you now have enhanced disclosure requirements for public companies to announce if there’s been an event within a very short window of time. You’ve got a cyber risk concern and now a new regulation that’s heightened. Those both are coming together, and they’re both in the top 10. That’s why you have to look at these from a portfolio perspective, or you’ll miss some of the important connections that are important to realise.

Jim DeLoach: The SEC’s new cybersecurity disclosure requirement, particularly the disclosure of incidents that arise that are deemed material, certainly adds to the assessment issues that companies face when they’re looking at the cybersecurity picture.

Mark Beasley: We’re going to touch a little bit more on the talent side and the labor side, but part of the concern is “I don’t have the right talent to do some of these digital things, which means I may not have the right talent to help protect me.”

Kevin Donahue: We will touch on talent in a minute. Let’s get to this next topic on my list, the geopolitical landscape. Mark, this has already come up a bit in our discussion, but I want to have you touch on what you are seeing in terms of trends driving some of the results from a geopolitical perspective. And I’ll tee this up by saying that in our survey, the events in the Middle East certainly drove some differences in our results where we saw significant jumps in scores in many risks after October 7, when events erupted in Israel and Gaza. As you said, other issues related to geopolitics are driving some changes here. I want to have you comment on this and what you’re seeing. 

Mark Beasley: The unfortunate events of this fall in the Middle East have put the geopolitical risk on everybody’s radar. Although it was already there, it heightened it because of the situation in Ukraine. We already had that in play last year, and that’s continued to be a concern. Then, with the situation in the Middle East, it got that attention even higher. We definitely saw the risk related to geopolitical concerns move up from last year. Last year, it was like in the 28th position. It’s now 20th out of the 36 risks. It did not make the top 10, interestingly.

However, as you noted, we had the survey running during that period, so we’ve done an analysis: What we did observe after October 7, as you noted, was a real bump up in perspectives on a number of risks for those responding after October 7, particularly dealing with the geopolitical concern, but also economic concerns related to inflation, cyber threats. Jim already talked about the connection between geopolitical and cyber that was revealed, and that was a higher-rated risk after October 7, as well as the third-party risk concern. The events in Israel and Gaza are on the radar, and it’s affecting how they’re looking at risk. Before October 7, none of the 36 risks were at what we call the Significant Impact level.

But the post–October 7 ratings, we had a number of that moved into that space, suggesting that the recent events have really caused pause, and, interestingly, that continues for the decade-out view. People are looking at the current environment that we’re seeing ourselves in. You’ve got the background of Europe with Ukraine and Russia. Now we have the Middle East issue, but lurking back there on everybody’s mind is China, Taiwan and what might happen with the uncertainties surrounding Asia. That then gets into concerns about third-party sourcing, supply chain issues, the economy. Geopolitics is a common theme that’s bumping up some of these other concerns.

Jim DeLoach: This is one of the most fascinating topics of the entire discussion, because today’s companies operate in a highly interdependent and competitive global marketplace in which countries and regions are taking a closer look at trade relationships through the lens of national security, and this is contributing to a nuanced and challenging trading environment. The points Mark is making — the wars in Ukraine and the Middle East, the proliferation of disinformation, and the convergence that we’re seeing with China, Russia, Iran and North Korea in opposition to Western democracies — they provide a combustible mix that is impacting how leaders are assessing the global risk landscape. And the October 7 results before and after clearly illustrate that. Where this picture of geopolitical strife is going is anyone’s guess, but evolving global markets and potentially dangerous geopolitical scenarios bear watching by boards and executives in 2024.

Kevin Donahue: Jim, I want to pivot again to a new topic. As you and Mark have pointed out, all these are interrelated. But I want to have you talk about technology-related developments and challenges that we’re seeing in the list of top risks and, more broadly, in some of the issues and concerns that companies have. We see a lot of technology-related issues in the highly rated risks, especially looking out 10 years. This is also our opportunity to talk about the other hot topic this year and certainly next year, which is artificial intelligence.

Jim DeLoach: The interesting aspect on the technology front is that there are myriad technology-related challenges that are linked and interrelated that we noted in our study, and they need to be considered collectively by executives and the board, as exposures in one area may trigger exposures in other areas. It all starts with your point about looking out 10 years.

The fourth-rated risk is rapid speed of technology and disruptive innovations enabled by advanced technologies or other market forces outpacing an organisation’s ability to compete and/or operate successfully without making significant changes to their business model. Everywhere we look, new technologies are impacting businesses, whether you’re talking about artificial intelligence, including all the latest buzz around generative AI, whether you’re talking about automation in all its forms, hyperscalable platforms, faster data transmission and less network latency, quantum computing, blockchain, digital currencies, and the metaverse.

Bottom line, the disruptive change spawned by advancing tech is impacting risk assessments, the risk landscape and other risks. To illustrate that point, as I noted earlier, advancing tech is impacting cybersecurity as it expands the attack surface available to cyber bad actors. And coupled with cyber threat concerns, data privacy made the top 10 for 2024. So as regulations proliferate and expectations surrounding the protection of sensitive private data evolve, business leaders are concerned about how their organisations are collecting, storing, processing, and managing data. That’s all driven by technology, and how that can be exploited creates unintentional exposure. To Mark’s earlier point, greater reliance on third parties to perform critical business services is influencing how leaders are assessing both cyber and data privacy risk.

Another point on the technology front is that as emerging tech is implemented, there is a need to reskill and upskill. This is critical if you’re going to realise fully the value proposition promised by the emerging-tech business case and the ROI that’s anticipated. You’re going to have to have the talent. Unfortunately, the talent you need is not all walking on the street, so you’re going to have to upskill and reskill.

This is not a new conversation. It’s a conversation that’s been going on for a long time. And that conversation has to be addressed right now because the need to upskill and reskill to provide skills that are in short supply in the labor market is the sixth-rated risk for 2024 and the third-rated risk looking out 10 years.

The final point I want to make on the technology front deals with legacy IT systems and existing operations that make it difficult for incumbents to compete with nimbler born-digital competitors or with other incumbents making significant digital investments to make themselves more agile and resilient and able to pivot in the marketplace. Not only do outdated systems create competitive limitations, they also present unintended exposures that may lead to cybersecurity and data privacy concerns. The issues around technical debt and legacy IT systems and existing operations are the seventh and eighth rated risks, respectively, looking out 12 months and looking out 10 years.

Mark Beasley: Tied to all those that you noted too, in the long-term view, is the number 10 risk of the ability to use data analytics and having the skill set to be able to take advantage of the market intelligence that could be gained from that. When you look at the use of technology, that creates a volume of data. Organisations are concerned — for the long term, will they have the talent and the capabilities to get there fast enough, better than their competitors? And of course, as you mentioned earlier, with generative AI, which has become more visible this year, people are still trying to figure out where that’s going to land and how fast that could create an unexpected competitor to my business that is coming out of the blue, and is it going to affect my talent needs?

There’s a connection here to the fact that regulatory concern is a top 10 risk in both the short term and the long term. And we can’t ignore the regulatory question marks surrounding some of these emerging technologies, particularly generative AI. There are a lot of policy discussions going on right now about good and bad — where that can land — and we don’t know the answer yet. Of late, we’re seeing a lot of uncertainty in that market space.

That explains a lot of the concerns about how innovative technology, while it has potential for amazing opportunities, it does create a whole new platform of risk. Again, back to AI risk to my business as my employees and teams start playing around with it, could they accidentally be releasing our proprietary information into the public space now? And now my proprietary confidential data is out there in AI. And “How do I manage that?” is creating a lot of angst among a lot of people.

Jim DeLoach: I like that point. I just got the Blu-ray for Oppenheimer, and included in the special features, at the press interview, the director and a number of physicists were talking about what the meaning of the movie was. They immediately latched on to your point about the unintended consequences of creating new capabilities and how that is impacting the thinking that goes on in Silicon Valley. Related to AI, for example, that was a contemporary example they used.

Kevin Donahue: This all relates to the next topic I wanted to bring up, which is talent and skills gaps. As you mentioned, these are highly interrelated with technology. Jim, I know you have some comments on that that you’ll share. I want to tee up this question, if it helps: I’ve received a couple of questions from people we work with asking if we’re seeing in the results how growth of technology and increased use of AI is indicating any decrease in jobs and skills needs. And I’m saying we’re not seeing those results. In fact, there’s a lot of concerns about having the right talent, having the right skills. How do you see this unfolding right now in terms of the people and talent and skills companies need against the growth of technology?

Jim DeLoach: I noticed that you use the word interrelated, and interconnected, short of using the word correlated, that shows how highly linked all these risks are. When you get to the talent and skills question, it certainly bears that out because amid all the concerns about the economy, the cyber and technology issues, people-related risks are also top of mind and highly interrelated. To that end, there are a number of important themes. The first one is that finding and keeping talent and succession challenges remains a top risk. It’s the second-highest risk both looking out 12 months and looking out 10 years. As I noted earlier, there is the need to reskill and upskill employees, and that is a challenge both now and in the future.

Also, rising labor costs certainly has been a sign of our times and continues to be a persistent concern. Increases in labor costs represent the ninth-rated risk for both 2024 and looking out long-term, mirroring the broader return-to-work trends in the market. However, workplace evolution has not been as significant an issue as it was last year looking out 12 months. There’s more comfort around the conversation of working remotely or as part of a hybrid work environment as leaders are seeing more clearly how to deal with this issue as the workplace continues to evolve. We notice that risk has lessened in relation to other risks.

Also, last year, we had a lot of concerns expressed about culture: resistance to change and the ability to escalate risk concerns promptly within the organisation. Those risks have also lessened in importance relative to other risks, suggesting that companies have been emphasising improved resilience and employee risk awareness in an environment, which, apparent to everyone, is rapidly evolving. Those are some things we noticed. Talent underscores virtually everything when you’re talking about the ability to formulate winning strategies and execute those strategies skillfully in the market.

Mark Beasley: Jim, when you look at them by position, how did the different executives view the risk? Those that lead the talent function, the chief human resource officers, were up there with the chief risk officers as far as the number of risks ranked at what we call the Significant Impact level. Of the 36 risks the chief human resources officers looked at, eight of those were ranked as Significant Impact. Other positions rating risk at the Significant Impact level were the chief risk officers and chief audit executives. Other positions didn’t have them quite that high. The HR leaders are seeing this as a continued concern — maybe not as strong as it was a year ago, when we were coming out of the war for talent. That has to do with the economy.

Things have stabilised a little bit, but a couple of the ones that caught my eye, when you look at them from a talent lens — unfortunately, we’re seeing it particularly here in the university space — is that one of the Significant Impact risks is just meeting expectations in general around protecting health and safety of employees, but particularly their well-being and mental health. That one pops out. I know we’re dealing with that a lot in the university space with our students and the next generation of mental health concerns that are creating some talent issues in that space.

Another one we’ll touch on a little bit is the reliance on third parties. That is one that the chief human resources officers are also raising as a high risk. When I look at that, they’re thinking about it more from outsourced labor versus a supply chain issue, but they’re more looking at it as where they’re getting non-1099 employees, as in here in the United States, where you’re looking at a contract worker and knowing there are risks tied to that if there’s a dependency on those more temporary employee relationships.

Jim DeLoach: Bringing up the role of the CHRO is so key because that role is shifting and changing. You hear more conversation around the importance of winning hearts and minds, more conversation around shifting from jobs and roles to skills, more conversation around emphasising succession planning, leadership development and upward mobility and building technology competencies, as well as differentiating retention strategies for the different generations, and then fostering a culture based on core values and trust that serves as a magnet for talent.

You also hear conversations around improving onboarding effectiveness. All this is dramatically changing and altering the traditional HR function, upgrading its capabilities to be more suitable to current surroundings, and of course, as we see up in Detroit, having to adapt to the emergence of union bargaining power. The world’s changing on the skills front and the CHRO has got to lead the change as opposed to just react to it.

Mark Beasley: And connecting it to generative AI, we’re seeing that as a big, contentious issue in the entertainment space, in some of the labor negotiations, and displacing groups of workers and their talent and trying to manage through that is not easy.

Kevin Donahue: This has been a fantastic conversation, as usual. I want to cover a bit of the topic of third-party risks momentarily. But first, a plug for our report. Executive Perspectives on Top Risks for 2024 and 2034 can be found at erm.ncsu.edu, as well as at protiviti.com/toprisks. The report, among much of the analysis and commentary we have, also includes calls to actions for boards and executives on many of these topics, on cyber, on the economy and inflation, on even addressing the geopolitical landscape. There’ll be a lot of great information for our audience there.

Mark, I did want to touch on third-party risks. In our survey results, cyber stands out, geopolitics stand out, people stand out, yet we see third-party risks rated very highly both for the next year and the next 10 years. Again, we’ve touched on some of this, but I want to have you comment a bit on why you think those are standing out so much right now.

Mark Beasley: This one, as you highlighted, has all of a sudden really come front and center. Last year, it was ranked 17th, and this year, it’s fourth. Among all the 36 risks, it increased the most as far as relative position, and it also jumped for the long term, so this is both a short-term and a long-term issue. It’s in the top 10 in both cases. I there are a lot of reasons for it. This is back to our looking at things from a relationship-portfolio view. The top concern we talked about earlier, about executives being concerned about their legacy systems and not being able to compete with a born-digital enterprise, may mean they’re looking to outsource some of that capability because they don’t have the ability to change their systems that quickly, so they’re going externally to do that.

The talent issue we talked about a minute ago, where we’re looking for talent, one of the positives coming out of the pandemic environment is, now we’re realising, “I can access talent anywhere the talent resides. They don’t have to be at my headquarters’ city or geography to work with us.” There are a lot of ways to tap into that expertise that may not be with a full-time employment perspective.

When you start looking at third-party risk and tying it to geopolitics, as we talked about earlier, the uncertainty in the world, if my third parties are sitting way outside my geography, particularly, for example, on the Asia side, when there’s the lurking concern of Taiwan and China and other things going on there, that puts that third-party exposure front of mind. We saw that come into play, particularly for the chief risk officers and chief audit executives, who rate that as a top five issue. It’s also a top five issue within financial services and technology and media. Those particular industries see it as a big concern. And in the middle range of organisations by size — not the very largest and not the very smallest, but that middle band of organisations — it made the top five.

As you think about looking at reliance on third parties that could be anywhere in the world in the current environment we’re in, they’re worried about managing the risk of that. Even looking out over the last year with the Ukrainian-Russia war and the sanctions of doing business with Russia, considering my third party — and don’t forget, third parties have third parties too, so we’re talking about fourth parties, fifth parties – could I have a sudden exposure from a sixth party that all of a sudden becomes my responsibility? Could it create vulnerabilities that then create a cyber breach? There’s so much interconnectivity to all these, it’s hard to ignore that. The whole third-party space, once it leaves the walls of my organisation, if I don’t have my arms around it, I’m asking, “What is it that I don’t know that I need to know?” And it’s way out there, literally around the world.

Jim DeLoach: The whole concept of a boundaryless organisation — and that is a term that’s been used rather loosely over the last 20-plus, maybe 25-plus years — it continues to rear its head here because the interdependencies organisations have through third parties have continued to expand. This is a highly interconnected world, which brings us back to your point, Mark, about the emphasis on the geopolitical climate, and now you’ve got the West reducing reliance on China in the interest of de-risking, not decoupling, and restrictive laws and regulations around the globe that impact this.

Going forward for 2024, leaders are having to address their third-party risk management framework. This is also as relevant in the boardroom as it is in the C-suite. For example, who are the most important third parties in the company’s ecosystem, and what assets and services within the organisation are delivered through or in some way supported by those third parties? And have those third-party relationships been evaluated against appropriate risk criteria? What significant threats and vulnerabilities have emerged from this evaluation? Has a continuous monitoring programme been established? Those are some of the questions that bear discussion in the C-suite and in the boardroom, particularly as we move into 2024.

Mark Beasley: I want to highlight for our listeners that in the latter part of our report, we have a series of diagnostic questions where we have phrased them as questions that could help tease out what you’re just talking about related to third parties and risk management in general within their organisation. Those could be great discussion starters for risk committees on the management side, risk committees on the board side, and conversations between management and the board that we’ve given you, the listener: Here are a bunch of questions. Try some of these to get the conversation going to see where it may highlight vulnerabilities and how you’re thinking about some of these risks.

Kevin Donahue: Mark, Jim, this has been another fantastic conversation. Thank you both for joining me. Again, for our audience, you, can read our report, Executive Perspectives on Top Risks for 2024 and a Decade Later, at erm.ncsu.edu and at https://www.protiviti.com/de-de/survey/executive-perspectives-top-risks. I also encourage you to subscribe to Protiviti’s Powerful Insights podcast series and to review us wherever you get your podcast content.