North Carolina State University ERM Initiative and Protiviti have completed the latest survey of C-level executives regarding the macroeconomic, strategic and operational risks their organizations face. The top 10 risks for 2015 reflect some marked differences compared to 2014 and provide insight as to what’s on the minds of senior executives and directors.
Derived from a survey of approximately 275 C-level executives (a majority of whom represent organizations that operate globally), the following summary of major business challenges provides a context for understanding the top uncertainties companies are facing as they move forward into 2015.1
While the applicability and prioritization of the following challenges will vary by industry and company size and type, we ranked the risks in order of priority on an overall basis. To provide greater context, last year’s rankings are noted parenthetically; “NR” means the risk was not rated in last year’s survey.
- Regulatory changes and heightened regulatory scrutiny may affect the manner in which our products or services will be produced or delivered (1). This risk has been ranked at the top in each survey we’ve conducted over the past three years. Despite a slight decline in its rating this year, this risk remains top of mind, suggesting that the cost and influence of regulations on business models remain high in many industries and across the globe. Even marginally incremental regulatory change can add tremendous cost to a corporation, and the mere threat of regulatory change can create uncertainty in hiring and investment decisions.
- Economic conditions in current markets may not present significant growth opportunities (2). This risk remains in second place on the list, consistent with prior years. While equity markets saw a strong surge in the third and fourth quarters of 2014, uncertainties continue to exist (for example, the volatility in oil and gas prices; concerns about the impact of economic sanctions in Russia to U.S. and European markets; questions about slowdowns in China; and the effects on U.S. economic policy resulting from the shift in power in the U.S. Senate in January 2015). Potentially, this ranking suggests concern over a “new normal,” with businesses learning to operate in an environment of slower organic growth. As growth across the globe continues to be somewhat uneven from one geographical area to the next, the survey results reflect concerns that prospects for growth in 2015 present a challenge in selected markets. In fact, in rating this risk, executives and directors may be mindful that the pace of economic growth could shift, dramatically and quickly, in any region of the global market. Accordingly, companies may be aggressive in seeking new markets and new ways of serving customers to stimulate fresh sources of growth.
- Cyber threats could significantly disrupt core operations and/or damage the brand; privacy/ identity and information security risks may not be addressed with sufficient resources (6).2 Recent and significant data breaches at major retailers, global financial institutions and other high-profile companies have most executives realizing it is most likely not a matter of if a cyber risk event might impact the business, but when. Most organizations now recognize the significant threat linked to their reliance on technology for executing global strategies. Social business, cloud computing, mobile technologies and other technological developments offer significant opportunities for creating cost-effective business models and enhancing customer experiences. They may also spawn disruptive change, increased privacy and security risks, and further exposure to damaging cyber attacks launched by adversaries with increasingly sophisticated skills and clever schemes. The fresh challenges presented by these technologies create, in effect, a “moving target” for companies to manage.
- Succession challenges and the ability to attract and retain top talent may constrain efforts to achieve operational targets (4). This risk also held its position on the list, but its overall rating was higher this year than in prior years. As companies pursue their growth strategies, they need people with the requisite knowledge, skills and mutuality of interests to execute those plans; however, a significant shortfall of skilled workers is looming on the horizon in many developed countries. This risk translates into succession issues that organizations must address; they need to emphasize grooming younger managers who have the potential to lead and focus on retaining their most promising employees – the “A players.” Some organizations are considering alternative staffing models that provide more flexibility, such as part-time arrangements and contractors, for retaining or replacing talent.
- The organization’s culture may not sufficiently encourage the timely identification and escalation of significant risk issues (NR). This risk was added this year. Despite the recognition that there are a number of top operational, strategic and macroeconomic risk concerns, there appears to be an overall lack of confidence that processes are in place for individuals to raise risk concerns to the organization’s leadership. The collective impact of the tone at the top, tone in the middle and tone at the bottom on risk management, compliance and responsible business behavior has a huge effect on timely escalation of risk issues to the right people in the organization. That is likely why this risk was rated as highly as it was, as timely identification and escalation of key risks are not easy.
- Resistance to change could restrict the organization from making necessary adjustments to the business model and core operations (7). Senior executives are placing high priority on positioning their organizations as agile, adaptive and resilient in the face of change. They instinctively know that early movers that exploit market opportunities and respond to emerging risks are more likely to survive and prosper in a rapidly changing environment. But making an organization an early mover is a challenge, pushing this risk up a notch compared to last year.
- An unexpected crisis could impact the organization (10). The rating for this risk increased significantly compared to last year, possibly due to the continued occurrence of proud, established global brands facing unexpected crises and subsequently experiencing significant reputational impact. Senior executives and directors are realizing there isn’t an organization on the planet immune to being tested by a crisis. This makes an understanding of the risks and the need for preparedness especially vital. With the speed and global reach of the media, especially social media, reputations built over decades can unravel overnight.
- Sustaining customer loyalty and retention may be increasingly difficult due to evolving customer preferences and/or demographic shifts in the existing customer base (NR). This is another risk we added to our latest survey that we did not include in prior years. The rapid pace of change and disruptive innovations are leading to dramatic changes in the marketplace. In reaction to those changes, customer preferences are shifting rapidly, making it difficult to retain customers in an environment of slower growth. Not only is preserving customer loyalty more cost-effective than acquiring new customers, but loyal customers are also more likely to purchase higher-margin products and services over time. Loyal customers reduce marketing costs, as well as costs associated with educating customers. That is why sustaining customer loyalty and retention is a high priority for customer-focused organizations.
- Existing operations may not be able to meet performance expectations related to quality, time to market, cost and innovation as well as competitors do (10). Performance gaps can be deadly if left unaddressed over a long period. Poor performance in relation to competitors is simply not sustainable.
- New technologies may disrupt the organization’s business model (10). This risk also moved up a notch, tied for the tenth spot on last year’s list with other risks. It deals with disruptive innovation and/or new technology within the industry outpacing an organization’s ability to compete without making significant changes to its business model. While the velocity of this risk is typically not as immediate as a catastrophic event, it is potentially lethal if the organization finds itself on the wrong side of the change wave.
Several risks reported last year fell out of the top 10 risks for 2015. For example, uncertainty surrounding political leadership limiting growth opportunities was third on the list last year. This risk fell a long way in this year’s survey, possibly because business leaders have grown accustomed to the geopolitical tensions and political gridlock realities of the current era.
Anticipated volatility in global financial markets and currencies creating challenges was eighth last year, and uncertainty surrounding costs of complying with healthcare reform legislation in the United States limiting growth was ninth. With respect to the latter, the risk declined in significance largely because many employers have grown comfortable with methods for capping their exposure to healthcare reform costs; however, the healthcare provider industry in the United States will likely continue to face challenges due to healthcare reform in the coming years.
One other notable survey finding: Compared to last year, there was an uptick in the number of respondents reporting that their organizations will devote additional time and/or resources to risk identification and management over the next 12 months.
Questions for Boards
The board of directors may want to consider the above risks in evaluating its risk oversight focus for the coming year in the context of the nature of the entity’s risks inherent in its operations.
How Protiviti Can Help
Protiviti can assist the board of directors and executive management with identifying and assessing the enterprise’s risks and implementing strategies and tactics for managing risk. We assist public and private companies with integrating their risk assessment process with their core business processes, including strategy-setting and business planning. We provide an experienced, unbiased perspective on issues separate from those of company insiders to help organizations improve their risk reporting to better inform the risk oversight process.
1Executive Perspectives on Top Risks for 2015: Key Issues Being Discussed in the Boardroom and C-Suite, Protiviti and North Carolina State University’s ERM Initiative, available at protiviti.com/toprisks.
2As in the prior two years, our survey rated cyber threats separately from privacy/identity and information security risks. Also, as in the past, both were top 10 level risks. For purposes of this article, we combined the two risks because both are driven by uncertainties arising from the complexities of changing technology. Interestingly, both risks were included in the top five risks for companies with revenues of US$10 billion or more.
Board Perspectives: Risk Oversight (Issue 64)