North Carolina State University’s ERM Initiative and Protiviti have completed their latest survey of C-level executives and directors regarding the macroeconomic, strategic and operational risks their organizations face. The top risks for the next 12 months reflect interesting differences compared to the prior year and provide insight as to what’s top of mind currently among senior executives and directors around the globe.
More than 500 board members and C-level executives participated in this year’s study.1 Approximately 70 percent represented companies with operations outside of the United States, with roughly a 50-50 split representing companies headquartered in and outside of the United States. These executives reported that their respective organizations faced significant issues and priorities that varied by industry, executive position, and company size and type. Noting some common themes, we’ve ranked the risks in order of priority on an overall basis below.
Last year’s rankings are included in parentheses.
This summary provides a context for understanding the most critical uncertainties companies worldwide are facing as they move forward:
- Regulatory changes and scrutiny may heighten, noticeably affecting the manner in which organizations’ products or services will be produced or delivered (1). This risk has been ranked at the top in each of the surveys we’ve conducted over the past four years, with an increased rating this year. The cost of regulation and its impact on business models remain high in many industries. Compliance costs are embedded within prices consumers must pay and affect employee compensation.
The top risk in many industry groups, regulation and its high costs can contribute to an unlevel playing field in the global marketplace that can affect a company’s competitiveness and lead to lower levels of economic growth. Thus, policymakers must grapple with the question of the appropriate regulatory balance, while business leaders must make investment and hiring decisions in the face of the uncertainty imposed by continued and, in some cases, heightened regulatory mandates.
- Economic conditions in markets the organization currently serves may significantly restrict growth opportunities (2). Declining oil and gas prices, equity markets, and commodity prices, in general, have contributed to economic uncertainty. Short-termism is a concern as business investment has yet to catch up with pre-financial crisis levels. As we’ve suggested in the past, a “new normal” may be unfolding as businesses adapt their operations to an environment of slower organic growth. As expansion across the globe continues to be some- what uneven from one geographical area to the next, the survey results reflect concerns that prospects for growth in 2016 present a challenge in selected markets. Therefore, we expect companies to seek new markets and new ways of serving customers as part of their efforts to stimulate fresh sources of growth – while keeping a sharp eye on preserving profitability and sufficient returns.
- The organization may not be sufficiently prepared to manage cyberthreats that have the potential to significantly disrupt core operations and/or damage its brand (3). Third and sixth on the list in 2015 and 2014, respectively, cybersecurity risk continues to escalate as an issue of concern. The harsh glare of the public spotlight on high-profile breaches at major retailers, global financial institutions and other organizations, including government entities, has led executives and directors to realize it is most likely not a matter of if a cyber risk event might occur, but when.
With the increasing sophistication of cyberperpetrators, many organizations recognize the threat linked to their reliance on social business, cloud computing, mobile technologies, data analytics and other technologies as they execute their global strategies. While these technologies and tools offer significant opportunities for creating cost-effective business models and enhancing customer experiences, they may also spawn disruptive change and increase exposure to cyberattacks. Therefore, directors and executives alike seek an edge in getting ahead of the pace of technological change by focusing on protection of the organization’s “crown jewels” (e.g., intellectual property and critical information assets the organization cannot afford to lose), understanding the threat landscape, and ensuring that effective incident response plans are in place.
- Succession challenges and the ability to attract and retain top talent may limit the ability to achieve operational targets (4). This risk also held its position on the list, but its overall rating was higher this year than in previous years. As roundtables facilitated by the National Association of Corporate Directors and Protiviti in 2015 indicated, directors understand that talent strategy is inexplicably tied to overall business strategy.
Companies need talented people with the requisite knowledge, skills and core values to execute challenging growth and innovation strategies.
With changing demographics in the workplace due to an aging workforce and the increasing influence of millennials, organizations are increasing their focus on acquiring, retaining and developing talent. This risk must be addressed through succession plans, with an emphasis on building executive bench strength through grooming younger, strong- performing managers who have the potential to lead.
- Privacy/identity and information security risks may not be addressed with sufficient resources (7). The technological complexities giving rise to cybersecurity threats also spawn increased privacy/identity and other information security risks. As the digital world enables individuals to connect and share information, it presents fresh exposures to loss of sensitive customer and private information and identity theft. As with cybersecurity, increased sensitivity of the public and changing technologies create, in effect, a “moving target” for companies to manage.
- Rapid speed of disruptive innovations and/ or new technologies within the industry may outpace the organization’s ability to compete and/or manage the risk appropriately, without making significant changes to the business model (11). Innovation can dramatically improve quality, time and cost performance to create superior products and services for customers.
It also can create new markets, extend a product range or replace products and services. And it can be disruptive if it improves the customer experience in ways that the market does not expect, typically by lowering the price significantly, or by designing a product or service that transforms the way in which the consumer’s needs are fulfilled.
What organizations are facing today is disruptive change to business models and even entire industries. Whereas disruptive innovations may have once taken a decade or more to transform an industry, the elapsed time frame is compressing significantly, leaving very little time for reaction. Sustaining a business model in the face of digitally enabled competition requires constant innovation to stay ahead of the change curve.
- Resistance to change could restrict the organization from making necessary adjustments to the business model and core operations (6). Positioning the organization as agile, adaptive and resilient in the face of change is top of mind for many executives and directors. It’s a smart move. Early movers that exploit market opportunities and respond to emerging risks are more likely to survive and prosper in a rapidly changing environment. The challenge of making an organization an early mover keeps this risk top of mind for executives.
- Anticipated volatility in global financial markets and currencies may create significantly challenging issues for our organization to address (17). Many forces are at work contributing to this increasing risk (e.g., high asset prices, slowing global growth, China’s approach to foreign exchange, declining commodity prices, uncertainty associated with central bank policies, and less confidence in policymakers’ ability to respond to market issues quickly and effectively). For these and other reasons, survey participants see increased risk of volatile financial markets.
- The organization’s culture may not sufficiently encourage timely identification and escalation of significant risk issues (5). The collective impact of the tone at the top, tone in the middle and tone at the bottom on risk management, compliance and responsible business behavior has a huge effect on timely escalation of risk issues to the people who matter. This is a cultural issue requiring constant attention by management and oversight by the board. This risk continues to be rated highly likely because of the pace of change and the challenges of executing timely identification and escalation of key risks. For that reason, it is a topic in which some regulators (e.g., in financial services) are taking a greater interest.
- Sustaining customer loyalty and retention may be increasingly difficult due to evolving customer preferences and/or demographic shifts in the existing customer base (9). The rapid pace of change and disruptive innovations continue to drive significant changes in the marketplace. Customer preferences are subject to rapid shifts, making it difficult to retain customers in an environment of slower growth. Sustaining customer loyalty and retention is a high priority for customer-focused organizations because senior executives know that preserving customer loyalty is more cost-effective than acquiring new customers.
Two risks reported last year fell out of the top 10 looking forward to 2016. The risk that an unexpected crisis could impact the organization was rated seventh last year and fell to 11th this year. In addition, the risk that existing operations may not be able to meet performance expectations related to quality, time to market, cost and innovation as well as competitors was rated ninth last year and ranked 15th this year.
One other notable survey finding: Respondents reported that the risks their organizations will be facing with respect to reaching or exceeding profitability (or funding) targets over the next 12 months are greater in terms of magnitude and severity than the assessment reported in last year’s survey (in which the participating respondents looked forward into 2015). Also, respondents noted that the likelihood their organization will devote additional time and/or resources to risk identification and management over the next 12 months was at about the same level as reported last year.
Questions for Boards
The board of directors may want to consider the above risks in evaluating its risk oversight focus for the next 12 months in the context of the nature of the entity’s risks inherent in its operations. If the company has not identified these issues as risks, directors should consider asking why not.
How Protiviti Can Help
We assist boards and executive management with identifying and assessing the enterprise’s risks and implementing strategies and tactics for managing risk. In addition, we assist public and private companies with integrating their risk assessment process with their core business processes, including strategy-setting, business planning and performance management. We provide an experienced, unbiased perspective on issues separate from those of company insiders to help organizations improve their risk reporting to better inform the board’s risk oversight process.
Board Perspectives: Risk Oversight (Issue 78)