North Carolina State University’s ERM Initiative and Protiviti have completed the latest survey of C-level executives and directors regarding the macroeconomic, strategic and operational risks their organizations face. The top risks for 2017 provide insight as to what issues are currently top of mind for leaders around the globe.
A recent survey conducted by the National Association of Corporate Directors (NACD) reported that, according to the vast majority (96 percent) of directors, “big picture” risks are overseen at the full board level. This view of risks includes those with broad implications for the organization’s strategic direction, as well as issues that can create significant reputational damage.
More than 700 C-level executives participated in our annual study of the top risks for the upcoming year. The study was conducted in the fall of 2016; 55 percent of respondents were U.S.-based, with the balance distributed between Europe and the Asia-Pacific region. These executives revealed that their respective organizations face significant issues and priorities that vary by industry, executive position, and company size and type. They also indicated that the overall global business context is noticeably riskier than in the two previous years, with respondents in the United States indicating it’s about the same as in prior years. For the top 10 risks identified in this survey, as discussed below, the assessment of the severity of each risk is higher than in prior years; this suggests executives perceive that the level of risk is increasing across several dimensions.
Using our survey methodology, the common risk themes were ranked in order of overall priority. In presenting the top 10 risks below, the previous year’s rankings were noted parenthetically. This summary provides context for understanding the most critical uncertainties companies face as they move forward into 2017:
- Economic conditions in markets the organization currently serves may significantly restrict growth opportunities (2). This issue moved to the top risk spot for 2017, which is not surprising given that myriad factors continue to cloud the global economic outlook. There are many sources of economic uncertainty in the global marketplace. Financial market volatility, Brexit, massive immigration pressures in Europe, a strong U.S. dollar, central bank monetary policies in many countries, the aftermath of the U.S. 2016 national elections, sluggish growth rates in various global markets, rising global debt and the threat of deflation are examples. Survey participants may have concerns about a “new normal” for businesses operating in an environment of slower organic growth as they search for new markets, products and services to stimulate fresh growth opportunities.
- Regulatory changes and scrutiny may heighten, noticeably affecting the manner in which organizations’ products or services will be produced or delivered (1). Ranked at the top in each of the prior surveys we’ve conducted over the past four years, this risk fell to the second spot for 2017 despite receiving an increased rating. Whether ranked first or second, companies continue to have anxiety about regulatory challenges potentially affecting their strategic direction, how they operate and their ability to compete with global competitors on a level playing field. This risk may be particularly relevant in 2017, given uncertainty concerning the new U.S. administration and its likely influence on the role of government and the business environment, particularly with respect to trade policy with other nations, healthcare reform, financial services regulation and environmental issues. The cost and influence of regulation on business models remain high in many industries and any major change — positive or negative — is of significant interest to executives and directors.
- The organization may not be sufficiently prepared to manage cyberthreats that have the potential to significantly disrupt core operations and/or damage its brand (3). This risk has been rising steadily in our annual surveys over the past several years, despite the enhanced efforts companies have been undertaking to address it. These results are not surprising because cyber risks have evolved into a moving target. Many factors are driving change: the ongoing digital revolution, new innovations to enhance the customer experience, cloud adoption, social media, mobile device usage and increasingly sophisticated attack strategies, among others. The harsh reality is clear: new technology offerings and developments in organizations are quickly extending beyond the security protections that they currently have in place. High-profile data breaches affecting politicians, global financial institutions and major retailers, among others, and the growing presence of state-sponsored cyberterrorism have C-level executives recognizing the need for “cyber resiliency.” In short, it is not a matter of if a cyber-risk event might occur, but when. Organizations therefore must be prepared to reduce the impact and proliferation of a cyber-risk event.
- Rapid speed of disruptive innovations and/or new technologies within the industry may outpace the organization’s ability to compete and/or manage the risk appropriately, without making significant changes to the business model (6). Inability to respond in a timely manner to changing market expectations can be a major competitive threat for organizations that lack agility in the face of new market opportunities and emerging risks. As the speed of change can accelerate and emerging innovative technologies can occur in any industry or organization, this risk manifests itself in far broader ways than in retail marketplaces. Disruption affects all industries; no company is immune. The half-life of business models is constantly shrinking, and board members and executive management cannot become complacent with the status quo.
- Privacy/identity and information security risks may not be addressed with sufficient resources (5). The technological complexities giving rise to cybersecurity threats also spawn increased privacy/identity and other information security risks. As the digital world evolves and connectivity increases, new opportunities emerge for identity theft and for the compromise of sensitive customer information. Recent hacking attacks that exposed tremendous amounts of identity data involving a number of large companies and the federal government in the United States highlight the harsh realities of this growing risk concern.
- Succession challenges and the ability to attract and retain top talent may limit the ability to achieve operational targets (4). A number of factors are driving this risk — changing demographics in the workplace, slower economic growth, increasingly demanding customers and growing complexity in the global marketplace, among others. As a result, organizations are being forced to elevate their game to acquire, develop and retain talent with the requisite knowledge, skills and core values to execute challenging growth strategies. Multiple trends are transforming the global talent landscape, as well as creating the need for altering talent management strategies. These trends include globalization, digitization, increasing mobility, worker shortfalls in many developed countries over the long term, and growing opportunities in emerging markets. As they expand their global reach, boundaryless organizations must “think global” as they build diverse and collaborative teams that will be resilient in a rapidly changing and increasingly digital world.
- Anticipated volatility in global financial markets and currencies may create significant, challenging issues for our organization to address (8). Given questions in Europe surrounding the United Kingdom’s eventual exit from the European Union and uncertainties in other world markets, including China, it is not surprising that this risk remains a top 10 risk for 2017. Factors we’ve indicated earlier — including rising public debt, falling commodity prices, sluggish economic growth, the strong U.S. dollar and uncertainty regarding monetary policies — all contribute to uncertainty in global financial markets and currencies.
- The organization’s culture may not sufficiently encourage timely identification and escalation of significant risk issues (9). The collective impact of the tone at the top, tone in the middle and tone at the bottom on risk management, compliance and responsible business behavior has a huge impact on the manner in which risk issues are brought to the attention of decision-makers, when there is still time to act. Given the overall higher levels of risk-impact scores for all risks in 2017 relative to 2016, this cultural issue may be especially concerning to senior management and boards.
- Resistance to change could restrict the organization from making necessary adjustments to the business model and core operations (7). The cultural issues surrounding the escalation of top risk concerns noted above combined with a lack of organizational resiliency can be lethal in these uncertain times. It makes sense to enhance the organization’s ability and discipline to act decisively in revising strategic and business plans in response to changing market realities. Organizations committed to continuous improvement and breakthrough change are more apt to be early movers in exploiting market opportunities and responding to emerging risks than those clinging to the status quo.
- Sustaining customer loyalty and retention may be increasingly difficult due to evolving customer preferences and/or demographic shifts in the existing customer base (10). Customer preferences can shift rapidly, making it difficult to retain customers in an environment of modest growth in certain sectors. Sustaining customer loyalty and retention is about increasing profitability through superior top-line performance and reduced marketing costs and costs associated with educating customers. But that’s not easy in today’s highly competitive environment of disruptive change. This may be what is on the minds of the survey participants rating this risk.
Three risks fell just short of a spot in the top 10. They are (a) uncertainty surrounding political leadership in national and international markets; (b) anticipated increases in labor costs impacting the ability to meet profitability targets; and (c) the inability to utilize data analytics and “big data” to achieve market intelligence and increase productivity and efficiency. Although not in the top 10, these risks remain significant for many companies.
The above results are global. U.S. respondents noted similar risks but ranked them differently. One other notable survey finding: Respondents in the Asia-Pacific region and in Europe reported that the risks their organizations will be facing with respect to reaching or exceeding profitability (or funding) targets over the next 12 months have increased slightly in terms of magnitude and severity compared to the assessment reported in last year’s survey (in which participating respondents looked forward to 2016). In the United States, the perceived level of risk is about the same year-over-year.
Questions for Boards
The board of directors may want to consider the above risks in evaluating its risk oversight focus for the coming year, in the context of the nature of the risks inherent in the entity’s operations. If the company has not identified these issues as risks, directors should consider their relevance and ask why not.
How Protiviti Can Help
We assist boards and executive management with identifying and assessing the enterprise’s risks and implementing strategies and tactics for managing risk. In addition, we assist public and private companies with integrating their risk assessment process with their core business processes, including strategy-setting and execution, business planning, and performance management. We provide an experienced, unbiased perspective on issues separate from those of company insiders to help organizations improve their risk reporting to better inform the board’s risk oversight process.
Board Perspectives: Risk Oversight Issue 87