Protiviti and North Carolina State University’s ERM Initiative have completed the latest survey of directors and C-level executives regarding the macroeconomic, strategic and operational risks their organizations face. The top risks for 2018 provide interesting insight into changing risk profiles across the globe.
Overall, 728 C-level executives and directors participated in this year’s global study, with 46 percent representing companies based in North America and 45 percent distributed across Europe and the Asia-Pacific region. The study participants revealed that their respective organizations faced significant issues and priorities that varied by industry, executive position, and company size and type. Consistent with prior years, there is variation in views among boards and C-suite executives regarding the magnitude and severity of risks for the year ahead relative to prior years. Interestingly, compared to C-level executives, board members see a riskier environment for 2018, reporting the highest increase in concern relative to their views in the prior year.
We ranked the top risk themes in order of priority, noting the previous year’s top 10 rankings parenthetically. This summary provides a context for understanding the most critical uncertainties companies are facing as they move forward into 2018:
- Rapid speed of disruptive innovations and/ or new technologies within the industry may outpace the organization’s ability to compete and/or manage the risk appropriately, without making significant changes to the business model (4). This strategic risk soared to the top for 2018. With advancements in digital technologies and rapidly changing business models, respondents are focused on whether their organizations are agile enough to respond to developments that alter customer expectations and require change to their core business models. For most large companies today, it’s not a question of if digital will upend their business but when. Even when executives are aware of emerging technologies that obviously have disruptive potential, it is often difficult for them to have both the vision to anticipate the nature and extent of change and the decisiveness to act on that vision.
- Resistance to change could restrict the organization from making necessary adjustments to the business model and core operations (9). Coupled with concerns about the emergence of disruptive innovations, respondents also highlighted a cultural concern related to overall resistance to change within the organization. As many companies have discovered in recent years, strategic error in the digital economy can be lethal. If business model disruptors emerge in the industry, respondents are concerned that their organization may not be able to adjust core operations in time to make changes to the business model that will help the company compete. This risk and the risk of disruptive change create a conundrum of sorts. On the one hand, there is concern about inevitable disruptive change and, on the other hand, a fear the enterprise will not be agile and resilient enough to adapt to that inevitability. That’s why organizations committed to continuous improvement and breakthrough change are more apt to be early movers in exploiting market opportunities and responding to emerging risks.
- The organization may not be sufficiently prepared to manage cyber threats that have the potential to significantly disrupt core operations and/or damage its brand (3). Threats related to cybersecurity continue to be of concern as respondents focus on how events might disrupt core operations. To no one’s surprise, this risk continues to be one of the most significant top operational risks overall. It is also listed among the top five risks in each of the four size categories of organizations we examined. Both directors and CEOs rated this risk as their No. 2 risk concern. None of these findings are surprising as technological advancement is an unstoppable force. Cyber risks continue to be a moving target as cloud computing adoption, mobile device usage, creative applications of exponential increases in computing power, and innovative IT transformation initiatives constantly outpace the security protections companies have in place.
- Regulatory changes and scrutiny may heighten, noticeably affecting the manner in which organizations’ products or services will be produced or delivered (2). Regulatory risk, which has been one of the top two risk concerns in all prior years that we have conducted this survey, has dropped to fourth on the list for 2018. However, it is still a major concern for executives. In fact, 66 percent of our respondents rated this risk as a “Significant Impact” risk. Therefore, the drop in this risk’s position on the 2018 list is more a result of higher concern over the top three risks.
- The organization’s culture may not sufficiently encourage timely identification and escalation of significant risk issues that have the potential to significantly affect core operations and achievement of strategic objectives (8). This issue, coupled with concerns over resistance to change, can be lethal if it results in the organization’s leaders losing touch with business realities. If there are emerging risks and the organization’s leaders are not aware of them, the entity has a problem. The collective impact of the tone at the top, tone in the middle and tone at the bottom on risk management, compliance and responsible business behavior has a huge impact on timely escalation of risk issues, particularly those affecting core business processes.
- Succession challenges and the ability to attract and retain top talent may limit ability to achieve operational targets (6). The risk of succession challenges and the ability to attract and retain talent continues to be an overall top 10 risk, likely triggered by a tightening labor market. It is especially prevalent for entities in the consumer products and services, healthcare and life sciences, and energy and utilities industries. The bottom line: Respondents are concerned that significant operational challenges may arise if their organization is unable to sustain a workforce with the skills needed to implement demanding growth strategies. To thrive in the digital age, organizations need to think and act digital; that requires a different set of capabilities and strengths. Talented people aspire to be contributors in a contemporary and digitally focused business with its best days ahead of it rather than bound to an organization that is not structured to be innovative and dynamic — even though it may have a strategy that asserts it will be. This risk indicates that directors and executives believe their organizations must up their game to acquire, develop and retain the right talent. The organizations that win the war for talent win the game.
- Privacy/identity management and information security risks may not be addressed with sufficient resources (5). The presence of this risk in the top 10 is somewhat expected given the increasing number of reports of hacking and other forms of cyber intrusion that compromise sensitive personal information. As the digital world evolves and enables individuals to connect, exchange and share information, it presents fresh exposures to sensitive customer and personal information and identity theft.
- Economic conditions in markets the organization currently serves may significantly restrict growth opportunities (1). Survey respondents are not as concerned about economic conditions in domestic and international markets as they were in prior years. This risk is the only macroeconomic risk included in the top 10 risk list, suggesting respondents seem more positive about macroeconomic issues, and specifically the economy, for 2018 relative to the past several years.
- Inability to utilize data analytics and “big data” to achieve market intelligence and increase productivity and efficiency may significantly affect core operations and strategic plans (13). The final two risks are new to our top 10 list. Respondent concerns are growing regarding their company’s ability to harness the power of data and advanced analytics to achieve competitive advantage and manage operations. They sense that other organizations may be able to capture intelligence that allows them to be more nimble and responsive to market shifts and changing customer preferences than their company. In the digital age, knowledge wins and advanced analytics are the key to unlocking insights that can differentiate companies in the marketplace.
- Our existing operations may not be able to meet performance expectations related to quality, time to market, cost and innovation as well as our competitors, especially new competitors that are “born digital” and have a low cost base for their operations, or established competitors with superior operations (15). This risk is especially heightened by the concern that new competitors may be able to leverage digital capabilities that allow them to introduce new business models more cost-effectively. Hyperscalability of digital business models and lack of entry barriers enable new competitors to emerge and scale very quickly in redefining the customer experience, making it difficult for incumbents to see it coming at all, much less react in a timely manner to preserve customer loyalty.
Two of last year’s top 10 risks fell off the list for 2018. The first is anticipated volatility in global financial markets and currencies creating significant issues for organizations to address, which was the seventh-rated risk last year. The second is increased difficulty in sustaining customer loyalty and retention due to evolving customer preferences and/or demographic shifts in the existing customer base, which was the tenth-highest risk last year.
The above results are global. Across North America, Europe and the Asia-Pacific region, there are similarities and differences. All three regions have in common the strategic threat from the rapid speed of disruptive innovations and the operational threat from resistance to change. These two concerns appear to be at the forefront for executives all over the world. But there are differences:
- European-based organizations’ top five risks were dominated by macroeconomic risks, with three of their top five risks from that category. To illustrate, the concern over low fixed interest rates is the region’s top concern, perhaps due to central banks transitioning away from the accommodative policies of the past.
- North American respondents were the only ones to identify cyber threats and succession challenges and the ability to attract top talent as top five risks. Regarding cyber, attacks on high-profile companies continue to dominate the headlines in the United States. Talent acquisition and retention has also been a priority in North America for years as the population ages.
- Respondents from the Asia-Pacific region were the only geographic group to identify the risk of uncertainty surrounding key suppliers as a top five risk. Developed at a time when product innovation was slower and forecasting and demand planning capabilities were much less robust than they are today, supply chains in many Asian companies are based on a low cost model that does not support present-day growth imperatives.
The overall message of this year’s study is that the rapid pace of change in the global marketplace provides a risky environment for entities of all types to operate. The unique aspect regarding disruptive change is that it represents a choice: Which side of the change curve do organizations desire to be? Does the organization seek to be the disrupter and try to lead as a transformer of the industry? Or, alternatively, does it play a waiting game, monitor the competitive landscape and react only when necessary to defend market share? For those organizations choosing not to disrupt the status quo actively, their challenge is to be agile enough to react quickly as an early mover. And as we’ve noted before, not enough organizations are.
Questions for Boards
The board of directors may want to consider the above risks in evaluating its risk oversight focus for the coming year in the context of the nature of the entity’s risks inherent in its operations. If their companies have not identified these issues as risks, directors should consider their relevance and ask why not.
How Protiviti Can Help
We assist boards and executive management with identifying and assessing the enterprise’s risks and implementing strategies and tactics for managing risk. In addition, we assist public and private companies with integrating their risk assessment process with their core business processes, including strategy-setting and execution, business planning, and performance management. We provide an experienced, unbiased perspective on issues separate from those of company insiders to help organizations improve their risk reporting to better inform the board’s risk oversight process.
 Executive Perspectives on Top Risks for 2018, Protiviti and North Carolina State University’s ERM Initiative, December 2017, available at www.protiviti.com/toprisks.
(Board Perspectives: Risk Oversight - Issue 99)