Topics:   Audit and Risk

February 10, 2015

The Most Important Risks for 2015

North Carolina State University ERM Initiative and Protiviti have completed their third annual survey of C-level executives regarding the macroeconomic, strategic and operational risks their organizations face. Compared to last year, the top 10 risks for 2015 reflect some marked differences and provide insight into what’s on the minds of senior executives and directors. Approximately 275 C-level executives, the majority of whom represent organizations that operate globally, participated, providing an understanding of the top uncertainties companies are facing as they move forward into 2015.

While the applicability and prioritization of the following challenges will vary by industry and company size and type, we ranked the risks in order of priority on an overall basis. To provide greater context, last year’s rankings are noted parenthetically; risks that were not rated in last year’s survey are noted by “NR.”

  1. Regulatory changes and heightened regulatory scrutiny may affect the manner in which our products or services will be produced or delivered (1). This risk has been ranked at the top in each survey we’ve conducted over the past three years, suggesting that the cost and influence of regulations on business models remain high in many industries and across the globe. Even marginally incremental regulatory change can add tremendous cost to a corporation, and the mere threat of regulatory change can create uncertainty in hiring and investment decisions.
  2. Economic conditions in current markets may not present significant growth opportunities (2). This risk remains in second place on the list, consistent with prior years. While equity markets saw a strong surge in the third and fourth quarters of 2014, considerable uncertainties remain, including: the volatility in oil and gas prices; concerns about the impact of economic sanctions in Russia to U.S. and European markets; questions about slowdowns in China; and the effects on U.S. economic policy resulting from the shift in power in the U.S. Senate. This ranking suggests concern over a “new normal,” with businesses learning to operate in an environment of slower organic growth. As growth across the globe continues to be somewhat uneven from one geographical area to the next, the survey results reflect concerns that this year’s growth prospects present a challenge in selected markets. In rating this risk, executives and directors may be mindful that the pace of economic growth could shift dramatically and quickly in any region of the global market. Accordingly, companies may be aggressive in seeking new markets and new ways of serving customers to stimulate fresh sources of growth.
  3. Cyber threats could significantly disrupt core operations and/or damage the brand; privacy/identity and information security risks may not be addressed with sufficient resources (6). Recent, significant data breaches at major retailers, global financial institutions, and other high-profile companies have most executives realizing it is most likely not a matter of if a cyber event might impact the business, but when. Most organizations now recognize the significant threat linked to relying on technology for executing global strategies. Social business, cloud computing, mobile technologies, and other technological developments offer significant opportunities for creating cost-effective business models and enhancing customer experiences. They may also spawn disruptive change, increased privacy and security risks, and further exposure to damaging cyberattacks launched by adversaries with increasingly sophisticated skills and clever schemes. The fresh challenges presented by these technologies create, in effect, a “moving target” for companies to manage.
  4. Succession challenges and the ability to attract and retain top talent may constrain efforts to achieve operational targets (4). This risk also held its position on the list, but its overall rating was higher this year than in prior years. As companies pursue their growth strategies, they need people with the requisite knowledge, skills, and mutuality of interests to execute those plans; however, a significant shortfall of skilled workers is looming on the horizon in many developed countries. This risk translates into succession issues that organizations must address: they need to emphasize grooming younger managers who have the potential to lead and focus on retaining their most promising employees – the “A players.” Some organizations are considering alternative staffing models that provide more flexibility, such as part-time arrangements and contractors, for retaining or replacing talent.
  5. The organization’s culture may not sufficiently encourage the timely identification and escalation of significant risk issues (NR). This risk was added this year. Despite the recognition that there are a number of top operational, strategic and macroeconomic risk concerns, there appears to be an overall lack of confidence that processes are in place for individuals to raise risk concerns to the organization’s leadership. The collective impact of the tone at the top, tone in the middle, and tone at the bottom on risk management, compliance, and responsible business behavior has a huge effect on timely escalation of risk issues to the right people in the organization. That is likely why this risk was rated as highly as it was, as timely identification and escalation of key risks are not easy.
  6. Resistance to change could restrict the organization from making necessary adjustments to the business model and core operations (7). Senior executives are placing high priority on positioning their organizations as agile, adaptive and resilient in the face of change. They instinctively know that early movers that exploit market opportunities and respond to emerging risks are more likely to survive and prosper in a rapidly changing environment. But making an organization an early mover is a challenge, pushing this risk up a notch compared to last year.
  7. An unexpected crisis could impact the organization (10). The rating for this risk increased significantly compared to last year, possibly due to the continued occurrence of proud, established, global brands facing unexpected crises and subsequently experiencing significant reputational impact. Senior executives and directors are realizing there isn’t an organization on the planet immune to being tested by a crisis. This makes an understanding of the risks and the need for preparedness especially vital. With the speed and global reach of the media, especially social media, reputations built over decades can unravel overnight.
  8. Sustaining customer loyalty and retention may be increasingly difficult due to evolving customer preferences and/or demographic shifts in the existing customer base (NR). This is another risk we added to this year’s survey. The rapid pace of change and disruptive innovations are leading to dramatic changes in the marketplace. In reaction to those changes, customer preferences are shifting rapidly, making it difficult to retain customers in an environment of slower growth. Not only is preserving customer loyalty more cost-effective than acquiring new customers, but loyal customers are also more likely to purchase higher-margin products and services over time. Loyal customers reduce marketing costs, as well as costs associated with educating customers. That is why sustaining customer loyalty and retention is a high priority for customer-focused organizations.
  9. Existing operations may not be able to meet performance expectations related to quality, time to market, cost, and innovation as well as competitors do (10). Performance gaps can be deadly if left unaddressed over a long period. Poor performance in relation to competitors is simply not sustainable.
  10. New technologies may disrupt the organization’s business model (10). This risk tied for tenth on last year’s list with other risks, but now has a definitive hold on this spot. It deals with disruptive innovation and/or new technology within the industry outpacing an organization’s ability to compete without making significant changes to its business model. While the velocity of this risk is typically not as immediate as a catastrophic event, it is potentially lethal if the organization finds itself on the wrong side of the change wave.

Several risks reported last year fell out of the top 10 risks for 2015. For example, uncertainty surrounding political leadership limiting growth opportunities was third on the list last year. This risk fell a long way in this year’s survey, possibly because business leaders have grown accustomed to the geopolitical tensions and political gridlock realities of the current era.

Anticipated volatility in global financial markets and currencies creating challenges was eighth last year, and uncertainty surrounding costs of complying with healthcare reform legislation in the United States limiting growth was ninth. With respect to the latter, the risk declined in significance largely because many employers have grown comfortable with methods for capping their exposure to healthcare reform costs; however, the healthcare provider industry in the United States will likely continue to face challenges due to healthcare reform in the coming years.

Another notable survey finding: Compared to last year, there was an uptick in the number of respondents reporting that their organizations will devote additional time and/or resources to risk identification and management over the next 12 months.

Questions for Boards

The board of directors may want to consider the above risks in evaluating its risk oversight focus for the coming year in the context of the nature of the entity’s risks inherent in its operations.

Jim DeLoach is a managing director with Protiviti and works closely with companies to improve their board risk oversight, including the communications between management and the board.