The top risks for 2018 provide interesting insight into changing risk profiles across the globe. Protiviti and North Carolina State University’s Enterprise Risk Management Initiative have completed the latest survey of 728 directors and C-level executives regarding the macroeconomic, strategic, and operational risks their organizations face.
We ranked the top risk themes in order of priority, providing a context for understanding the most critical uncertainties companies are facing as they move forward into 2018.
1. The rapid speed of disruptive innovations and new technologies within the industry may outpace the organization’s ability to compete or manage risk appropriately. With advancements in digital technologies and rapidly changing business models, are organizations agile enough to respond to developments that alter customer expectations and require change to their core business models? Disruption of business models by digital innovations is a given in this environment. Even when executives are aware of emerging technologies that obviously have disruptive potential, it is often difficult for them to have the vision to anticipate the nature and extent of change and the decisiveness to act on that vision. In this environment, emotional attachment to the business model can be dangerous because significant adjustments to it are inevitable.
2. Resistance to change could restrict the organization from making necessary adjustments to the business model and core operations. This risk and the risk of disruptive change present a dilemma to companies. On the one hand, there is concern about inevitable disruptive change and, on the other hand, a fear the enterprise will not be agile and resilient enough to adapt to that inevitability. This resistance could lead to failure to innovate and force reactionary responses when it’s far too late.
3. The organization may not be sufficiently prepared to manage cyber threats that could significantly disrupt core operations and damage its brand. To no one’s surprise, this risk is listed among the top five risks in each of the four size categories of organizations we examined. Both directors and CEOs rated this risk as their second highest risk concern. Technological advancement is constantly outpacing the security protections companies have in place.
4. Regulatory changes and scrutiny may heighten, noticeably affecting the manner in which organizations’ products or services will be produced or delivered. Regulatory risk, which has been one of the top two risk concerns in all prior years that we have conducted this survey, has dropped some in 2018. However, it is still a major concern for executives and directors. Sixty-six percent of our respondents rated it as a “Significant Impact” risk.
5. The organization’s culture may not sufficiently encourage timely identification and escalation of significant risk issues that could notably affect core operations and achievement of strategic objectives. This issue, coupled with concerns over resistance to change, can be lethal if it leads to the organization’s leadership losing touch with business realities. If there are emerging risks and the organization’s leaders are not aware of them, the entity has a problem.
6. Succession challenges and the ability to attract and retain top talent may limit the ability to achieve operational targets. Likely triggered by a tightening labor market, this risk is especially prevalent for entities in the consumer products and services, healthcare and life sciences, and energy and utilities industries. To thrive in the digital age, organizations need to think and act digital, requiring a different set of capabilities and strengths. This risk indicates that directors and executives believe their organizations must up their game in acquiring, developing, and retaining the right talent.
7. Privacy, identity management, and information security risks may not be addressed with sufficient resources. Given the high-profile reports of hacking and other forms of cybersecurity intrusion reported in 2017, this risk is somewhat expected. As the digital world evolves and enables individuals to connect and share information, fresh exposures to sensitive customer and personal information and identity theft also spring up.
8. Economic conditions in markets the organization currently serves may significantly restrict growth opportunities. However, the drop in this risk’s ranking from prior years suggests that respondents seem more positive about macroeconomic issues going into 2018.
9. Inability to utilize data analytics to achieve market intelligence and increase productivity and efficiency may significantly affect core operations and strategic plans. Respondent concerns are growing regarding their company’s ability to harness the power of data and advanced analytics to achieve competitive advantage, manage operations, and respond to changing customer preferences. In the digital age, knowledge wins. Advanced analytics are the key to unlocking insights that can differentiate companies in the marketplace.
10. Companies that were not “born digital” face significant operational challenges. Companies that are not steeped in digital operational culture may not be able to meet performance expectations related to quality, time to market, cost, and innovation. Competitors with superior operations—and those digital companies with low operations costs—present notable risk that is only heightened in the digital economy. Hyperscalability of digital business models and lack of entry barriers enable new competitors to emerge and scale redefined customer experiences very quickly, making it difficult for incumbents to see change coming, much less react in a timely manner to preserve customer loyalty.
The overall message of this year’s study is that the rapid pace of change in the global marketplace creates a risky operating environment for entities of all types. The board of directors may want to evaluate its risk oversight focus for the coming year in the context of the nature of the entity’s risks inherent in its operations. If their companies have not identified these issues as risks, directors should consider their relevance and ask why not.
Jim DeLoach is managing director of Protiviti.