The top risks for 2018 provide interesting insight into changing risk profiles across the globe. Protiviti and North Carolina State University’s Enterprise Risk Management Initiative have completed the latest survey of 728 directors and C-level executives regarding the macroeconomic, strategic, and operational risks their organizations face.
1. The rapid speed of disruptive innovations and new technologies within the industry may outpace the organization’s ability to compete or manage risk appropriately. With advancements in digital technologies and rapidly changing business models, are organizations agile enough to respond to developments that alter customer expectations and require change to their core business models? Disruption of business models by digital innovations is a given in this environment. Even when executives are aware of emerging technologies that obviously have disruptive potential, it is often difficult for them to have the vision to anticipate the nature and extent of change and the decisiveness to act on that vision. In this environment, emotional attachment to the business model can be dangerous because significant adjustments to it are inevitable.
2. Resistance to change could restrict the organization from making necessary adjustments to the business model and core operations. This risk and the risk of disruptive change present a dilemma to companies. On the one hand, there is concern about inevitable disruptive change and, on the other hand, a fear the enterprise will not be agile and resilient enough to adapt to that inevitability. This resistance could lead to failure to innovate and force reactionary responses when it’s far too late.
3. The organization may not be sufficiently prepared to manage cyber threats that could significantly disrupt core operations and damage its brand. To no one’s surprise, this risk is listed among the top five risks in each of the four size categories of organizations we examined. Both directors and CEOs rated this risk as their second highest risk concern. Technological advancement is constantly outpacing the security protections companies have in place.
4. Regulatory changes and scrutiny may heighten, noticeably affecting the manner in which organizations’ products or services will be produced or delivered. Regulatory risk, which has been one of the top two risk concerns in all prior years that we have conducted this survey, has dropped some in 2018. However, it is still a major concern for executives and directors. Sixty-six percent of our respondents rated it as a “Significant Impact” risk.
5. The organization’s culture may not sufficiently encourage timely identification and escalation of significant risk issues that could notably affect core operations and achievement of strategic objectives. This issue, coupled with concerns over resistance to change, can be lethal if it leads to the organization’s leadership losing touch with business realities. If there are emerging risks and the organization’s leaders are not aware of them, the entity has a problem.
6. Succession challenges and the ability to attract and retain top talent may limit the ability to achieve operational targets. Likely triggered by a tightening labor market, this risk is especially prevalent for entities in the consumer products and services, healthcare and life sciences, and energy and utilities industries. To thrive in the digital age, organizations need to think and act digital, requiring a different set of capabilities and strengths. This risk indicates that directors and executives believe their organizations must up their game in acquiring, developing, and retaining the right talent.
7. Privacy, identity management, and information security risks may not be addressed with sufficient resources. Given the high-profile reports of hacking and other forms of cybersecurity intrusion reported in 2017, this risk is somewhat expected. As the digital world evolves and enables individuals to connect and share information, fresh exposures to sensitive customer and personal information and identity theft also spring up.
8. Economic conditions in markets the organization currently serves may significantly restrict growth opportunities. However, the drop in this risk’s ranking from prior years suggests that respondents seem more positive about macroeconomic issues going into 2018.
9. Inability to utilize data analytics to achieve market intelligence and increase productivity and efficiency may significantly affect core operations and strategic plans. Respondent concerns are growing regarding their company’s ability to harness the power of data and advanced analytics to achieve competitive advantage, manage operations, and respond to changing customer preferences. In the digital age, knowledge wins. Advanced analytics are the key to unlocking insights that can differentiate companies in the marketplace.
10. Companies that were not “born digital” face significant operational challenges. Companies that are not steeped in digital operational culture may not be able to meet performance expectations related to quality, time to market, cost, and innovation. Competitors with superior operations—and those digital companies with low operations costs—present notable risk that is only heightened in the digital economy. Hyperscalability of digital business models and lack of entry barriers enable new competitors to emerge and scale redefined customer experiences very quickly, making it difficult for incumbents to see change coming, much less react in a timely manner to preserve customer loyalty.
The overall message of this year’s study is that the rapid pace of change in the global marketplace creates a risky operating environment for entities of all types. The board of directors may want to evaluate its risk oversight focus for the coming year in the context of the nature of the entity’s risks inherent in its operations. If their companies have not identified these issues as risks, directors should consider their relevance and ask why not.
Few organizations or boards are capable of answering this question with any degree of certainty. Yet, the question is being raised with greater frequency and urgency due to actions by investors, regulators, customers, supply-chain partners, and competitors.
Across every industry the increased focus on climate change is accelerating other megatrends such as disruptive technologies, digitization, urbanization, and evolving demographics. Underpinning these megatrends are a combination of technological leaps and upheavals in global society and the environment that will reshape economies, businesses, and lifestyles. For example, over $1 trillion worth of new markets for manufacturers are expected to develop over the next decade as industries transform. This shifting landscape creates many uncertainties, risks, and opportunities for new products, services, supply-chain structures, and improvements in resource management, among many others.
Taken as a whole, these pressures are driving companies to better assess, define, and enact strategies to increase their climate resilience. In their strategic oversight role, boards need better insights on the direct impacts of climate change on the organization as well as the indirect risks and opportunities associated with transitioning to a lower-carbon economy.
Yet, recent NACD corporate governance survey data suggests that many boards need a rethink on this issue. Six percent of respondents indicated that climate change would have the greatest impact on their businesses over the next year. The previous year’s report found that over 90 percent of public company directors believe that climate change would have negligible impact over the next five years.
Companies that focus primarily on climate change’s projected physical impacts, expected to play out over the coming decades, will have “blind spots” to the indirect risks associated with the transition to a lower-carbon economy. Companies must go on the offensive to build climate resilience in order to gain competitive advantage.
Climate resilience is the capacity to adapt and succeed in the face of the direct and indirect impacts of climate change. In addition to addressing and managing risks, it encompasses the ability to capitalize on the strategic opportunities presented by the shift to a lower-carbon and resource-constrained economy.
To provide boards with a line of sight into their organization’s climate resilience, management teams can undertake one or more of the following actions:
assess climate vulnerability of operations and facilities;
embed climate impacts into enterprise risk management programs; or
undertake scenario analysis to enhance decision making around risks and opportunities.
As a start, companies can model the risk of physical assets to identify location-level risk exposure and the vulnerability of properties and assets to evolving weather events and climate change. A geographic portfolio review can also help map demographic and infrastructure vulnerabilities to natural hazards to better understand how supply chains may be impacted by weather events.
Existing enterprise risk management (ERM) and risk assessment processes can be used to increase awareness of climate risks and better assess resilience across the organization. Leading organizations are using their ERM processes to identify how direct and indirect climate impacts—including regulatory and technology developments—serve to accelerate or otherwise change the velocity of other trends and risk events. Framing climate as a risk driver helps to align the timeframe of the risk and opportunity assessment to that of most corporate planning cycles.
Scenario analysis is recommended by the Financial Stability Board’s Task Force on Climate-related Financial Disclosures as a technique to assess climate impacts. Modeling different environmental scenarios (such as warming by a margin of 2 degrees Celsius and the associated changes) gives form to the amorphous problem of climate change and provides mechanisms to discuss potential future states of operation. In selecting and devising scenarios, companies should consider the appropriate trade-offs in quantification, but also avoid excess complexity and optionality. When assessing operational climate-risk resilience, it is critical to include at least one favorable and one unfavorable scenario. This empowers organizations to make informed decisions regarding their longer-term strategies.
Overall, it is clear that the dialogue on climate change within boardrooms and among C-suites of companies across all sectors must evolve to a focus on how climate change will impact their businesses. The real measure of a climate-competent board is one that can address this critical question: how climate-resilient is the organization?
Lucy Nottingham is a director in Marsh & McLennan Companies’ Global Risk Center and leads research programs on governance and climate resilience. All thoughts expressed here are her own.
In recent years, ERM implementations have generally focused on three questions:
Do we know what our key risks are?
Do we know how they’re being managed?
How do we know?
In responding to these three questions, executive management and boards in some companies have made progress in differentiating the truly critical enterprise risks from the risks associated with day-to-day business operations.
While seeking these answers is a useful exercise, is it enough? Directors should also ask:
Is our ERM approach helping us identify flaws and weaknesses in our strategy on a timely basis?
Is our organization able to recognize the signs of disruptive change, and is it agile and resilient enough to adapt?
Do we truly consider risk and return in our decision-making processes or do we blindly follow the herd and remain emotionally invested in the comforts of our business model?
Do we seek out what we don’t know? Are we prepared for the unexpected?
Is everyone competing for capital and funding with rose-colored glasses, making the resource and budget allocation process a grabfest?
Yes, companies have made progress in various ways with enterprise risk management, but depending on the answers to the above questions, more needs to be done.
Adoption and application of COSO’s Framework could alter the conversation by clarifying the importance of integrating risk, strategy, and enterprise performance. While a stand-alone process may be worthwhile and useful, it is not ERM as defined by COSO. The framework introduces five interrelated components and outlines 20 relevant principles arrayed among those components, offering a benchmarking option for companies seeking to enhance their ERM approach.
Four observations frame what COSO is looking for:
Integrate ERM with strategy. There are three dimensions to integrating ERM with strategy-setting and execution:
risks to the execution of the strategy;
implications from the strategy (meaning each strategic option has its unique risk-reward trade-off and resulting risk profile); and
the possibility of the strategy not aligning with the enterprise’s mission, vision and core values.
All three dimensions need to be considered as part of the strategic management process.
Integrate risk with performance. Risk reporting is not an isolated exercise. Operating within the bounds of an acceptable variation in performance provides management with greater confidence that the entity will achieve its business objectives and remain within its risk appetite.
Lay the foundation for ERM with strong risk governance and culture. The board and CEO must be vigilant in ensuring that pressures within the organization are neither excessive nor incentivizing unintended consequences. Such pressures may be spawned by unrealistic performance targets, conflicting business objectives of different stakeholders, disruptive change altering the fundamentals underlying the business model, and imbalances between rewards for short-term financial performance and stakeholders focused on the long term.
Tie risk considerations into decision-making processes. COSO defines “relevant information” as information that facilitates informed decision-making. The more information contributes to increased agility, greater proactivity, and better anticipation of changes to the enterprise, the more relevant it is and the more likely the organization will execute its strategy successfully and achieve its business objectives.
Boards should urge the executives within their companies to consider the principles embodied by the COSO framework to advance their current ERM approach. In this regard, we suggest organizations focus on three keys:
Position the organization as an early mover. When a market shift creates an opportunity to create enterprise value or invalidates critical assumptions underlying the strategy, it may be in an organization’s best interests to recognize that insight and act on it as quickly as possible. The question is: When the entity’s fundamentals change, which side of the change curve will it be on? Will it be facing a market exploitation opportunity, or will it be looking at the emerging risk of an outdated strategy? The organization attains time advantage when it obtains knowledge of a unique market opportunity or an emerging risk and creates decision-making options for its leaders before that knowledge becomes widely known.
Address the challenges of risk reporting. Consistent with the objective of being an early mover, risk reporting should help organizations become more agile and nimble in responding to a changing business environment. To truly impact decision-making, risk reporting must address three questions:
Are we riskier today than yesterday?
Are we entering a riskier time?
What are the underlying causes?
Risk reporting is often not actionable enough to support decision-making processes. Once risk reporting is designed to answer these three questions, it becomes the key to evolving ERM to a “risk-informed” decision-making discipline.
Preserve reputation by maximizing the lines of defense. How do organizations safeguard themselves against reputation-damaging breakdowns in risk and compliance management? The widely accepted lines-of-defense model consists of three lines of defense. The first line consists of the business unit management and process owners whose activities give rise to risk. The second line consists of the independent risk and compliance functions, and internal audit is the third line. Also important is the tone of the organization—the collective impact of the tone from the top, the tone from the middle, and the tone at the bottom on risk management, compliance, and responsible business behavior. The proper tone lays the cultural foundation for the effective functioning of each of the three lines of defense. Arguably, the final line of defense is senior management and the board. For example, top management acts on risk information on a timely basis when significant issues are escalated and involves the board when necessary.
These three keys offer a focused line of sight for companies and their boards seeking to advance their ERM approach consistent with the principles and guidance in the updated COSO framework. The relationship of ERM to the processes the CEO values most can be compared to the contribution of salt, pepper, and other seasonings to a sumptuous meal. The objective is to enhance the outcomes that the organization is attempting to achieve by enabling it to be more adaptive in a volatile, complex, and uncertain world.