North Carolina State University’s Enterprise Risk Management Initiative and Protiviti have completed their latest survey of C-level executives and directors regarding the macroeconomic, strategic, and operational risks their organizations face. More than 500 board members and C-level executives participated in this year’s study. Noting some common themes, we’ve ranked the risks in order of priority on an overall basis below. Last year’s rankings are included in parentheses:
No. 1 (previously No. 1)—Regulatory changes and scrutiny may increase, noticeably affecting the manner in which organizations’ products or services will be produced or delivered. This risk has been ranked at the top in each of the surveys we’ve conducted over the past four years, and is the top risk in many industry groups. The cost of regulation and its impact on business models remain high in many industries.
No. 2 (previously No. 2)—Economic conditions in markets the organization currently serves may significantly restrict growth opportunities. Declining oil and gas prices, equity markets, and commodity prices, in general, have contributed to economic uncertainty. Short-termism is a concern as business investment has yet to catch up with pre-financial crisis levels. A new normal may be unfolding as businesses adapt their operations to an environment of slower organic growth.
No. 3 (previously No. 3)—The organization may not be sufficiently prepared to manage cyber threats that have the potential to significantly disrupt core operations and/or damage its brand.This risk continues to be an issue of escalating concern. The harsh glare of the public spotlight on high-profile breaches at major retailers, global financial institutions and other organizations has led executives and directors to realize it is most likely not a matter of if a cyber risk event might occur, but when.
No. 4 (previously No. 4)—Succession challenges and the ability to attract and retain top talent may limit the ability to achieve operational targets. As roundtables facilitated by the National Association of Corporate Directors and Protiviti in 2015 indicated, directors understand that talent strategy is inexplicably tied to overall business strategy. Companies need talented people with the requisite knowledge, skills, and core values to execute challenging growth and innovation strategies.
No. 5 (previously No. 7)—Privacy, identity, and information security risks may not be addressed with sufficient resources. The technological complexities giving rise to cybersecurity threats also spawn increased privacy/identity and other information security risks. As the digital world enables individuals to connect and share information, it presents more opportunities for companies to lose sensitive customer and private information, in effect, creating a “moving target” for companies to manage.
No. 6 (previously No. 11)—Rapid speed of disruptive innovations and/or new technologies within the industry may outpace the organization’s ability to compete and/or manage the risk appropriately, without making significant changes to the business model. Innovation can be disruptive if it improves the customer experience in ways that the market does not expect, typically by lowering the price significantly, or by designing a product or service that transforms the way in which the consumer’s needs are fulfilled. Whereas disruptive innovations may have once taken a decade or more to transform an industry, the elapsed time frame is compressing significantly, leaving very little time for reaction. Sustaining a business model in the face of digitally enabled competition requires constant innovation to stay ahead of the change curve.
No. 7 (previously No. 6)—Resistance to change could restrict the organization from making necessary adjustments to the business model and core operations. Positioning the organization as agile, adaptive, and resilient in the face of change is top-of-mind for many executives and directors. It’s a smart move. Early movers that exploit market opportunities and respond to emerging risks are more likely to survive and prosper in a rapidly changing environment.
No. 8 (previously No. 17)—Anticipated volatility in global financial markets and currencies may create significant, challenging issues for an organization to address. There are many forces at work that intensify this risk, e.g., high asset prices, slowing global growth, China’s approach to foreign exchange, declining commodity prices, uncertainty associated with central bank policies, and less confidence in policymakers’ ability to respond to market issues quickly and effectively.
No. 9 (previously No. 5)—The organization’s culture may not sufficiently encourage timely identification and escalation of significant risk issues. The collective impact of the tone at the top, tone in the middle and tone at the bottom on risk management, compliance and responsible business behavior has a huge effect on timely escalation of risk issues to the people who matter. This is a cultural issue requiring constant attention by management and oversight by the board.
No. 10 (previously No. 9)—Sustaining customer loyalty and retention may be increasingly difficult due to evolving customer preferences and/or demographic shifts in the existing customer base. Disruptive innovations and the rapid pace of change continue to drive significant changes in the marketplace. Customer preferences are subject to rapid shifts, making it difficult to retain customers in an environment of slower growth. Sustaining customer loyalty and retention is a high priority for customer-focused organizations because senior executives know that preserving customer loyalty is more cost-effective than acquiring new customers.
A board of directors may want to consider the above risks in evaluating its risk oversight focus for the coming year in the context of the nature of the entity’s risks inherent in its operations. If the company has not identified these issues as risks, directors should consider asking why not.
Jim DeLoach is a managing director with Protiviti, a global consulting firm.