The latest global survey of C-level executives and directors of the macroeconomic, strategic and operational risks that organizations face indicates an increasingly risky year ahead. Protiviti’s Jim DeLoach discusses the risks keeping executives up at night.
Overall, 825 C-level executives and directors participated in this year’s global study, with 45 percent representing companies based in North America. As with our prior studies, the survey results captured significant uncertainties by industry, executive position, company size and type and geographic area. The important message is that the survey participants noted increasing risks looking forward to 2019 compared to last year.
Consistent with prior years, there is variation in views among boards and C-suite executives regarding the magnitude and severity of risks for 2019. This finding suggests the need for dialogue at the highest levels of the organization to ensure everyone agrees as to the critical enterprise risks.
Below, we rank the common risk themes in order of priority, noting the previous year’s top 10 rank parenthetically. This summary provides a context for understanding the most critical uncertainties companies face over 2019.
Leading Risks Organizations Face This Year
- Existing operations and legacy IT systems may not be able to meet performance expectations related to quality, time to market, cost and innovation, as well as competitors, especially “born digital” and/or low-cost-base competitors or established competitors with superior operations (#10 in 2018). This risk is a composite of several significant uncertainties: the company’s digital readiness, its lack of resiliency and agility in staying ahead of or keeping pace with changing market realities, the restrictive burden of significant technical debt, the lack of out-of-the-box thinking about the business model, fundamental assumptions underlying the strategy and the existence or threat of more nimble competitors. With the reduction of entry barriers, established incumbents are leery of new competitors that can grow quickly by leveraging hyperscalable digital capabilities that enable them to operate more efficiently, digitize new products and services, enhance the customer experience and/or transform the business model.
- Succession challenges and the ability to attract and retain top talent in a tightening talent market may limit ability to achieve operational targets (#6 in 2018). Labor markets continue to tighten as unemployment declines to levels at which economists debate the theoretical point where full employment is reached. Vital specialized knowledge and subject matter expertise are becoming harder to acquire and retain on a cost-effective basis. What’s at stake is sustaining the workforce with the requisite talent and skills needed to think out of the box in a rapidly changing digital marketplace, execute high-performance business models and implement increasingly demanding growth strategies.
- Regulatory changes and scrutiny may heighten, noticeably affecting the way products or services will be produced or delivered (#4 in 2018). For each of the seven years we have conducted this global survey, regulatory risk has been a top five risk. That it increased in comparison to last year is likely due to increased scrutiny at federal, state and local levels on a variety of regulatory fronts, particularly in Europe. Uncertainty over the results of the forthcoming U.S. midterm elections may have also weighed on the minds of respondents from the United States (our survey was conducted in September-October 2018).
- Lack of preparedness to manage cyberthreats that have the potential to significantly disrupt core operations and/or damage the brand (#3 in 2018). This risk is no surprise. There are two categories of companies: those that have been breached and know it, and those that have been breached but don’t know it yet. Cybersecurity is a moving target, as innovative digital transformation initiatives, cloud computing adoption, mobile device usage, machine learning and other applications delivering exponential increases in computing power continue to outpace the security protections companies have in place. Increasingly sophisticated attacks on the human perimeter by perpetrators of cybercrime add to the uncertainty. As advanced persistent threats (APTs) spread, public disclosure requirements tighten and reputation hits from significant breaches increase in severity, the stakes for effective cybersecurity spiral upward.
- Resistance to change may restrict ability to make necessary adjustments to the business model and core operations (#2 in 2018). Enabling change continues to be a significant priority for just about every organization on the planet, for change is becoming a way of life for most companies. Whether covert or overt, resistance to necessary change spawned by disruptive innovations that alter business fundamentals can be lethal. Strategic error in the digital economy can result in the ultimate price if a company continues to play a losing hand in the marketplace, ultimately suffering what a well-known CEO refers to as “stasis, followed by irrelevance, followed by excruciating, painful decline, followed by death.” Board members and C-suite executives recognize the importance of positioning their organization as early movers in exploiting market opportunities and responding to emerging risks.
- Rapid speed of disruptive innovations and/or new technologies within the industry may outpace ability to compete and/or manage the risk appropriately, without making significant changes to the business model (#1 in 2018). The top risk last year, this strategic risk remains important. With the onslaught of advances in digital technologies and rapidly changing business models, organizations must be agile and resilient in elevating their customers’ experiences, digitizing new products and services, increasing the velocity of quality decision-making and sustaining operational excellence. The big challenge with disruptive change is that even when executives are aware of emerging technologies that obviously have disruptive potential, it isn’t easy deciding how to respond. This risk is especially a concern for board members and CEOs, with both groups of respondents rating it as a top five risk concern.
- Privacy/identity management and information security risks may not be addressed with enough resources (#7 in 2018). Holding its own at the seventh spot, this risk is likely to remain a top 10 risk for a long time. The proliferation of legislation to protect privacy of personal information has created enormous complexities for businesses, with the teeth of potential fines, penalties and reputation loss that cannot be ignored. As the expanding digital economy enables businesses and third-party organizations to house sensitive information obtained in many ways, fresh exposures to sensitive customer and personal information and identity theft present themselves.
- Inability to utilize data analytics and “big data” to achieve market intelligence and increase productivity and efficiency may significantly affect core operations and strategic plans (#9 in 2018). Respondents continue to be concerned with their ability to harness the power of data and advanced analytics to achieve competitive advantage and manage operations more effectively. The prevailing view is that knowledge differentiates in the digital marketplace, as the winners will be those companies that capture and analyze the insightful, clarifying intelligence that positions them to be nimbler and more responsive to market shifts and changing customer preferences than competitors.
- The organization’s culture may not sufficiently encourage timely identification and escalation of significant risk issues that have the potential to significantly affect core operations and achievement of strategic objectives (#5 in 2018). The effectiveness of formal and ad hoc upward communication processes is of vital importance to keeping an organization’s leaders in touch with business realities. Coupled with concerns over resistance to change, the presence of this risk reflects on the strength of the organization’s culture, including its tone at the top, mood in the middle and buzz at the bottom.
- Sustaining customer loyalty and retention may be increasingly difficult due to evolving customer preferences and/or demographic shifts in the existing customer base (not ranked in 2018). Companies with highchurn rates incur significant costs in replacing lost customers. Sustaining customer loyalty and retention is about increasing profitability through superior top-line performance and reduced marketing costs and other costs associated with educating new customers. Customer preferences can shift rapidly in the digital age, but companies must keep pace with such shifts and retain customers in an environment where growth rates are modest in certain sectors.
One risk – economic conditions in markets the organization currently serves significantly restricting growth opportunities – fell from eighth on last year’s global top 10 risks list to the 11th spot this year, continuing the trend of declining macroeconomic risks noted by our risk surveys over recent years. Interestingly, board members and CEOs rated economic conditions as a top five risk, ranking it in the third and fourth spots, respectively. In addition, while most survey respondents do not rate concerns about economic conditions in domestic and international markets as a top 10 risk, developments occurring since our survey period ended on October 3 could be altering those perceptions.
Geographically, the results varied. Board members and executives from North America ranked the same top five risks as reported globally, with resistance to change and cyber risk in the fourth and fifth spots, respectively. Europe ranked regulatory risk at the top spot and economic conditions as the fourth-highest risk, with cyber risk, competitor risk and talent risk rounding out the top five. Respondents from Asia reported big data and supply chain issues as top five concerns, along with people risk, regulatory risk and competitor risk. Respondents from Australia/New Zealand, Latin America, the Middle East and India reported the same top risks as the global results, except for cyber risk; in its place was the risk of disruptive innovation.
Looking forward, the message is that digital disruption is a main driver of risk impacting uncertainty over business model viability, customer preferences, the competitive landscape, workplace dynamics and the war for talent and even regulatory demands. Clearly, organizations must align their culture, people, processes and intelligence gathering to embrace this rapidly changing business environment. Risks have increased, both individually and overall, pointing to a perceived higher risk environment over the next 12 months. The mix of the top 10 risks is largely unchanged, but the ranking order has shifted. Seven of the top risks are operational in nature and the other three, strategic. The top risks also vary in different regions across the globe. It all adds up to exciting times ahead.
Senior executives and their boards may want to consider the above risks in evaluating their risk oversight focus for the coming year in the context of the nature of the entity’s risks inherent in its operations. If their companies have not identified these issues as risks, directors should consider their relevance to the company’s business and ask, “Why not?”
 Executives Perspectives on Top Risks for 2018, Protiviti and North Carolina State University’s ERM Initiative, available at www.protiviti.com.
 Jeff Bezos’s letter to Amazon shareholders, April 2017, available at https://blog.aboutamazon.com/company-news/2016-letter-to-shareholders.