Leaders of organizations of virtually every size, industry and geographic location are reminded all too frequently that they operate in an increasingly risky world. Protiviti’s Jim DeLoach provides an update from the ERM Initiative of the various risks organizations face relative to two years ago.
Overall, 1,063 C-level executives and directors participated in this year’s global study, with 39 percent representing companies based in North America, 22 percent in Europe, 18 percent in Asia and Australia/New Zealand and the remaining 21 percent from Latin America, the Middle East, India and Africa.
Conducted online in the fall of 2019, the survey asked each respondent to rate 30 individual risk issues using a 10-point scale, where a score of 1 reflects “No Impact at All” and a score of 10 reflects “Extensive Impact” to their organization over the next year. For each of the 30 risk issues, we computed the average score reported by all respondents. Using mean scores across respondents, we rank-ordered risks from highest to lowest impact.
Below, we rank the common risk themes in order of priority, noting the previous year’s rankings parenthetically. This summary provides a context for understanding the most critical uncertainties companies face in 2020.
The Top Risks This Year
1. Regulatory change and heightened regulatory scrutiny impacting operational resilience and production and delivery of products and services (4)
Over the eight years we have conducted this survey, this risk has been in the #1 or #2 spot each year — except for the last two years, when it was slightly lower, but still in the list of top five risks. It continues to represent a major source of uncertainty among the majority of organizations, given that 70 percent of respondents rated it as a significant risk issue.
The overarching concern relates to how different types of regulatory requirements and oversight may lead to disruptions in business models and constrict companies’ ability to innovate in certain areas. For example, shifts in regulations related to privacy, product development and approval, trade and tariff policies, the environment, social issues and broader governance expectations have been happening and continue to happen around the world, impacting any organization that wishes to do business both within and outside its home-country borders.
2. Economic conditions restricting growth prospects in relevant markets (11)
This is a concern for most respondents, with some exceptions noted below. Over 70 percent of respondents rated this concern as a significant risk issue for 2020. While the overall global economy remains relatively strong, there has been growing speculation – particularly in the United States – that the long streak of economic growth may stall in the near term. While no one knows that for sure, economic growth has, in fact, declined in the U.S., China and other countries.
In addition, volatility in equity markets, changes in the U.S. federal funds rate, actions by other central banks, multiple tariff and trade policy disputes and negotiations and the continued uncertainty surrounding the United Kingdom’s break from the European Union have executives on the edge of their seats, wondering if an economic downturn is on the near-term horizon. Interestingly, economic concerns are in the top-five list of risks for all regions of the world, except in North America.
3. Succession challenges and talent acquisition and retention (2)
The risk of succession challenges and the ability to attract and retain talent remains among the top five risks for 2020, in light of continued record-low unemployment in many regions of the world. To thrive in the digital age, organizations need to think and act digitally and have the capabilities to execute digital plans. This vital specialized knowledge and subject-matter expertise are in high demand and becoming harder to acquire and retain on a cost-effective basis. Respondents continue to perceive that significant operational challenges may arise if organizations are unable to build and sustain a workforce with the skills needed to implement their growth strategies, forcing them to consider alternative forms of labor. Shifts in how individuals want to work, their ability to be nimble enough to adjust to the changing nature of work and their lifestyle preferences are straining the ability of organizations to attract and retain the talent needed. What’s at stake is sustaining a workforce with the requisite talent and skills needed to think creatively in a rapidly changing digital marketplace, execute high-performance business models and implement increasingly demanding growth strategies.
4. Existing operations, infrastructure and digital capabilities unable to adjust to “born digital” competitors or those with superior performance (1)
Respondents remain noticeably concerned about the ability of their organizations — relative to competitors — to adjust their existing operations, IT infrastructure and digital capabilities to meet performance expectations. That risk concern raced from the number 10 position in 2018 to the number one position for 2019.
While dropping slightly to the number four position for 2020, it is nonetheless a significant risk concern for 67 percent of our respondents. This concern may be a composite of several significant uncertainties — the company’s digital readiness, its lack of resiliency and agility needed to stay ahead of or keep pace with changing market realities, the restrictive burden of significant technical debt, the lack of out-of-the-box thinking about the business model and fundamental assumptions underlying the business strategy and the existence or threat of more nimble or “born digital” competitors.
For most companies today, it’s not a question of whether digital will upend their business, but when. Even when executives are aware of emerging technologies that obviously have disruptive potential, it is often difficult to clarify the implications of the vision or foresight that anticipates the nature and extent of change — particularly if the organization does not think or act digitally at its core.
5. Resistance to change (5)
As major business model disruptors emerge — whether from technology advancements, competitor actions, regulations or other sources — respondents are growing even more focused on their organizations’ potential unwillingness or inability to make necessary timely adjustments to the business model and core operations that might be needed to respond to change.
Executives continue to be concerned about their ability to enact change, despite the reality that change has become a way of life for most companies. Whether covert or overt, resistance to changes necessary to deal with disruptive innovations or regulatory constraints that alter business fundamentals can be catastrophic. Strategic error in the digital economy can result in a company paying the ultimate price if it continues to play a losing hand in the marketplace. For example, the blending of this risk with the fourth-ranked risk above — the inability to adjust existing operations, IT infrastructure and digital capabilities to compete with more nimble competitors — creates a potentially lethal combination.
6. Managing cyber threats (4)
Cybersecurity continues to be a moving target as innovative digital transformation initiatives, cloud computing adoptions, mobile device usage, robotics, machine and deep learning and other applications of exponential increases in computing power continue to outpace the security protections many companies have in place. Increasingly sophisticated attacks by perpetrators of cybercrime add to the uncertainty. There are two categories of organizations: those that have been breached and know it and those that have been breached but don’t know it yet. Respondents recognize that reality, with two-thirds of our respondents rating this risk as a significant impact risk concern for 2020.
7. Privacy and identity management (7)
The proliferation of data gathered and stored for long periods by all types of organizations across international borders is exponentially increasing operational challenges related to the tracking, warehousing and protecting of that data. Accidental missteps in how organizations handle these operations may inadvertently reveal information deemed to be private or proprietary. The proliferation of legislation to protect the privacy of personal information initiated in the European Union and spreading to the United States and elsewhere across the planet has created enormous complexities for business, with companies facing potential fines, penalties and reputation loss that cannot be ignored. As the expanding digital economy enables businesses and third-party organizations to house sensitive information obtained in many ways, the potential exposure of that information raises such questions as how much data is too much data, does the organization need effective guardrails around data collection to manage its risk, and is the monetizing of the data collected delivering a return on investment that makes the risk of collecting and managing the data worthwhile?
8. Culture may not encourage timely escalation of risk issues (9)
Respondents continue to highlight the need to give attention to the overall culture of the organization to ensure it is sufficient to encourage the timely identification and escalation of risk issues. This risk issue was added to our 2015 risk survey, and it has been ranked in the top 10 risks each year since that time.
It is a risk that executives may want to focus their attention on, as it signals a noticeable concern that employees across the organization may be aware of risks, but for whatever reason, are reluctant to escalate them to executive management or the board. That reluctance may be triggered by a lack of knowledge among employees about the process for escalating risk concerns and when to use it. If so, that problem can be solved through education and constant communication.
Alternatively, the reluctance may stem from a dysfunctional culture that reflects employees’ fear about potential retribution if they were to escalate a risk concern. Whatever the reason, the number of instances in which an organization’s leaders are unaware of internally caused, reputation-damaging risks and surprises until the point of revelation is troubling. The presence of this risk, coupled with concerns over resistance to change, reflects on the state of an organization’s overall culture.
9. Sustaining customer loyalty and retention may be becoming increasingly difficult (10)
Younger generations who have grown up in a technology-centric world view digital technologies as native, transforming the traditional ways organizations deliver products and services. The growing presence of app-based platforms, digital marketing and other online ordering and delivery services is shocking many businesses used to the traditional forms of customer interactions. If organizations cannot adjust their operations, legacy IT infrastructure and digital capabilities (as discussed above), they may not meet the expectations of their core customers in a manner sufficient to retain their loyalty. Sustaining customer loyalty and retention is about driving continued superior top-line performance and reduced marketing costs and other costs associated with educating new customers.
10. The adoption of digital technologies in transforming the business may require new skills that the organization may not be able to attract or retain (NEW)
Added to our 2020 survey, this risk debuted in the top 10, reflecting an overall concern among survey respondents that the adoption of digital technologies — such as artificial intelligence (AI), robotics and natural language processing — in their organizations may require new skills that either are in short supply or require significant efforts to upskill and reskill existing employees.
AI-enabled technologies will greatly influence — often by enabling and sometimes by making more complex — how companies design and manage their labor models. As the future world of work evolves, organizations need to optimize their mix of internal, contracted and interim human talent and electronic workers (machines and algorithms). This task entails changing the entity’s current job structures — potentially displacing a significant number of existing job roles — and reorganizing these structures in a different framework of discrete, deconstructed units deploying a range of approaches, relationships and technologies.
This framework might include, on the human side, outsourcing and offshoring, consulting partnerships, interim staffing, business process as a service (BPaaS) relationships, managed services and a variety of “human cloud” arrangements. But it also includes a technological side, such as robotic process automation and AI-enabled technologies that both displace existing skills and demand new skills. Simply stated, technology is expected to support and shape the components of the workforce by offering additional capabilities that, if applied intelligently, will increase quality, compress elapsed time, reduce costs and enhance scalability. This reality is one that no management team or board can ignore. Without access to the talent that understands the technologies and how they can be used, organizations face being left behind competitors who can react quickly to assimilate innovations into the business.
One risk that dropped out of the top 10 this year is the concern that the rapid speed of disruptive innovations and/or new technologies within the industry may outpace the organization’s ability to compete and/or manage the risk appropriately without making significant changes to the business model. However, the nature of the top 10 risks this year — which include risks associated with the ability to adjust operations, IT infrastructure and digital capabilities to fend off threats from “born digital” players, resistance to change, talent acquisition and retention challenges, uncertainty over cyber and privacy issues, customer loyalty concerns, regulatory disruption and the effect of AI-enabled technologies on the future of work — indicates that this drop likely occurred because respondents in prior surveys were concerned about the potential for disruptive change, whereas now they are concerned about the disruption that is already upon them.
The Protiviti report includes an in-depth analysis of the risk concerns recorded in the survey. As with our prior surveys, our results offer snapshots by industry, executive position, company size and type and geographic area. We also pose key questions as a call to action for board members and executive management to consider — questions that can serve as a diagnostic to evaluate and improve their organization’s risk assessment and management processes.
One important observation, consistent with prior years, is that there is variation in views among boards and C-suite executives regarding the magnitude and severity of risks for 2020. This finding suggests the need for dialogue at the highest levels of the organization to ensure everyone agrees on the most critical enterprise risks.
Questions for Executives and Boards of Directors
Senior executives and their boards may want to consider the above risks in evaluating the risks inherent in their organization’s operations and the board’s risk oversight focus for the coming year. If the company’s risk assessment processes have not identified these issues as priority risks, executives and directors should ask why not — and consider the relevance of these issues to their business.
 “Executive Perspectives on Top Risks 2020,” Protiviti and North Carolina State University’s ERM Initiative.
 “The Implications of Technical Debt to Your Company’s Competitiveness,” by Jim DeLoach, Corporate Compliance Insights, January 23, 2020, available at www.corporatecomplianceinsights.com/implications-technical-debt/.