Fasten Your Seatbelts; It’s Going to Be a Bumpy Year

Key findings from a recent global survey of board members and C-suite leaders reveal a number of notable concerns. Near term, continued economic uncertainty is causing executives to elevate their risk management focus on multiple fronts (e.g., cyber, third-party exposure) while increasing organizational resilience. Long term, executives remain on guard for what comes next — as illustrated by the uptick in risks following several geopolitical conflicts around the world.

Protiviti and NC State University’s ERM Initiative conducted a global survey in September and October 2023 to capture perspectives on 36 risks across three dimensions — macroeconomic, strategic and operational — on the minds of 1,143 directors, CEOs and other C-level executives as they looked into the future, identifying risks they believe will have a significant impact.

This year’s survey results point to multiple sources of uncertainty, painting a cloudy picture. Analysis of the churn in the near-term risk profile (2024) and the escalation of the importance of multiple near- and long-term risks convey the stark reality of today’s dynamic times: Company risk profiles are sensitive to events and risks that can emerge rapidly and sometimes unexpectedly.

In the near term, continued economic uncertainty is causing executives to sharpen their focus on managing external risks (inflation, cyber threats, interest rates, third-party exposures and regulatory risk) and increasing employees’ risk awareness. As for the long term, executives remain on guard for what comes next — as clearly illustrated by the outbreak of war in the Middle East and China’s turning up the volume on reunification of Taiwan.

Geopolitical events drive notable changes in risk perceptions

A notable trend in our global results this year is what the findings reveal before and after Oct. 7, 2023, when events in Israel and Gaza suddenly erupted. Based on the responses submitted prior to this date, no risks were rated at the “significant” level for 2024, but after this date, four risks are rated at this level: economic conditions (including inflationary pressures), cyber threats, ability to attract and retain talent and third-party risks. In addition, the scores for most risk issues increased post-Oct. 7, including the risk related to geopolitical shifts, regional conflicts and instability in governmental regimes, or expansion of global terrorism.

What’s even more telling are the risk scores in the 10-year outlook. Among responses submitted prior to Oct. 7, five risk issues were rated at the “significant” level, 12 were rated at this level among responses collected after this date. Clearly, events in the Middle East elevated long-term concerns among directors and C-suite leaders in regard to the impact on their businesses.

The economy is the top risk for 2024

The risk of economic conditions (including inflationary pressures) significantly restricting growth opportunities, impacting margins or requiring new skill sets is the top-rated risk overall for 2024, up from second overall in 2023.

This risk is the seventh-rated risk looking out 10 years — up from eighth last year — suggesting that economic headwinds remain a concern over the long term. Underlying the economy are concerns around the current interest rate environment significantly affecting the organization’s capital costs and operations — that risk is rated eighth overall for 2024 and 19th overall for 2034.

Uncertainty continues in the market over central bank policies amid persistent inflation being fueled by rising labor costs and robust employment, outsized government stimulus, the West’s de-risking its reliance upon China, regional conflicts and increasing shelter, food and energy prices. The open question is whether these policies will lead to some form of soft landing or to either a mild or severe recession; or worse, a sustained period of stagnant growth.

Cybersecurity may be the most pressing risk

The risk that organizations may not be sufficiently prepared to manage disruptive cyber threats that could impact core operations and/or damage the brand jumped from the 13th-ranked risk looking out 10 years last year to a top-rated risk this year. The risk rating for cyber threats increased 12%, by far the largest risk rating increase noted in the survey. Cyber concerns were also elevated near term, jumping from 15th last year to third this year looking out 12 months. Elevated cybersecurity concerns reflect growing recognition of a complex cyber risk landscape that is impacted by the exponential curve of technological advances, increasing reliance on third parties and expanding geopolitical tensions. 

People-related risks remain top of mind, but culture has taken a back seat

Several important themes related to people are discussed below:

• Finding and keeping talent is the second highest risk. This finding applies to both 2024 and 2034.
• The need to reskill and upskill employees is a challenge both now and in the future. The state of labor markets and the expected adoption of artificial intelligence, automation in all of its forms and other technologies are such that significant efforts will be necessary to upskill and reskill existing employees over the next decade. This is the sixth- and third-rated risk, respectively, for 2024 and 2034.  
• Rising labor costs continue to be a persistent concern. The risk of higher labor costs affecting the organization’s ability to meet profitability targets was the ninth-rated risk for both 2024 and 2034. 
• Workplace evolution is less of an issue. Concerns over whether the organization can manage ongoing demands on or expectations of a significant portion of the workforce to work remotely or be a part of a collaborative hybrid work environment fell to the 24th-rated risk for 2024, down from ninth for 2023. Leaders are seeing more clearly how to deal with this issue as the workplace continues to evolve.
• Culture-related risks fell in relative importance to other risks. Resistance to change restricting organizations from making necessary adjustments to their business models and core operations on a timely basis fell from the fourth-rated risk in both the 12-month and 10-year outlooks in last year’s survey to 14th and 18th, respectively, this year. The organization’s culture not sufficiently encouraging the timely identification and escalation of emerging risk issues and market opportunities that have the potential to significantly affect core operations and achievement of strategic objectives fell from eighth to 17th in the 12-month outlook and from 16th to 21st in the 10-year outlook. These declines may be due to companies’ emphasis on increasing employees’ risk awareness in a rapidly evolving business environment. Preserving culture in a dynamic environment continuously over time is a challenge for any business; however, this year’s survey results suggest that there are other risk issues that are more top of mind at the present time.

Third-party risks are now a top 10 risk

Interestingly, relative to other risks, third-party risks increased from 17th and 15th for 2023 and 2033, respectively, to fourth and sixth for 2024 and 2034, respectively. Escalation of this risk is likely due to increasing reliance on outsourcing and strategic sourcing arrangements, ecosystem partners, IT vendor contracts, and other partnerships/joint ventures to achieve operational and go-to-market objectives. But it may also be attributable to the geopolitical climate, e.g., the West de-risking its reliance on China, laws and regulations restricting business activities and operations in certain countries, and other developments having implications that extend to a company’s reliance on third parties.

The specter of regulatory changes and scrutiny looms both near- and long-term

The risk of the regulatory environment significantly affecting the processes, products and services of the business increased relative to other risks, both near-term and long-term. This risk is the fifth-rated risk overall for both 2024 and 2034, up from 16th and ninth overall for 2023 and 2033, respectively. As continued economic uncertainty increases the likelihood that governments and various agencies will interfere with market functions through regulatory overreach and even excess, survey participants appear to perceive uncertainty over the likelihood and magnitude of forthcoming changes in the regulatory landscape that will affect their organizations.

With the regulatory environment already complex in multiple industries, regulatory developments cutting across industry lines relating to data privacy, climate disclosures, sustainability reporting, cyber breach disclosures, expanded attestation requirements and other matters are adding further complexity to the mix. Prior to the Covid-19 pandemic, regulatory risk was almost always rated a top 10 risk since our global survey began 11 years ago. Now that the pandemic is in the rearview mirror for most observers, regulatory uncertainty appears to have reclaimed its “rightful place” in the risk profile — especially for companies in the financial services, healthcare, energy and technology sectors.

The 10-year top risks outlook: Disruptive times lie ahead

Long-term, the top risks landscape includes the usual suspects, as eight of the top risks last year are on this year’s list. Likewise, eight of the top risks for 2024 are also on the top 10 list for 2023. In addition:

• Mean average ratings for nine of the top 10 2034 risks are higher this year compared to last year looking out 10 years.
• Six of the top risks are rated as “Significant Impact” risks (versus three last year).

The top 10 risks looking out 10 years include concern over evolving cyber threats, attracting and retaining top talent and skilled labor and succession challenges, the need for new skills to fully deploy newly adopted digital technologies, rapid speed of disruptive innovation, evolving regulatory issues, the impact of third-party risks on business performance and brand image, uncertain economic conditions, the limiting obstruction of aged technical architecture and legacy systems in competing with “born digital” players, anticipated labor cost increases and inability to deploy advanced data analytics (the “big data” problem).

The elevated risk levels sustain the ongoing narrative that the 2020s are indeed a decade of disruption. With continued advances in artificial intelligence, automation in all of its forms, ever-increasing connectivity, quantum computing, blockchain and digital currencies, and the metaverse, the market is likely to experience dramatic waves of disruption over the next 10 years. This disruption will likely manifest itself in many ways, e.g., new business models, reimagined customer experiences, disintermediation or displacement within value chains and increased competition for scarce skills. Leaders in every company must ask themselves: Are we being disrupted, and, if so, how and when would we know?

Data privacy and ‘big data’ vie for the 10th spot

Risks associated with data privacy are rated 10th for 2024 and 11th for 2034. The complexity of the data privacy regulatory environment continues to make it a priority for companies. Conversely, the risk of inability to utilize advanced data analytics and “big data” to achieve market intelligence, gain insights on the customer experience, and increase productivity and efficiency significantly affecting how core operations and strategic plans are managed is rated 10th overall looking out 10 years but was the 11th-rated risk for 2024. Organizations successful in deploying forward-looking lead indicators and integrated analytics are likely to be more anticipatory and less reactive than those that aren’t. These capabilities generate the information and insights so essential to arming decision-makers with time advantage in disruptive markets.

Climate change and sustainability risks have elevated

Growing focus on climate change and other sustainability issues and related ESG policies, regulations and expanding disclosure requirements, as well as expectations and emerging regulations of governments, current and potential employees, and other stakeholders about “green” initiatives, supply chain transparency, fairness in reward systems and other governance issues increased from the 31st-rated risk looking out 12 months last year to the 22nd-rated risk this year. Looking out 10 years, these risks increased from the 20th-rated risk last year to the 13th-rated risk this year. Typically associated with planetary threats, these risks are garnering more attention at a micro level by individual companies relative to other risks.

In closing

In commenting on last year’s survey, I wrote the following: “Organizational resiliency is a strategic imperative … It is a safe bet that the winners over the long term will be more agile than the losers.”

Given today’s optics, I doubt many will argue the continued relevance of this point. I also stated that a “look back” 10 years from now will disclose that the most successful companies attribute their innovative and resilient cultures as the key to their effectiveness in acting with intention at the speed of the market or upon the onset of disruptive events. Their seatbelts were fastened because they were prepared for the ride.