Survey: Big Enterprise Risks in 2020
Protiviti has just released its annual survey of enterprise risks that worry corporate leaders. Economic conditions and regulatory change topped the list, and apparently CFOs, chief risk officers, and internal auditors see bigger risks afoot this year than CEOs and board directors do.
The survey, Executive Perspectives on Top Risks 2020, comes out every year right around now as a joint project of Protiviti and North Carolina State University. They polled more than 1,000 senior executives and corporate board directors, asking those folks to rank 30 different risks on a scale of 1 to 10. Anything with an average score above 6.0 is considered a significant risk.
The good news: overall, executives expect 2020 to be somewhat less risky than 2019 — but that’s marginally good news at best. Seven of the top 10 risks for 2020 still fall into that “significant” category, and even though 2020 risk levels are lower than 2019, they’re still well above risk levels from 2018. So risk assurance functions can still expect to be quite busy throughout next year.
As you can see from the accompanying chart, “impact of regulatory change and scrutiny on operational resilience, products, and services” tops the 2020 list. Translation: executives worry that they’ll spend more time responding to the regulatory climate, and that the regulatory climate might force changes to business operations that the executives weren’t expecting.
Risk No. 2 is uncertainty about economic conditions. That’s interesting because this risk didn’t make the Top 10 list last year, and now it’s back with a vengeance.
Well, why? GDP growth in most large economies has pretty much poked along as usual this year — nothing great, but it hasn’t tanked either. Which tells me that unease about economic conditions is related more to governments’ self-imposed wounds: tariffs, trade wars, botched Brexit negotiations, and so forth.
So really, corporations right now are trapped in a bizarro world where uncertainty is greater in the short term than in the long term. For example, will Brexit and the U.S.-China trade war be resolved five years from now? Probably. Do we have any sense of what those resolutions will look like, or when they’ll arrive? Nope. (If you believe Boris Johnson’s victory or President Trump’s supposed deal resolves these issues — sigh, you’re so cute.)
Those are macro-economic forces well above the pay grade of compliance and audit professionals. We’ll talk about them no further. But they are forces affecting your world, and they’ll be here for a while yet.
Digital Transformation Risks
More relevant to us here in the Second Line of Defense are risks related to the digital transformation of business processes. That’s the theme in at least six of those Top 10 risks — everything from ability to compete with born-digital rivals (No. 4) to new skills necessary to adopt emerging technologies (No. 10, and a new entrant on the Top 10 list this year).
Those concerns are quite similar to what we saw in last year’s survey of enterprise risks. It’s a testament to how pervasively technology is changing the corporate world, and how anxious we all are that our risk management systems aren’t keeping pace with that change.
It’s a precarious situation, because better technology empowers employees to do more things, and be more responsive to changing market conditions. That’s good. At the same time, however, better technology also allows for more complicated operating structures that work more quickly — which means greater ability to screw up, more quickly, in more severe ways.
We’ve all seen that. Employees in some far-flung operating division falsify accounting records and keep secret spreadsheets of bribes to foreign government officials. Or the company goes on an acquisition binge for 10 years, ends up with two dozen legacy software systems, and nobody can track high-risk customers worth a damn. Or you rely on third-party tech vendors for critical services, and a ransomware attack against them disables your business.
What becomes more important in this world is a thoughtful, risk-aware approach to governance: of employees, technology, third parties, and operations. Alas, that more thoughtful approach to governance is really hard to achieve in practice — especially in times of great regulatory and economic uncertainty, as outlined in risks No. 1 and 2.
Differences of Opinion
The Protiviti survey is also interesting because it shows that senior corporate executives disagree about how severe enterprise risks are. Consider this excerpt from the report:
There is variation in views among board members and C-suite executives regarding the magnitude and severity of risks for 2020 relative to prior years… Out of the 30 risks examined, CIOs/CTOs rate 13 of the 30 risks as “significant impact” risks. In contrast, CEOs only rated one of the 30 risks at that level, while CROs rated four at that level. Board members rated six of the 30 risks at the level. CFOs rated eight of the 30 risks at the “significant impact” level.
Hmmmm. For chief audit executives in particular, that can leave you in a delicate position. If you’re working for the audit committee to help them understand the severity of enterprise risks, and with other business functions to manage risk, but consensus is lacking on how severe those risks actually are, you might need to defend your enterprise risk assessment and audit plan more vigorously.
I also wonder why this difference of opinion exists. Where are executives getting their information, to reach these different conclusions? How much depends on their instincts and experience, versus hard data someone presents to them?
Don’t forget, we recently saw a survey from the Institute of Internal Auditors that suggested board directors are more confident in their organization’s risk management systems than the executives doing the actual risk managing. That’s an alarming statement.
If that statement is correct, however, it could explain some of what we see here.
Regardless, the survey as a whole shows a lot of challenging risks out there. It’s good food for thought between the risk assurance functions and the C-suite and board, so let’s get to it.