Executive Perspectives on Top Risks for 2013 Key Issues Being Discussed in the Boardroom and C-Suite
May 17th, 2013For further inquiries, please contact:
Keith Keller, Managing DirectorProtiviti, Inc.
3343 Peachtree Road NESuite 600
Atlanta, Georgia 30326Phone: 404.443.8224
© 20132
Introduction
• Protiviti and North Carolina State University’s ERM Initiative surveyed more than 200 board members and C-suite executives on risks likely to affect their organizations over the next 12 months
• The survey provides perspectives on the potential impact of 20 specific risks across three dimensions:
– Macroeconomic Risks: Likely to affect organization’s growth opportunities
– Strategic Risks: Likely to affect the validity of the organization’s strategy for the pursuit of growth opportunities
– Operational Risks: Likely to affect key operations of the organization in executing its strategy
© 20133
Survey Methodology
• Respondents were asked to rate 20 individual risk issues using a 10-point scale:
− A score of 10 reflects Extensive Impact to their organizations over the next year
− A score of 1 reflects No Impact at All
• Based on average scores, the risks were categorized into one of three classifications:
– Significant Impact: Risks with an average score of 6.0 or higher
– Potential Impact: Risks with an average score of 4.5 through 5.9
– Less Significant Impact: Risks with an average score of 4.4 or lower
© 20134
Survey Respondent Breakdown
Organization Size Revenues $10 billion or greater 15%Revenues $1 billion to $9.99 billion 34%Revenues $100 million to $999.99 million 36%Revenues less than $100 million 12%
Executive Position (Top 5 Respondent Groups)Board Member 9%Chief Financial Officer 14%Chief Risk Officer 20%Chief Audit Executive 26%Other C-Suite 21%
Industry (Top 5 Respondent Groups)Financial Services 28%Consumer Products and Services 19%Industrial Products 13%Healthcare and Life Sciences 12%Technology, Media and Communications 11%
Top 10 Risks
© 20136
Top 10 Risks
4.0 4.5 5.0 5.5 6.0 6.5 7.0 7.5
Regulatory risk
Economic conditions
Sovereignty risk/political gridlock
Organic growth concerns
Succession/talent
Financial markets/currencies
Cyber threats
Security/privacy
Resiliency
Performance gap risks
S
M
M
S
O
M
O
O
O
O
M MacroeconomicRisk Issue
O OperationalRisk Issue
S StrategicRisk Issue
© 20137
#1 – Regulatory risk
Regulatory changes and heightened regulatory scrutiny may affect the manner in which our products or services will be produced or delivered.
© 20138
#2 and #3 – Economic Conditions and Sovereignty risk/political gridlock
Economic conditions in markets we currently serve will significantly restrict growth opportunities for our organization.
Uncertainty surrounding political leadership in national and international markets will limit growth opportunities.
© 20139
#4 and #5 – Organic growth concerns and Succession/Talent
Organic growth through customer acquisition and/or enhancement presents a significant challenge.
Succession challenges and the ability to attract and retain top talent may limit our ability to achieve operational targets.
© 201310
#6 – Financial markets/currencies
Anticipated volatility in global financial markets and currencies will create challenging issues for our organization to address.
© 201311
#7 – Cyber threats
Cyber threats have the potential to significantly disrupt core operations for our organization.
© 201312
#8 – Security/Privacy
Ensuring privacy/identity management and information security/system protection will require significant resources for us.
© 201313
#9 and #10 – Resiliency and Performance gaps risk
Resistance to change will restrict our organization from making necessary adjustments to the business model and core operations.
Our existing operations may not be able to meet performance expectations related to quality, time to market, cost and innovation as well as our competitors.
Industry Analysis
© 201315
Analysis Across Industry – Top 5 Risks*
Risk Issues OverallConsumer Products
and ServicesEnergy and
UtilitiesFinancial Services
Healthcare and Life Sciences
Industrial Products
Technology, Media and Communi-
cations
Regulatory risk
Economic conditions
Sovereignty risk/political gridlock
Organic growth concerns
Succession/talent
Financial markets/currencies
Cyber threats
Security/privacy
Resiliency
Performance gap risk
Technological Innovation risk
Significant Impact – Rating of 6.0 or higher Potential Impact – Rating of 4.5 – 5.9 * Includes ties as well as differences among industry groups
Analysis Across Respondent Role
© 201317
Analysis Across Respondent Role – Top 5 Risks*
Risk Issues Overall Board Member
Chief Financial
OfficerChief Risk
OfficerChief Audit Executive
Other C-Suite
Regulatory risk
Economic conditions
Sovereignty risk/political gridlockOrganic growth concerns
Succession/talent
Financial markets/currencies
Cyber threats
Security/privacy
Significant Impact – Rating of 6.0 or higher Potential Impact – Rating of 4.5 – 5.9 * Includes ties as well as differences among respondent roles
Analysis Across Organization Size
© 201319
Analysis Across Organization Size – Top 5 Risks*
Risk Issues OverallOrganizations
$10B or Greater
Organizations Between $1B and $9.99B
Organizations $100M and $999.99M
Organizations Less than
$100M
Regulatory risk
Economic conditions
Sovereignty risk/political gridlockOrganic growth concerns
Succession/talent
Financial markets/currencies
Cyber threats
Security/privacy
Trade restrictions/ government sanctions
Significant Impact – Rating of 6.0 or higher Potential Impact – Rating of 4.5 – 5.9 * Includes ties as well as differences among organization sizes
Plans to Deploy Resources to EnhanceRisk Management Capabilities
© 201321
Additional Resources to Risk Management – By Industry
All Respondents
Consumer Products
and ServicesEnergy and
UtilitiesFinancial Services
Healthcare and Life Sciences
Industrial Products
Technology, Media and Communi-
cations
Likelihood the organization plans to devote additional resources to risk management over the next 12 months
5.8 5.7 4.5 7.0 5.5 5.4 5.5
On a scale of 1-10, respondents rated whether the organization plans to devote additional resources to risk management over the next 12 months. (1 – “Unlikely to make changes”; 10 – “Extremely likely to make changes”)
© 201322
Additional Resources to Risk Management – By Organization Size
All Respondents
RevenuesLess than
$100M
Revenues$100M – $999.99M
Revenues$1B – $9.99B
Revenues $10B
or higher
Likelihood the organization plans to devote additional resources to risk management over the next 12 months
5.8 6.1 5.8 5.3 6.7
© 201323
Additional Resources to Risk Management – By Organization Type
All Respondents Publicly Traded Companies
Private, For-Profit
Enterprises
Not-for-Profit and
GovernmentalOrganizations
Likelihood the organization plans to devote additional resources to risk manage-ment over the next 12 months
5.8 5.6 5.8 6.4
© 201324
Additional Resources to Risk Management – By Respondent Role
All Respondents
BoardMembers
Chief FinancialOfficers
Chief RiskOfficers
Chief AuditExecutives
OtherC-Suite
Likelihood the organization plans to devote additional resources to risk management over the next 12 months
5.8 5.1 6.0 6.3 5.4 5.9
© 201325
Calls to Action
Ensure there is sufficient focus on the implications of a changing environment
• Is management periodically evaluating changes in the business environment to identify the risks inherent in the corporate strategy?
• Is the board sufficiently involved in the process, particularly when such changes involve acquisition of new businesses, entry into new markets, the introduction of new products or alteration of key assumptions underlying the strategy?
Ensure the risk assessment is sufficiently robust to inform board/management communications
• Does management apprise the board in a timely manner of significant risks or significant changes in the organization’s risk profile?
• Is there a process for identifying emerging risks?
• Does it result in consideration of response plans on a timely basis?
© 201326
Calls to Action
Ensure the board is knowledgeable of the key enterprise risks and the capabilities in place for managing those risks
• Is the board aware of the most critical risks facing the company? • Does the board agree on why these risks are significant? • Do directors understand the organization’s responses to these risks? • Is there an enterprise wide process in place that directors can point to that answers these
questions and is that process informing the board’s risk oversight?
Enrich the strategy setting process with a risk appetite dialogue between management and the board
• Is there a periodic board-level dialogue regarding management’s appetite for risk and whether the organization’s risk profile is consistent with that risk appetite?
• Is the board satisfied that the strategy-setting process appropriately considers a substantive assessment of the risks the enterprise is taking on as it formulates and executes its strategy?
Q&A
Thank you!For more information and to download the full report
Executive Perspectives on Top Risks in 2013
visit:
www.protiviti.com/toprisks
and
www.erm.ncsu.edu