Cyber risks near top of boardroom agendas

Cybersecurity has come to the forefront of risk oversight for board members and C-suite executives, according to the third annual survey of business executives by global consulting firm Protiviti and the Enterprise Risk Management Initiative at the North Carolina State University Poole College of Management.

More than half of the 277 global survey respondents (53%) indicated that insufficient preparation to manage cyber threats is a risk that will “significantly impact” their organizations this year. Following a string of data breaches in the past year, cyber threats jumped to No. 3 in the current survey, up three rank positions in year-over-year survey results, reflecting increased concern about operational and reputational damage associated with potential breaches.

“Our survey findings indicate that operational risk issues are keeping many senior executives up at night,” says Mark Beasley, Deloitte Professor of Enterprise Risk Management and NC State ERM Initiative director.

For the third consecutive year, regulatory changes and heightened regulatory scrutiny ranked as the No. 1 risk on the minds of board members and corporate executives; 67% indicated that it will “significantly impact” their organizations.

The survey findings suggest that while the business environment in 2015 will be somewhat less risky than in the previous two years, most of the business leaders surveyed indicated that they are more likely to invest in additional risk management resources in 2015.

The survey also identified differing perceptions between boards and executives regarding the current risk environment; CEOs and directors reported more optimism about risk issues while CFOs and chief audit executives perceived a riskier business environment.

Survey’s top 10, ranked

Following are the top ten risks identified in the annual risk survey, along with the percentages of respondents who identified each risk as having a “Significant Impact” on their business. This list reflects five new risk categories added to the survey this year, reflecting input from members of the survey sample audience.

1. Regulatory changes and heightened regulatory scrutiny may affect the manner in which our products or services will be produced or delivered (67%)

2. Economic conditions in markets we currently serve may significantly restrict growth opportunities for our organization (56%)

3. Cyber risks. Our organization may not be sufficiently prepared to manage cyber threats that have the potential to significantly disrupt our core operations and/or damage our brand (53%)

4. Succession, recruitment, retention. Our organization’s succession challenges and ability to attract and retain top talent may limit our ability to achieve operational targets (56%)

5. Failure to anticipate risk. Our organization’s culture may not sufficiently encourage the timely identification and escalation of risk issues that have the potential to significantly affect our core operations and achievement of strategic objectives (51%)

6. Resistance to change may restrict our organization from making necessary adjustments to the business model and core operations (49%)

7. Cost of ID protection. Ensuring privacy/identity management and information security/system protection may require significant resources for us (52%)

8. Reputation risk. Our organization may not be sufficiently prepared to manage an unexpected crisis significantly impacting our reputation (46%)

9. Holding onto core customers. Sustaining customer loyalty and retention may be increasingly difficult due to evolving customer preferences and/or demographic shifts in our existing customer base (48%)

10. Failing to keep up. Our existing operations may not be able to meet performance expectations related to quality, time to market, cost, and innovation as well as our competitors (46%)

The survey was conducted in the fourth quarter of 2014. Respondents represent both U.S.-based and non-U.S. organizations and public and private companies.