“Everybody talks about the weather, but nobody does anything about it.” That popular quote, often credited (incorrectly) to Mark Twain, could be modernized by replacing Mother Nature with cyber-security threats and reputation risk.

EisnerAmper – an audit, tax, and advisory firm – has released its fifth annual survey of board members about the risks that confront them. Seventy-two percent identified reputational risk as their primary concern and cyber-security/IT risk was second at 62 percent, rising almost 10 percent from last year. Surprisingly, regulatory compliance risk, the third most highly ranked concern, dropped six percentage points to 50 percent in 2014.

Boards may know they need to worry about cyber-security, but many have not taken action to mitigate the risk or decided who will ultimately direct their organizations’ course of action, the survey found, raising concerns about how well-equipped companies are to address it. The survey also found sparse implementation of comprehensive enterprise risk management programs.

“Despite strong concerns about reputational risk and cyber and data security, we saw little in the survey showing support for the resources necessary to address it,” Steven Kreit, a partner in EisnerAmper’s Public Companies practice, says. “With many organizations admitting that they had no plans or relatively unsophisticated plans to address these top rated risks, there is a need for boards to focus some of their strategic planning time on reevaluating how they will effectively handle concerns as they arise.”

In this week’s podcast, we talk to Kreit about why compliance risk is slipping from boards’ radar and how they may shore up their approach to the double-headed threat of reputation and IT risks.

Listen to the podcast. (9 min., 8 MB)

Click here for more podcasts.