Volatile markets, digital disruptions in the risk landscape, growing cyber-attacks, and the ever-escalating war for talent are just a few significant risk drivers on the minds of boards of directors and executives today, according to a comprehensive 113-page report, “Executive Perspectives on Top Risks for 2020,” recently published by consulting firm Protiviti and North Carolina State University’s Enterprise Risk Management Initiative.

The survey highlights the perspectives of 1,063 board members and C-suite executives globally concerning the potential impact in 2020 of 30 risks across the following three dimensions:

  • Macroeconomic risk: External factors affecting markets—such as financial markets and currency markets—and geopolitical risk, like trade policy;
  • Strategic risks: Risks affecting the validity of a company’s strategy for pursuing growth opportunities, like competitor moves and the digitization of products and services; and
  • Operational risks: Risks affecting operations of the organization in executing strategy, such as people, processes, and technology.

Respondents were asked to rate each risk area on a 10-point scale. Risks with an average score of six or higher were classified as having a “significant impact” on the organization, whereas risks with an average score of 4.5 through 5.9 were classified as “potential impact” risks. Risks with an average score of 4.49 or lower were classified as having a “less significant impact.”

Mark Beasley, a professor of enterprise risk management at North Carolina State University, said in a recent webinar discussing the findings that companies often will use the report to benchmark their own risk assessment processes: “‘What’s on the mind of other executives that maybe we’re not thinking about?’”

Risk themes

One key theme that runs through many of the top 10 risks has to do with digital transformation initiatives. “One could argue that all 10 of the risks have a digital link,” said Jonathan Wyatt, global head of Protiviti Digital.

Listed as the fourth top risk, for example, is “ability to compete with ‘born-digital’ and other competitors.” When weighed against the top-cited risk, “impact of regulatory change and scrutiny on operational resilience, products, and services,” it indicates concerns around regulatory pressure are causing companies to be more cautious about implementing changes needed to remain competitive today.

“They recognize that many of the born-digital companies are taking a lot of risk,” Wyatt said. “They recognize the challenges associated with competing with those companies.” But if they take a more risk-averse position, taking into consideration the regulatory environment, they struggle to compete, he said.

Risk management often focuses on risk avoidance and risk mitigation. “Yet, digital leaders often take risks and understand how to take risks,” Wyatt said. “Innovation is all about taking risks and accepting failure and requires a fundamental change in culture.”

Moving forward, Wyatt anticipates more chief risk officers and chief audit executives will ask, “‘Is the business taking enough risks?’” Some companies are failing for not taking risks they should’ve taken. “It’s not just about risk mitigation and risk avoidance but also about asking the question, ‘Are we taking enough risks in certain areas?’ ” he said.

Top risks for 2020

  1. Impact of regulatory change and scrutiny on operational resilience, products, and services
  2. Economic conditions impacting growth
  3. Succession challenges; ability to attract and retain top talent
  4. Ability to compete with “born digital” and other competitors
  5. Resistance to change operations
  6. Cyber-threats
  7. Privacy/identity management and information security
  8. Organization’s culture may not sufficiently encourage timely identification and escalation of risk issues
  9. Sustaining customer loyalty and retention
  10. Adoption of digital technologies may require new skills or significant efforts to upskill/reskill existing employees (new in 2020)

Source: Protiviti; University of North Carolina

Another key theme to come from the report was the emphasis placed on operational risks. “Six of the top 10 risks reflect operational concerns, suggesting on the surface that respondents continue to be focused on operational issues to a greater extent than strategic or macroeconomic issues,” said Jim DeLoach, a member of Protiviti’s Solutions Leadership Team.

A deeper dive into the report, under operational risks, highlights a growing emphasis on “talent and culture,” which made up four of the top 10 risks. For example, “succession challenges and the ability to attract and retain top talent” was cited as the third highest risk for 2020.

Many of these operational issues have strategic underpinnings, moreover, “meaning they represent multiple considerations and strategies or may be perceived as a threat to successful execution of the strategy or even uncertainty surrounding the competitiveness of the organization’s infrastructure and cooperation,” DeLoach said.

For example, the report showed a strong link between talent and culture and technology and innovation. Respondents cited as the No. 10 risk “adoption of digital technologies may require new skills or significant efforts to upskill/reskill existing employees.”

Many respondents indicated they are concerned they don’t have the talent in place to leverage emerging technologies and innovations like artificial intelligence, advanced learning, and robotic process automation, Beasley said. “If we don’t have the right talent or tone-from-the-top, we’re going to fail to meet some key strategic objectives,” he said.

Cultural issues are another big concern, as cited by the fifth top risk on the list (“resistance to change operations”). Such resistance might impede the business from making the changes to its business model that it needs in order to keep pace with new born-digital businesses, Beasley said.

Related to the risk of being resistant to change operations is No. 8: “The organization’s culture may not encourage timely identification and escalation of risk issues.”

“What that signals is that people in the organization are aware of the risks, but are not escalating it to those at the top,” Beasley said.

That might indicate a process problem, where people don’t know how to escalate risks, or it might indicate a cultural issue, where employees are fearful to do so. “It’s important to really assess and really ponder, ‘Is our organization’s culture prohibiting or restricting employees’ willingness to escalate top risk concerns? Is that potentially an issue?’ ” Beasley said.

DeLoach said, “The point is that executives rating these matters as ‘significant-impact risks’ are likely not dealing with them as narrowly as day-to-day blocking and tackling issues, but as matters requiring careful consideration in deciding and executing strategy.”


On a positive note, the report also found that—except for the financial services industry and energy and utilities—most industries perceive that the magnitude and severity of risks affecting their organizations will be lower in 2020 compared to 2019. Additionally, just two of the 30 risk areas were ranked as “significant impact” risks across all five industry groups: “restrictive/disruptive regulatory change/scrutiny” and “succession challenges and the ability to attract and retain top talent.”

Except for the technology, media, and telecommunications industry, concerns about the company’s operations, legacy IT systems, and not being able to compete with “born-digital” companies were also rated as “significant impact” risks.

The report further highlighted varying views among board members and executives about the magnitude and severity of risks expected in the coming year. Chief financial officers and chief audit executives, for example, reported the highest overall score regarding the magnitude and severity of risks in 2020, relative to board members, chief executive officers, and chief risk officers.

Taken as a whole, what this points to is “a strong need for discussion and dialogue to ensure everyone is in agreement at the highest level of the organization as to what the most important risk exposures are and whether the organization is focused on them appropriately,” notes the report. It ends with a call to action by listing more than two dozen questions to assist companies in “defining their risks and assessing the adequacy of the processes informing their risk management and board risk oversight.”