Board members and executives in the c-suite continue to identify the regulatory environment as their top business risk heading into 2015, but cyber-security is fast rising on the list of risk priorities.

In a recent poll by Protiviti and North Carolina State University of 277 board members and top executives, 67 percent identified regulatory risk as the most serious risk facing their particular organizations. It’s the third year Protiviti and NC State have conducted the poll, and the third time regulatory risk topped the list of risk worries. “The overall perspective of risk seems to be improving somewhat,” says Mark Beasley, director of ERM Initiatives at NC State. “But the regulatory pressure and the scrutiny over how people do business continues to be top of mind, no matter which way you slice this across people, size of company, or industry.”

The findings should give government policy makers some pause, says Jim DeLoach, managing director at Protiviti. “The fact that this is so top of mind and has been for each of the three years we have done this study suggests the cost of regulation on business models is quite high,” he says. “Even marginally incremental regulatory change can add tremendous cost to organizations. The mere threat of regulatory change can create uncertainty in terms of hiring and investing.”

Behind regulatory risk, economic conditions and the risk that they might hamper growth ranked second, with 56 percent of respondents identifying it as a significant risk facing the organization. Equally concerning, 56 percent said the ability to attract and retain the right talent presents a significant risk to achieving operational targets.

Then comes cyber-security, with 53 percent of board members and executives indicating they worry their organizations may not be sufficiently prepared to manage cyber threats that could seriously disrupt core operations or damage the brand name. “That went way up this year,” says Beasley. “People are now looking at a cyber threat not in terms of if it will happen to us, but when. And when it happens, are we going to be able to manage it and handle it?”

DeLoach says the silver lining for those responsible for corporate governance is the overall dip in risk concerns reflected in the survey results compared with a year earlier. “In general, the survey respondents thought while there are still some significant issues, they perceive a somewhat less risky environment looking into 2015.” Still, despite a suggestion that overall risk concerns have diminished somewhat, the survey also suggests organizations are planning to invest more in 2015 in their risk management capabilities, he says.