EXECUTIVE PERSPECTIVES ON

TOP RISKS
Research Conducted by North Carolina State University’s
ERM Initiative and Protiviti

Key issues being discussed

in the boardroom and C-suite
 TABLE OF CONTENTS

Introduction

Methodology

Executive Summary
Introduction
Overall Risk Concerns for 2019

Leaders of organizations in virtually every viewpoints, the upward trajectory of interest of global boards of directors and executives.
Three-Year Comparison of Risks
industry, size of organization and geographic rates, ease with which information can This report contains results from our seventh
location are reminded all too frequently that go viral via social media and other digital annual risk survey of directors and executives
Analysis Across Different they operate in what appears to many to platforms, and ongoing negotiations to settle to obtain their views on the extent to which a
Sizes of Organizations
be an increasingly risky global landscape. Brexit are a few of the drivers of uncertainty broad collection of risks is likely to affect their
Escalating concerns about the rapidly affecting the 2019 global business outlook. organizations over the next year.
Analysis Across Executive
Positions Represented
changing business environment and the Insufficient focus on and attention to the Our respondent group, comprised primarily of
potential for unwelcome surprises vividly web of complex enterprisewide risk events board members and C-suite executives from
illustrate the reality that organizations of of varying velocity are likely to threaten all major regions of the world, provided their
Industry Analysis
all types face risks that can disrupt their an entity’s brand, reputation, business perspectives about the potential impact in 2019
business model over time and damage model and, in some instances, its very of 30 specific risks across three dimensions:1
Analysis of Differences Between reputation almost overnight. The constantly survival. Boards of directors and executive
Public and Non-Public Entities ■■ Macroeconomic risks likely to affect their
evolving geopolitical landscape that is management teams cannot afford to manage
organization’s growth opportunities
trending toward nationalism, ever-present risks casually on a reactive basis, especially
Analysis of Differences Among
concern of cyber disruptions, increasing considering the rapid pace of disruptive ■■ Strategic risks the organization faces that
Geographic Regions
market disruptions caused by born-digital innovation and technological developments may affect the validity of its strategy for
organizations, effects of tightening labor in an ever-advancing digital world. pursuing growth opportunities
Analysis of Differences
Between Organizations With markets, devastating impact of hurricanes Protiviti and North Carolina State University’s ■■ Operational risks that might affect key
and Without Rated Debt and other natural disasters, volatility in ERM Initiative are pleased to provide this report operations of the organization in executing
energy prices, recurring shocks of terrorism its strategy

Protiviti
focusing on the top risks currently on the minds
Plans to Deploy Resources to Enhance around the globe, polarization of political
Risk Management Capabilities

A Call to Action: 1
Two new risks were included in the 2019 survey. They replaced two risks we asked about in prior years. See Table 1 for a list of the 30 risks addressed in this study.
Questions to Consider

1
Research Team
 TABLE OF CONTENTS

Introduction

Executive Perspectives on Top Risks for 2019

Methodology

In presenting the results of our research,

Executive Summary
we begin with a brief description of our
methodology and an executive summary of
Looking forward, the message is that digital transformation is a main
Overall Risk Concerns for 2019 the results. Following this introduction, we driver of risk impacting uncertainty over business model viability,
discuss the overall risk concerns for 2019,
Three-Year Comparison of Risks including how they have changed from
customer preferences, the competitive landscape, workplace dynamics
2018 and 2017, followed by a review of and the war for talent, and even regulatory demands. Clearly, organizations
results by size of organization and type of
Analysis Across Different
Sizes of Organizations executive position, as well as a breakdown
must align their culture, people, processes and intelligence gathering to
by industry, type of ownership structure embrace this rapidly changing business environment.
Analysis Across Executive (i.e., public company, privately held, not-
Positions Represented for-profit and government), geographic — Pat Scott, Executive Vice President, Global Industry Program, Protiviti
location, and whether they have rated debt
Industry Analysis outstanding. We conclude with a discussion
of organizations’ plans to improve their
Analysis of Differences Between
capabilities for managing risk.
Public and Non-Public Entities

Analysis of Differences Among

Geographic Regions

Analysis of Differences
Between Organizations With
and Without Rated Debt

Protiviti
Plans to Deploy Resources to Enhance
Risk Management Capabilities

A Call to Action:
Questions to Consider

2
Research Team
 TABLE OF CONTENTS

Introduction

Methodology

Executive Summary
Methodology
Overall Risk Concerns for 2019

We are pleased that participation from and a score of 10 reflects “Extensive Impact” ■■ Risks with an average score of 4.49
Three-Year Comparison of Risks
executives was strong again this year. Globally, to their organization over the next year. or lower are classified as having a
825 board members and executives across a For each of the 30 risk issues, we computed “Less Significant Impact” over the
Analysis Across Different variety of industries participated in this survey. next 12 months.
Sizes of Organizations the average score reported by all respondents.
We are especially pleased that we received Using mean scores across respondents, we We refer to these risk classifications
responses from individuals all over the world, rank-ordered risks from highest to lowest
Analysis Across Executive throughout our report, and we also
Positions Represented
with 371 respondents (45%) based in North impact. This approach enabled us to compare review results for various subgroups (i.e.,
America and 454 respondents (55%) based mean scores across the past three years to company size, position held by respondent,
outside this region. In 2018, our responses by highlight changes in the perceived level of risk.
Industry Analysis industry representation, organization type,
region were also 45% from North America and
Consistent with our prior studies, we geographic location and presence of rated
55% of the organizations from other regions.
Analysis of Differences Between grouped all the risks based on their average debt). With respect to the various industries,
We are pleased that this year's report reflects a
Public and Non-Public Entities scores into one of three classifications: we grouped related industries into combined
more diverse geographic coverage from around
Risks with an average score of 6.0 industry groupings to facilitate analysis,
the globe. As a result, this report again provides ■■

Analysis of Differences Among

or higher are classified as having a consistent with our prior years’ reports.
Geographic Regions
a perspective about risk issues on the minds of
executives at a global level. “Significant Impact” over the next 12 Table 1 on the next page lists the 30 risk
months. issues rated by our respondents, arrayed
Analysis of Differences Our survey was conducted online in the fall of
Risks with an average score of 4.5 through across three categories — Macroeconomic,
Between Organizations With 2018. Each respondent was asked to rate 30 ■■
and Without Rated Debt
5.99 are classified as having a “Potential Strategic and Operational.
individual risk issues using a 10-point scale,
Impact” over the next 12 months.

Protiviti
where a score of 1 reflects “No Impact at All”
Plans to Deploy Resources to Enhance
Risk Management Capabilities

A Call to Action:
Questions to Consider

3
Research Team
 TABLE OF CONTENTS

Introduction

List of 30 Risk Issues Analyzed

Executive Perspectives on Top Risks for 2019

TAB LE 1
Methodology

Executive Summary
M ACRO ECO NO M I C R I S K I S S U ES

Overall Risk Concerns for 2019

■■ Anticipated volatility in global financial markets and currency exchange rates may create significantly challenging issues for our
organization to address
Three-Year Comparison of Risks
■■ Uncertainty surrounding the influence and continued tenure of key global leaders may impact national and international markets to the point
of significantly limiting our growth opportunities
Analysis Across Different
Sizes of Organizations ■■ Evolving changes in global trade policies may limit our ability to operate effectively and efficiently in international markets

■■ Our ability to access sufficient capital/liquidity may restrict growth opportunities for our organization
Analysis Across Executive
Positions Represented ■■ Economic conditions in markets we currently serve may significantly restrict growth opportunities for our organization

■■ Demands made by activist investors and other key stakeholders may significantly affect how we do business in the marketplace*
Industry Analysis
■■ Geopolitical shifts and instability in governmental regimes or expansion of global terrorism may restrict the achievement of our global growth
and profitability objectives
Analysis of Differences Between
Public and Non-Public Entities ■■ Anticipated increases in labor costs may affect our opportunity to meet profitability targets

■■ Unexpected change in the current interest rate environment may have a significant effect on the organization’s operations
Analysis of Differences Among
Geographic Regions

Analysis of Differences
Between Organizations With
and Without Rated Debt

Protiviti
Plans to Deploy Resources to Enhance
Risk Management Capabilities

A Call to Action: * Represents a new risk issue added to the 2019 survey.
Questions to Consider

4
Research Team
 TABLE OF CONTENTS

Introduction

Executive Perspectives on Top Risks for 2019

TAB LE 1 (CONTINU ED)
Methodology

Executive Summary
STR ATEG I C R I SK I S S U ES

Overall Risk Concerns for 2019

■■ Rapid speed of disruptive innovations enabled by new and emerging technologies and/or other market forces may outpace our organization’s
ability to compete and/or manage the risk appropriately, without making significant changes to our business model
Three-Year Comparison of Risks
■■ Social media, mobile applications and other Internet-based applications may significantly impact our brand, customer relationships, regulatory
compliance processes and/or how we do business
Analysis Across Different
Sizes of Organizations ■■ Regulatory changes and scrutiny may heighten, noticeably affecting the manner in which our products or services will be produced or delivered

■■ Shifts in environmental, social and governance (ESG) preferences as well as expectations of key stakeholders may be difficult for us to identify
Analysis Across Executive and address on a timely basis
Positions Represented
■■ Ease of entrance of new competitors into the industry and marketplace or other significant changes in the competitive environment (such as
major market concentrations due to M&A activity) may threaten our market share
Industry Analysis
■■ Our organization may not be sufficiently prepared to manage an unexpected crisis significantly impacting our reputation
Analysis of Differences Between ■■ Growth through acquisitions, joint ventures and other partnership activities may be difficult to identify and implement
Public and Non-Public Entities
■■ Opportunities for organic growth through customer acquisition and/or enhancement may be significantly limited for our organization
Analysis of Differences Among
Geographic Regions ■■ Substitute products and services may arise that affect the viability of our current business model and planned strategic initiatives

■■ Sustaining customer loyalty and retention may be increasingly difficult due to evolving customer preferences and/or demographic shifts in our
Analysis of Differences
Between Organizations With
existing customer base
and Without Rated Debt
■■ Performance vulnerabilities may trigger shareholder activism against our organization that may significantly impact our organization’s
strategic plan and vision

Protiviti
Plans to Deploy Resources to Enhance
Risk Management Capabilities

A Call to Action:
Questions to Consider

5
Research Team
 TABLE OF CONTENTS

Introduction

Executive Perspectives on Top Risks for 2019

TAB LE 1 (CONTINU ED)
Methodology

Executive Summary
O PE R ATI O NAL R I S K I S S U ES

Overall Risk Concerns for 2019

■■ The cultural behaviors and personal interactions with others exhibited by the organization’s management team and other key
representatives — as manifested through day-to-day decision-making, attitudes and conduct — may not be aligned with the long-term
Three-Year Comparison of Risks interests of shareholders, the board’s risk appetite, compliance with laws and regulations, and/or the core values most accepted and
rewarded by the marketplace*

Analysis Across Different ■■ Uncertainty surrounding the viability of key suppliers, scarcity of supply, or stable supply prices may make it difficult to deliver our products or
Sizes of Organizations services at acceptable margins

■■ Risks arising from our reliance on outsourcing and strategic sourcing arrangements, IT vendor contracts, and other partnerships/joint
Analysis Across Executive ventures to achieve operational goals may prevent us from meeting organizational targets or impact our brand image
Positions Represented
■■ Our organization’s succession challenges and ability to attract and retain top talent in a tightening talent market may limit our ability to
achieve operational targets
Industry Analysis
■■ Our organization may not be sufficiently prepared to manage cyber threats that have the potential to significantly disrupt core operations
and/or damage our brand
Analysis of Differences Between
Public and Non-Public Entities
■■ Ensuring privacy/identity management and information security/system protection may require significant resources for us

Analysis of Differences Among

■■ Our existing operations and legacy IT infrastructure may not be able to meet performance expectations related to quality, time to market, cost
Geographic Regions and innovation as well as our competitors, especially new competitors that are “born digital” and with a low-cost base for their operations, or
established competitors with superior operations

Analysis of Differences ■■ Inability to utilize data analytics and “big data” to achieve market intelligence and increase productivity and efficiency may significantly affect
Between Organizations With our management of core operations and strategic plans
and Without Rated Debt
■■ Resistance to change may restrict our organization from making necessary adjustments to the business model and core operations

Protiviti
Plans to Deploy Resources to Enhance ■■ Our organization’s culture may not sufficiently encourage the timely identification and escalation of risk issues that have the potential to
Risk Management Capabilities
significantly affect our core operations and achievement of strategic objectives

A Call to Action:
Questions to Consider

6
Research Team
 TABLE OF CONTENTS

Introduction

Methodology

Executive Summary
Executive Summary
Overall Risk Concerns for 2019

Shifting cultural norms and expectations Expectations of key stakeholders regarding the
Three-Year Comparison of Risks TOP R I S K S FOR 2 0 1 9
of accountability. Disruptive business need for greater transparency about the nature
models. Innovations triggered by emerging and magnitude of risks undertaken in executing 1. Existing operations meeting performance
Analysis Across Different technologies. Changes in the geopolitical an organization’s corporate strategy continue expectations, competing against “born
Sizes of Organizations digital” firms
landscape. Negotiations surrounding to be high. Pressures from boards, volatile
Brexit. Shifting customer preferences and markets, intensifying competition, demanding 2. Succession challenges and ability to
Analysis Across Executive
demographics. Natural disasters. Record lows regulatory requirements, changing workplace attract and retain top talent
Positions Represented
in unemployment, tightening labor markets dynamics, shifting customer preferences, 3. Regulatory changes and
and escalating competition for specialized uncertainty regarding catastrophic events and regulatory scrutiny
Industry Analysis
talent. Immigration challenges. Cyber other dynamic forces are leading to increasing 4. Cyber threats
breaches on a massive scale. Terrorism. Big calls for management to design and implement
Analysis of Differences Between data analytics. A strong U.S. dollar. These and effective risk management capabilities and 5. Resistance to change operations
Public and Non-Public Entities
a host of other significant risk drivers are all response mechanisms to identify, assess and 6. Rapid speed of disruptive innovations
contributing to the risk dialogue happening manage the organization’s key risk exposures, and new technologies
Analysis of Differences Among
today in boardrooms and executive suites. with the intent of reducing them to an
Geographic Regions 7. Privacy/identity management and
acceptable level. information security

Analysis of Differences 8. Inability to utilize analytics

Between Organizations With and big data
and Without Rated Debt
9. Organization’s culture may not suffi-

Protiviti
ciently encourage timely identification
Plans to Deploy Resources to Enhance
Risk Management Capabilities
and escalation of risk issues

10. Sustaining customer loyalty

A Call to Action:
and retention
Questions to Consider

7
Research Team
 TABLE OF CONTENTS

Introduction

Executive Perspectives on Top Risks for 2019

Methodology

One of the first questions an organization seeks to answer in risk management is, “What are our most critical risks?” The organization’s answer to
Executive Summary
this question lays the foundation for management to respond with appropriate capabilities for managing these risks. This survey provides insights
for 2019 from 825 respondents in C-suite and board positions in organizations around the globe. Here is a summary of the key findings:
Overall Risk Concerns for 2019

Three-Year Comparison of Risks

KE Y F I NDI N G S

Analysis Across Different

Sizes of Organizations Global business environment riskier in 2019 — Survey respondents indicate that the overall global business context is somewhat
riskier in 2019 relative to the two prior years. Our prior year survey respondents only rated seven of the top 10 risks higher for

01
2018 relative to 2017; however, for 2019, respondents rated all of the top 10 risks higher for 2019 relative to 2018. A majority of
Analysis Across Executive respondents rated each of the top 10 risks as a “Significant Impact” risk, and eight of our top 10 risks had an overall average score
Positions Represented
exceeding 6.0 (on a 10-point scale), placing the profile of top risks as “Significant Impact” on an overall basis. Likewise, risk levels for
nine of the top 10 risks in 2019 were higher than 2017. This suggests a potential shift in views about the riskiness of 2019 relative to
the last two years.
Industry Analysis

Nature of uncertainty concerns varies across the world — These overarching views about uncertainty in the business environment
Analysis of Differences Between seem to be global in reach, with respondents from six of the eight geographic regions of the world we examined agreeing that the

02
Public and Non-Public Entities
overall magnitude and severity of risks are of a “Significant Impact” level for 2019. Except for North America-based organizations,
respondents representing organizations in all other regions rate their top five risks at the “Significant Impact” level; in contrast,
Analysis of Differences Among organizations in North America only rate two of their top five risks at that level. Organizations in Latin America/South America
Geographic Regions and in India indicate the highest level of concern about the magnitude and severity of risks for 2019.

Firms more likely to invest in risk management — Interestingly, respondents indicate that they are more likely to devote
Analysis of Differences
Between Organizations With additional time or resources to risk identification and management over the next 12 months relative to their plans in the prior

03
and Without Rated Debt year, suggesting a greater desire to invest in strengthening risk management efforts. This is especially true for financial services
organizations as well as the largest organizations (revenues greater than $10 billion) in our sample. Individuals serving on boards

Protiviti
indicate the greatest desire to devote additional time or resources to risk management, perhaps to better inform their risk oversight
Plans to Deploy Resources to Enhance processes. The overall reality of the riskiness of the global business environment continues to motivate boards and executives to
Risk Management Capabilities renew their focus on effective risk oversight.

A Call to Action:
Questions to Consider

8
Research Team
 TABLE OF CONTENTS

Introduction

Executive Perspectives on Top Risks for 2019

Methodology

Executive Summary
KE Y F I NDI NG S (CO N T I N UED)

Overall Risk Concerns for 2019

Notable shifts in the 2019 top 10 risks — There are noticeable shifts in what constitutes the top 10 risks for 2019 relative to last
year. One risk jumped from the tenth position in the top 10 risks in 2018 to the number one spot for 2019: Concerns that existing
Three-Year Comparison of Risks
operations and legacy IT infrastructure may not be able to meet performance expectations as well as competitors that are “born
digital.” Respondents in five of the six industry groups we examined selected that risk as a top five risk concern, and they rated
Analysis Across Different
Sizes of Organizations
04 it as a “Significant Impact” risk concern for 2019. One risk returned to the top 10 in 2019 after dropping off in the prior year.
Respondents indicated their concerns about the increasing difficulty their organizations face in sustaining customer loyalty and
retention in light of evolving customer preferences and demographic shifts in their customer base. This risk had appeared in the top
10 in our 2015, 2016 and 2017 reports. As in the prior year, seven of the top 10 risks represent operational risk concerns, while the
Analysis Across Executive remaining three top 10 risks represent strategic risk concerns. None of the macroeconomic risk concerns made the top 10 list of risks
Positions Represented for 2019 for the overall sample.

Industry Analysis Regulatory concerns persist, economic concerns vary across the globe — Interestingly, respondents (particularly in Europe) remain
troubled over the threat of regulatory change and increased scrutiny, which has been a top 10 risk all seven years we have conducted

Analysis of Differences Between

Public and Non-Public Entities 05 this survey. But, for the first time, concerns about economic conditions fell out of the top 10 list of risks for 2019 for the overall
survey. Despite that finding for the overall sample, respondents in Europe, Latin America/South America, the Middle East and Africa
did include economic concerns as a top five risk concern for 2019. Perceptions of economic risks are like a swinging pendulum as
perceptions can change quickly over a short period of time as new developments transpire (including after our survey period).
Analysis of Differences Among
Geographic Regions

Analysis of Differences
Between Organizations With
and Without Rated Debt
These are challenging times as digital disruption, regulatory and economic uncertainties, and other issues are

Protiviti
Plans to Deploy Resources to Enhance
Risk Management Capabilities
manifesting themselves across the global marketplace.
— A ndrew Clinton, Executive Vice President, International Operations, Protiviti
A Call to Action:
Questions to Consider

9
Research Team
 TABLE OF CONTENTS

Introduction

Executive Perspectives on Top Risks for 2019

Methodology

The list of top 10 global risks for 2019, along

Executive Summary
with their corresponding 2018 and 2017
scores, appears in Figure 1. With respect to
Digital transformation is a mindset. It is often said that organizations
Overall Risk Concerns for 2019 the top five risks overall: need to disrupt or be disrupted. Digital technologies make possible
Three-Year Comparison of Risks
■■ Existing operations and infrastructure continuous evolution at pace and present opportunities for more
unable to adjust to competitors “born
digital” — Overall, the top concern fundamental and sudden change. The latest technology presents
Analysis Across Different
Sizes of Organizations
among respondents for 2019 relates opportunities to rethink business models and to drive efficiencies and
to the ability of their organization —
relative to their competitors — to adjust improve performance in core operations. To take advantage of these
Analysis Across Executive
Positions Represented
existing operations to meet performance disruptive forces, as well as increase the likelihood that organizations
expectations. That risk concern raced
from the number 10 position in the top
spot them timely, they must learn to act and think digitally and be
Industry Analysis 10 list of risks for 2018 to the number capable of executing digitally.
one position for 2019. This concern may
Analysis of Differences Between be a composite of several significant — J onathan Wyatt, Managing Director, Global Leader, Protiviti Digital
Public and Non-Public Entities
uncertainties — the company’s digital
readiness, its lack of resiliency and agility
Analysis of Differences Among in staying ahead of or keeping pace with competitors. Hyperscalability of digital customer loyalty. In this environment,
Geographic Regions
changing market realities, the restrictive business models and lack of entry barriers established incumbents are leery of “born
burden of significant technical debt, the enable new competitors to emerge digital” players that can alter the game
Analysis of Differences lack of out-of-the-box thinking about and scale very quickly in redefining the by operating more efficiently, digitizing
Between Organizations With
and Without Rated Debt the business model and fundamental customer experience, making it difficult for new products and services, enhancing the
assumptions underlying the strategy, and incumbents to see it coming at all, much customer experience, and/or transforming

Protiviti
Plans to Deploy Resources to Enhance
the existence or threat of more nimble less react in a timely manner to preserve the business model. This risk was a
Risk Management Capabilities

A Call to Action:

10
Questions to Consider

Research Team
 TABLE OF CONTENTS

Introduction

Executive Perspectives on Top Risks for 2019

Methodology

concern for all four size categories of To thrive in the digital age, organizations that significant operational challenges
Executive Summary
organizations in our sample, except need to think and act digitally and have the may arise if organizations are unable to
for the smallest organizations. For most capabilities to execute digital plans. This sustain a workforce with the skills needed
Overall Risk Concerns for 2019 large companies today, it’s not a question vital specialized knowledge and subject- to implement their growth strategies.
of if digital will upend their business but matter expertise are becoming harder ■■ Regulatory change and heightened
Three-Year Comparison of Risks when. Even when executives are aware to acquire and retain on a cost-effective regulatory scrutiny — This risk continues
of emerging technologies that obviously basis. What’s at stake is sustaining the to represent a major source of uncertainty
have disruptive potential, it is often workforce with the requisite talent and among the majority of organizations. Sixty-
Analysis Across Different
Sizes of Organizations difficult to clarify the vision or foresight skills needed to think out of the box in nine percent of our respondents rated this
that anticipates the nature and extent of a rapidly changing digital marketplace, risk as a “Significant Impact” risk. This risk
Analysis Across Executive change — particularly if the organization execute high-performance business dropped to the fourth risk in 2018 after
Positions Represented does not think or act digitally at its core. models, and implement increasingly having been in our top two risk concerns all
■■ Succession challenges and talent demanding growth strategies. The flip prior years we have conducted this survey.
Industry Analysis acquisition and retention — The risk side is that talented people aspire to However, concerns about regulatory change
of succession challenges and the ability be a contributor in a contemporary, and increased regulatory scrutiny moved
Analysis of Differences Between to attract and retain talent moved into dynamic, digitally focused business with up one position for 2019, suggesting
Public and Non-Public Entities
the top five list of risks for 2019, likely its best days ahead of it, rather than to that respondents remain concerned
triggered by a continued tightening labor be bound to a more mature company about potential regulatory influences
Analysis of Differences Among market as unemployment in the United that is not capably structured to be disrupting how they do business. While
Geographic Regions
States hit the lowest jobless rate since innovative and dynamic even though it declining in significance in North America,
1969, as well as the growing gig economy. may have a strategy that asserts it will regulatory concerns were rated a top
Analysis of Differences be. Respondents continue to perceive
Between Organizations With
and Without Rated Debt

Protiviti
Plans to Deploy Resources to Enhance
Risk Management Capabilities

A Call to Action:

11
Questions to Consider

Research Team
 TABLE OF CONTENTS

Introduction

Executive Perspectives on Top Risks for 2019

Methodology

five risk in both Europe and Asia Pacific are two categories of companies — those spawned by disruptive innovations that
Executive Summary
(Asia and Australia/New Zealand). that have been breached and know it and alter business fundamentals can be lethal.
Perhaps the uncertainties over Brexit those that have been breached but don’t Strategic error in the digital economy can
Overall Risk Concerns for 2019 were top of mind for respondents from know it yet. Cybersecurity is a moving result in the ultimate price if a company
Europe. Political gridlock and checks and target as innovative digital transformation continues to play a losing hand in the
Three-Year Comparison of Risks balances remaining present in governing initiatives, cloud computing adoption, marketplace. Coupled with concerns about
institutions continue to be on the minds mobile device usage, machine learning and the inability to adjust existing operations
of respondents. other applications of exponential increases and IT infrastructure to compete with
Analysis Across Different
Sizes of Organizations ■■ Managing cyber threats — Threats related in computing power continue to outpace more nimble competitors, respondents
to cybersecurity are of major concern as the security protections companies have also highlighted a cultural concern related
Analysis Across Executive respondents focus on how such events in place. Increasingly sophisticated attacks to overall resistance to change within
Positions Represented
might interrupt core operations. It is no on the human perimeter by perpetrators of their organizations. As major business
surprise that this risk continues to be cybercrime add to the uncertainty. model disruptors emerge, respondents
Industry Analysis one of the most significant operational ■■ Resistance to change — Enabling change are growing even more focused on the
risks overall and it is a top five risk continues to be a significant priority for organization’s potential unwillingness
Analysis of Differences Between for each of the four size categories of just about every organization on the or inability to make necessary timely
Public and Non-Public Entities
organizations, except for the very largest planet, for change has become a way of adjustments to the business model and
organizations, as well as for four of the life for most companies. Whether covert core operations that might be needed to
Analysis of Differences Among six industry groups we examine. There or overt, resistance to necessary change respond to changes in the overall business
Geographic Regions environment and industry.

Analysis of Differences
Between Organizations With
and Without Rated Debt

Protiviti
Plans to Deploy Resources to Enhance
Risk Management Capabilities

A Call to Action:

12
Questions to Consider

Research Team
 TABLE OF CONTENTS

Introduction

Top 10 Risks for 2019

Executive Perspectives on Top Risks for 2019

FIGU RE 1
Methodology

Executive Summary Our existing operations and legacy IT infrastructure may not be able to meet O
performance expectations related to quality, time to market, cost and innovation as well
as our competitors, especially new competitors that are “born digital” and with a low
Overall Risk Concerns for 2019 cost base for their operations, or established competitors with superior operations

Three-Year Comparison of Risks O

Our organization’s succession challenges and ability to attract and retain top talent
in a tightening talent market may limit our ability to achieve operational targets
Analysis Across Different
Sizes of Organizations

S
Analysis Across Executive Regulatory changes and scrutiny may heighten, noticeably affecting the manner
Positions Represented in which our products or services will be produced or delivered

Industry Analysis
O
Our organization may not be sufficiently prepared to manage cyber threats that
Analysis of Differences Between have the potential to significantly disrupt core operations and/or damage our brand
Public and Non-Public Entities

Analysis of Differences Among O

Geographic Regions Resistance to change may restrict our organization from making necessary
adjustments to the business model and core operations

Analysis of Differences
Between Organizations With 4 5 6 7 8
and Without Rated Debt

Protiviti
Plans to Deploy Resources to Enhance
Risk Management Capabilities

A Call to Action:

13
Questions to Consider

Research Team
 TABLE OF CONTENTS

Introduction

Executive Perspectives on Top Risks for 2019

FIGU RE 1 (CONTINU ED)
Methodology

Executive Summary Rapid speed of disruptive innovations enabled by new and emerging technologies S
and/or other market forces may outpace our organization’s ability to compete
and/or manage the risk appropriately, without making significant changes to our
Overall Risk Concerns for 2019 business model

Three-Year Comparison of Risks O

Ensuring privacy/identity management and information security/system protection
may require significant resources for us
Analysis Across Different
Sizes of Organizations

Inability to utilize data analytics and “big data” to achieve market intelligence and O
Analysis Across Executive increase productivity and efficiency may significantly affect our management of
Positions Represented
core operations and strategic plans

Industry Analysis
Our organization’s culture may not sufficiently encourage the timely identification O
and escalation of risk issues that have the potential to significantly affect our core
Analysis of Differences Between operations and achievement of strategic objectives
Public and Non-Public Entities

Analysis of Differences Among Sustaining customer loyalty and retention may be increasingly difficult due S
Geographic Regions to evolving customer preferences and/or demographic shifts in our existing
customer base
Analysis of Differences
Between Organizations With 4 5 6 7 8
and Without Rated Debt

Protiviti
Plans to Deploy Resources to Enhance
Risk Management Capabilities Legend

M Macroeconomic Risk Issue S Strategic Risk Issue O Operational Risk Issue 2019 2018 2017
A Call to Action:

14
Questions to Consider

Research Team
 TABLE OF CONTENTS

Introduction

Executive Perspectives on Top Risks for 2019

Methodology

In addition to providing a summary of the risks than the C-suite. However, when to market conditions faster than larger,
Executive Summary
overall risk findings across the entire set comparing overall scores for magnitude more established organizations, and
of 825 respondents, we also provide sub- and severity of risks for 2019 to 2018, the threats to their IT systems and concerns
Overall Risk Concerns for 2019 analyses to compare risk perspectives most noticeable increase in risk scores about ensuring the privacy of data in
across respondents from different sized among specific executive groups (other those systems are creating challenges for
Three-Year Comparison of Risks organizations, different C-suite and board than the "Other C-Suite" group) was for organizational leaders to manage. Seven of
positions, industry groupings, and geographic CEOs, suggesting that CEOs perceive a the top 10 risks for the full sample reflect
location of the entity, among other groups. noticeable upward shift in risks for 2019 operational risks, with the remaining three
Analysis Across Different
Sizes of Organizations Some of the most notable key findings from that relative to 2018. In fact, in the prior year, risks related to strategic risk concerns.
sub-analysis include the following: CEOs did not rate any of the 30 risks as The dominance of concern related to the
Analysis Across Executive ■■ Executives have differing views about the “Significant Impact” risks, while for 2019 capabilities of the operations, systems,
Positions Represented
magnitude and severity of risks expected they rated six of 30 risks at that level. personnel and infrastructure from within
in the coming year — There is variation These findings suggest there is a strong the organization is overshadowing risks
Industry Analysis in views among boards and C-suite need for discussion and dialogue to ensure on the horizon driven by external factors.
executives regarding the magnitude and everyone is in agreement at the highest While the strength of the overall economy
Analysis of Differences Between severity of risks for 2019 relative to prior level of the organization as to what the is fueling growth, in some organizations
Public and Non-Public Entities
years. Interestingly, board members most important risk exposures are and that growth may be outpacing the
report the highest overall score about whether the organization is focused on entity’s investment in strengthening
Analysis of Differences Among their impression regarding the magnitude them appropriately. core operations. These concerns are
Geographic Regions
and severity of risk for 2019 relative to consistent across all four size categories of
■■ Dominance of concern about operational
CEOs, CFOs and CROs. Out of the 30 risks organizations we examined. In fact, in all
capabilities — Respondents are
Analysis of Differences examined, board members rate 26 of the size categories except the very largest
Between Organizations With noticeably focused on risks related
30 risks as “Significant Impact” risks. In organizations, four of the top five risk
and Without Rated Debt to their organization’s infrastructure
contrast, CEOs only rated six of the 30 issues reflect operational risk concerns.
and core operations. Advancements in

Protiviti
risks at that level. So board members seem For the very largest organizations, three
Plans to Deploy Resources to Enhance technologies, the ability for organizations
Risk Management Capabilities to be substantially more concerned about of the top five risk concerns are of an
that were “born digital” to quickly adjust
operational risk nature.

A Call to Action:

15
Questions to Consider

Research Team
 TABLE OF CONTENTS

Introduction

Executive Perspectives on Top Risks for 2019

Methodology

■■ Risks vary noticeably across different ■■ Concerns about cyber risks and succession ■■ Most industries sense a heightened risk
Executive Summary
regions of the world — While organizations planning and talent acquisition/ concern for 2019 — Our sub-analyses
operate in a global business environment, retention are very common — Most of results across six different industry
Overall Risk Concerns for 2019 the risks that they may face can differ organizations, except those in the largest groups finds that every group, with the
widely across different geographic size category, identified concerns about exception of the Technology, Media and
Three-Year Comparison of Risks regions. This year we are able to analyze their organization’s ability to manage Telecommunications industry group,
the results across eight different regions cyber threats and the related potential for perceived that the magnitude and severity
of the world. That analysis finds that reputation damage as a top five risk concern. of risks affecting their organizations are
Analysis Across Different
Sizes of Organizations the nature of risks varies significantly As organizations continue to embrace the greater in 2019 than in the prior year. The
depending on geography. Respondents in benefits of technology, automation and Healthcare and Life Sciences industry
Analysis Across Executive Latin America/South America and in India- digital transformation, it is likely that this group reflects the highest overall
Positions Represented based operations rated the magnitude and concern will remain high for years to come. concern related to the magnitude and
severity of risks for 2019 at the highest In fact, cyber concerns have been in the top severity of risks. Not surprisingly, cyber
Industry Analysis levels. And, the nature of risks differs across 10 list of risks all seven years that we have risk is rated as a “Significant Impact” risk
the regions, with five of the eight regions conducted this survey. Succession challenges concern across all six industry groups
Analysis of Differences Between
mostly concerned about operational risks, and the ability to attract and retain top we examined. That risk is the only one
Public and Non-Public Entities while the remaining three regions are most talent appears in the top five list of risks for of the 30 risks identified at that level
concerned about macroeconomic risks. In all four organizational size categories we for all industries. All of the top five risks
Analysis of Differences Among particular, respondents in Europe, Latin examine. Record low unemployment and increased over 2018 for each of the
Geographic Regions America/South America, the Middle East the tightening labor market are creating industry groups, with the exception of
and Africa rated risks related to economic challenges for organizations to scale their two of the top five risks for the Energy and
Analysis of Differences conditions in the top five list of risks. As operations as demand continues to grow in Utilities industry group and one of the top
Between Organizations With organizations explore doing business the current strong economy. Interestingly, five risks for the Technology, Media and
and Without Rated Debt
in different parts of the globe, it will be risks related to cyber and succession Telecommunications industry group.

Protiviti
important for them to understand how planning were deemed as “Significant Risks”
Plans to Deploy Resources to Enhance
Risk Management Capabilities
risks may differ depending on where those by all C-suite positions, including board
operations are based. members, for 2019. Clearly, both are top of
mind issues.
A Call to Action:

16
Questions to Consider

Research Team
 TABLE OF CONTENTS

Introduction

Executive Perspectives on Top Risks for 2019

Methodology

Table 2 lists the top 10 risks with the percentage responses for the three risk classifications (Significant Impact, Potential Impact, Less Significant
Executive Summary
Impact) we employ in this report.

Overall Risk Concerns for 2019

Top 10 Risks (With Percentages of Responses by “Impact” Level)2 TAB LE 2

Three-Year Comparison of Risks

Significant Potential Less Significant

Analysis Across Different R I SK DE SCR I PTI O N
Sizes of Organizations Impact (6 — 10) Impact (5) Impact (1 — 4)

Analysis Across Executive Our existing operations and legacy IT infrastructure may not be able to meet
Positions Represented performance expectations related to quality, time to market, cost and innovation
as well as our competitors, especially new competitors that are “born digital” 71% 12% 17%
and with a low-cost base for their operations, or established competitors with
Industry Analysis superior operations

Analysis of Differences Between Our organization’s succession challenges and ability to attract and retain top talent
71% 11% 18%
Public and Non-Public Entities in a tightening talent market may limit our ability to achieve operational targets

Analysis of Differences Among Regulatory changes and scrutiny may heighten, noticeably affecting the manner in
69% 11% 20%
Geographic Regions which our products or services will be produced or delivered

Analysis of Differences Our organization may not be sufficiently prepared to manage cyber threats that
68% 12% 20%
Between Organizations With have the potential to significantly disrupt core operations and/or damage our brand
and Without Rated Debt

Protiviti
Plans to Deploy Resources to Enhance
Risk Management Capabilities
2
The risks presented in Table 2 are in the same top 10 risk order as reported in Figure 1. That list is based on each risk’s overall average score (using our 10-point scale). Table 2 merely reflects the percentage
of respondents selecting a particular point on the 10-point scale. For example, 71% of respondents selected either “6,” “7,” “8,” “9” or “10” as their response (using our 10-point scale) for the risk related to the
A Call to Action: organization’s existing operations and legacy IT infrastructure, whereas only 69% of respondents chose one of those responses for the risk related to regulatory change and scrutiny.

17
Questions to Consider

Research Team
 TABLE OF CONTENTS

Introduction

Executive Perspectives on Top Risks for 2019

TAB LE 2 (CONTINU ED)
Methodology

Executive Summary Significant Potential Less Significant

R I SK DE SCR I PTI O N (CO NTI NU E D)
Impact (6 — 10) Impact (5) Impact (1 — 4)
Overall Risk Concerns for 2019
Resistance to change may restrict our organization from making necessary
68% 11% 21%
adjustments to the business model and core operations
Three-Year Comparison of Risks

Rapid speed of disruptive innovations enabled by new and emerging technologies

Analysis Across Different
and/or other market forces may outpace our organization’s ability to compete
Sizes of Organizations 68% 11% 21%
and/or manage the risk appropriately, without making significant changes to our
business model
Analysis Across Executive
Positions Represented
Ensuring privacy/identity management and information security/system protection
66% 12% 22%
may require significant resources for us
Industry Analysis

Inability to utilize data analytics and “big data” to achieve market intelligence and
Analysis of Differences Between increase productivity and efficiency may significantly affect our management of core 66% 12% 22%
Public and Non-Public Entities operations and strategic plans

Our organization’s culture may not sufficiently encourage the timely identification
Analysis of Differences Among
Geographic Regions and escalation of risk issues that have the potential to significantly affect our core 65% 11% 24%
operations and achievement of strategic objectives

Analysis of Differences
Between Organizations With
Sustaining customer loyalty and retention may be increasingly difficult due
and Without Rated Debt to evolving customer preferences and/or demographic shifts in our existing 65% 13% 22%
customer base

Protiviti
Plans to Deploy Resources to Enhance
Risk Management Capabilities

A Call to Action:

18
Questions to Consider

Research Team
 TABLE OF CONTENTS

Introduction

Executive Perspectives on Top Risks for 2019

Methodology

In addition to our Key Findings, other notable 10 risk concerns for 2019. The presence manage operations and strategic plans.
Executive Summary
findings this year regarding those risks of this risk in the top 10 is somewhat They sense that other organizations may
making the top 10 include the following: expected given the increasing number be able to capture intelligence that allows
Overall Risk Concerns for 2019
■■ Rapid speed of disruptive innovation — of reports of hacking and other forms of them to be nimbler and more responsive
This strategic risk soared to the cyber intrusion that compromise sensitive to market shifts and changing customer
Three-Year Comparison of Risks top for 2018 and it remains a top 10 customer and personal information. preferences. In the digital age, knowledge
concern for 2019. Sixty-eight percent Two-thirds of our respondents rated this wins and advanced analytics is the key
of our respondents rated this risk as a risk as "Significant Impact" for their to unlocking the gate to insights that can
Analysis Across Different
Sizes of Organizations
“Significant Impact” risk for 2019. This organization. This concern is likely linked differentiate in the market.
top risk reflects respondent concerns to the proliferation of legislation to ■■ Culture may not encourage timely
Analysis Across Executive regarding the specter of disruptive protect the privacy of personal information. escalation of risk issues — Interestingly,
Positions Represented
innovation or new technologies Initiated in the European Union and respondents continue to highlight the
outpacing an organization’s ability to spreading to the United States and need for attention to be given to the
Industry Analysis keep up and remain competitive. With elsewhere, that legislation has created overall culture of the organization to
advancements in digital technologies enormous complexities for business with ensure it is sufficient to encourage the
Analysis of Differences Between and rapidly changing business models, the teeth of potential fines, penalties timely identification and escalation of risk
Public and Non-Public Entities
respondents are focused on whether and reputation loss that cannot be issues. This risk issue was added to our
their organizations are agile enough ignored. As the expanding digital 2015 risk survey, and it has been ranked
Analysis of Differences Among to respond to sudden developments economy enables businesses and third- in the top 10 risks each year since then.
Geographic Regions
that alter customer expectations and party organizations to house sensitive Sixty-five percent of respondents rated
change their core business model. This information obtained in many ways, this risk as a “Significant Impact” risk. The
Analysis of Differences risk is especially a concern for board fresh exposures to that information effectiveness of formal and ad hoc upward
Between Organizations With and identity theft present themselves.
and Without Rated Debt members, CEOs and CROs, with these communications processes is of vital
groups of respondents rating it as a top ■■ Inability to use big data and data importance to keeping an organization’s

Protiviti
Plans to Deploy Resources to Enhance
five risk concern. analytics — There is continued concern leaders in touch with business realities.
Risk Management Capabilities ■■ Privacy and identity management — among respondents about their ability Coupled with concerns over resistance to
Concerns related to privacy and identity to utilize data analytics and big data to change, the presence of this risk reflects on
A Call to Action: protection continue to be among the top achieve competitive advantage and to the state of the organization’s culture.

19
Questions to Consider

Research Team
 TABLE OF CONTENTS

Introduction

Executive Perspectives on Top Risks for 2019

Methodology

■■ Sustaining customer loyalty and retention operations and legacy IT infrastructures ■■ Less concern about macroeconomic
Executive Summary
may be becoming increasingly difficult — (see risk #1 in the top 10 list), they may risk issues for most, but with some
Concern about the organization’s ability not meet the expectations of their core exceptions — Interestingly, respondents
Overall Risk Concerns for 2019 to sustain its existing customer base customers in a manner sufficient to retain are not as concerned about economic
considering changing demographics made their loyalty. conditions in domestic and international
Three-Year Comparison of Risks the top 10 list of risks for 2019 after markets relative to prior years. In the
Additional insights about the overall risk
dropping out of the top 10 in 2018. This six prior years we have conducted this
environment for 2019 can be gleaned
risk is important because companies with study, economic concerns were rated
Analysis Across Different from these analyses, which we highlight
Sizes of Organizations high churn rates incur significant costs high, placing this risk near or at the top
in a number of charts and tables later in
in replacing lost customers. Sustaining of our top 10 risks in most years. Last
this report. Following are some additional
Analysis Across Executive customer loyalty and retention is year, economic concern dropped several
significant findings:
Positions Represented about increasing profitability through
superior top-line performance and
Industry Analysis reduced marketing costs and other costs
associated with educating new customers.
Analysis of Differences Between
Younger generations who have grown
Public and Non-Public Entities up in a technology-centric world are
rapidly embracing digital technologies
One of the most surprising findings this year was the complete absence
Analysis of Differences Among that are transforming all kinds of ways of macroeconomic risk concerns in the top 10 for 2019. Concerns over
Geographic Regions organizations have historically delivered
economic conditions have been highly ranked in all six prior years of
their products and services. The growing
Analysis of Differences presence of app-based platforms, digital our survey, but that perception has shifted in a substantial way looking
Between Organizations With marketing and other online ordering
and Without Rated Debt forward to 2019. However, as we note, economic concerns do exist in
delivery services is shocking many of the
certain areas around the world, including Europe.

Protiviti
traditional forms of customer interactions.
Plans to Deploy Resources to Enhance
Risk Management Capabilities
If organizations cannot adjust their
— M ark Beasley, Professor of Enterprise Risk Management and Director of the ERM Initiative, Poole
College of Management, NC State University
A Call to Action:

20
Questions to Consider

Research Team
 TABLE OF CONTENTS

Introduction

Executive Perspectives on Top Risks for 2019

Methodology

positions and for 2019 that concern did interesting to note the differences in respondents in the Middle East and India
Executive Summary
not make the top 10 list of risks overall. viewpoints about risks for 2019 between are concerned about geopolitical shifts
In fact, no macroeconomic risk made the organizations located in North America and instability in governmental regimes.
Overall Risk Concerns for 2019 overall top 10 list of risks for 2019 and no and those from the rest of the world. Those same respondents, in addition to
macroeconomic risk made the top five risk For North American respondents, only those from organizations in Africa, selected
Three-Year Comparison of Risks concerns for each of the four organization two of their top five risks were rated macroeconomic risk concerns as the
size categories we examine. This suggests as “Significant Impact” risks for 2019; majority of their top five risk issues for 2019.
that respondents seem more positive however, for every other region of the Most risks are higher for 2019 — We
Analysis Across Different ■■
Sizes of Organizations about macroeconomic issues for 2019 world, all of the top five risks in each added two new risks to our list of 30 risks
relative to the past several years. However, region were rated as “Significant Impact” for 2019. Out of the 28 risks that we also
Analysis Across Executive it is important to note that concerns about risks. Similarly, when asked about their examined in the prior year, all but three
Positions Represented the economy are in the top five list of risks views regarding the overall magnitude and of the risks increased in score for 2019
for certain regions of the world, including severity of risks for 2019, respondents relative to 2018. Three of the top five risks
Industry Analysis Europe, Latin America/South America, the from organizations located in North with the greatest increase in risk ratings
Middle East and Africa. America had the lowest score (tied with from 2018 relate to operational risk
Analysis of Differences Between ■■ Risks differ widely depending on region respondents from Africa). Respondents concerns. Interestingly, two of those risks
Public and Non-Public Entities
of the world — In addition to receiving from Latin America/South America and made the top 10 list of risks — concerns
371 responses from individuals in India had the highest concern about about existing operations and legacy
Analysis of Differences Among organizations headquartered in North the magnitude and severity of risks for IT infrastructure and concerns about
Geographic Regions
America, this year we were fortunate to 2019. There are some consistencies in succession and talent acquisition/retention
also receive 454 responses from individuals risk concerns across certain regions of challenges. While concern over risks
Analysis of Differences in other parts of the world. This allows the world. For example, respondents in related to outsourcing and other forms of
Between Organizations With North America, Europe, Australia/New
and Without Rated Debt us to provide more detailed analyses of joint ventures and partnerships did not
responses across different regions of the Zealand and Asia are all concerned about make the top 10 list of risks, that concern

Protiviti
world than we have been able to do in their organizations’ existing operations increased noticeably for 2019 from 2018 —
Plans to Deploy Resources to Enhance
Risk Management Capabilities prior year surveys. This year we provide a and legacy IT infrastructure, succession and indicating that this is a risk that is being
detailed breakdown of the results across talent acquisition/retention challenges, and watched more closely.
eight different geographic regions. It is exposure to regulatory change. In contrast,
A Call to Action:

21
Questions to Consider

Research Team
 TABLE OF CONTENTS

Introduction

Executive Perspectives on Top Risks for 2019

Methodology

■■ Concerns about ease of entrance of new ■■ Boards perceive a much riskier risks. This contrasts with 2018, when none of
Executive Summary
competitors and shifts in consumer pref- environment — Surprisingly, board the top five risks of CEOs were “Significant
erences affect most organizations — All members, CEOs, chief risk officers, and Impact” risks.
Overall Risk Concerns for 2019 organizations signaled an increased concern other individuals in C-suite positions ■■ Boards see risks differently than the
about the ease of entrance of new compet- perceive that the magnitude and severity C-suite — Board members are most
Three-Year Comparison of Risks itors into the industry and marketplace for of risks may be higher for 2019 relative to concerned about the ease of entrance
2019. With advancements in technologies 2018. Only CFOs, chief audit executives and of competitors into the industry and
enabling improved operational efficiencies chief information/technology officers sense marketplace. That represents their
Analysis Across Different
Sizes of Organizations and the hyperscalability of business models a slightly less risky business environment number one risk concern. None of the
to accommodate rapid growth, there are for 2019 in comparison to prior years. These C-suite executives identified that as a top
Analysis Across Executive opportunities for organizations to enter new findings suggest that there are noticeable five risk concern for 2019. Board members
Positions Represented markets like never before. For example, new differences in viewpoints among board are also concerned about the potential
entrants can leverage technology in ways members and C-suite executives about the for increased regulatory scrutiny and
Industry Analysis that avoid the costly investments in physical nature of the overall risk environment and change, while that did not make the top
infrastructures that have traditionally pro- the need to invest more time and resources five list of risks for CEOs or CFOs. Of
Analysis of Differences Between
vided the platform for offering products and in risk management for 2019. What is particular interest, they are concerned
Public and Non-Public Entities services. Respondents are also increasingly most striking is that board members are about economic conditions, as are
concerned about their ability to identify and much more concerned about the overall CEOs. Respondents in most of the other
Analysis of Differences Among respond to unexpected shifts in social, envi- magnitude and severity of risks relative to C-suite positions did not include that
Geographic Regions ronmental and other customer preferences. senior management. Board members ranked concern as a top five risk issue, except for
For certain demographic shifts, such as an 26 of the 30 risks as “Significant Impact” chief information/technology officers.
Analysis of Differences aging population and increased urbanization, risks. In contrast, CEOs ranked only six of the These differences in views highlight
Between Organizations With organizations are concerned that they may 30 risks at that level, while CFOs only ranked
and Without Rated Debt the critical importance of boards and
not recognize those and other shifts on a five at that level. These differences are more senior management engaging in robust

Protiviti
timely basis, or they are concerned that their pronounced than in our prior year results. conversations about the critical enterprise
Plans to Deploy Resources to Enhance
Risk Management Capabilities
existing business models may not be sustain- The top five risk concerns of board members risks and emerging risks. It also suggests
able under new conditions. and individuals representing the various that board members may not be as fully
C-suite positions are all “Significant Impact” engaged as management with the digital
A Call to Action:

22
Questions to Consider

Research Team
 TABLE OF CONTENTS

Introduction

Executive Perspectives on Top Risks for 2019

Methodology

revolution and its implications to the list of risk exposures across all organizations, concerned about an internal culture that
Executive Summary
companies they serve, creating greater warranting a careful assessment by each may be resistant to change as well as
uncertainty on their part with respect to organization of its risk profile. about protecting the privacy and identity
Overall Risk Concerns for 2019 these issues. ■■ For-profit entities view risks differently of sensitive information they possess
■■ Bigger organizations perceive greater than not-for-profit and governmental within their organizations.
Three-Year Comparison of Risks uncertainty — The three largest size organizations — Succession challenges The remainder of this report includes our
categories of organizations rated all of and the ability to attract and retain talent in-depth analysis of perceptions about specific
Analysis Across Different their top five risks as “Significant Impact” is a top five risk concern for all types risk concerns. We identify and discuss variances
Sizes of Organizations
risks for 2019. The smallest organizations of organizational structures — publicly in the responses when viewed by organization
(those with revenues under $100 million) traded companies; private, for-profit size, type, industry and geography, as well as
Analysis Across Executive rated only one of their top five risks as entities; and non-profit organizations. by respondent role. In addition, on page 121
Positions Represented
“Significant Impact.” Thus, the environment For-profit entities — both publicly traded we pose key questions as a call to action for
for most organizations appears to be risky, and privately held — are concerned board members and executive management
Industry Analysis even though respondents from smaller about limitations they may face due to to consider that can serve as a diagnostic to
organizations do not sense the same their existing operations and legacy IT evaluate and improve their organization’s risk
Analysis of Differences Between overall level of risk concern. Unease over infrastructure, changes in regulatory assessment and management process.
Public and Non-Public Entities
operational risks is common among all scrutiny, and the potential for disruptive
Our plan is to continue conducting this risk
sizes of organizations (although the specific innovations to rapidly emerge and
survey annually so we can stay abreast of key
Analysis of Differences Among operational risks differ), and concerns about disrupt their business models and core
Geographic Regions risk issues on the minds of executives and
those risks are generally higher for 2019 operations. Non-profit and governmental
observe trends in risk concerns over time.
relative to 2018. These findings emphasize organizations face a different set of
Analysis of Differences the reality that there is no “one size fits all” top risk issues. They are particularly
Between Organizations With
and Without Rated Debt

Protiviti
Plans to Deploy Resources to Enhance
Risk Management Capabilities

A Call to Action:

23
Questions to Consider

Research Team
 TABLE OF CONTENTS

Introduction

Methodology

Executive Summary
Overall Risk Concerns for 2019
Overall Risk Concerns for 2019

Before asking respondents to assess the

Three-Year Comparison of Risks Overall, what is your impression of the magnitude 2019 2018 2017
importance of each of the 30 risks, we asked
and severity of risks your organization will be facing
them to provide their overall impression of with respect to reaching or exceeding profitability (or
Analysis Across Different the magnitude and severity of risks their funding) targets over the next 12 months? 6.2 6.0 6.2
Sizes of Organizations
organization will be facing with respect
to reaching or exceeding profitability (or
Analysis Across Executive
Positions Represented
funding) targets over the next 12 months. We
concern about those same risk issues in operations and legacy IT infrastructures to
provided them with a 10-point scale where
2019 relative to 2018. The 2019 average risk meet performance expectations of their key
1 = “Extremely Low” and 10 = “Extensive.”
Industry Analysis scores are also higher than those in 2017, stakeholders. They are concerned that “born
The data above shows there appears to be a
except for one risk. These results suggest digital” competitors with a lower investment
slightly higher concern about the overall risk
Analysis of Differences Between that there is an overall greater risk concern in brick-and-mortar infrastructure and
environment relative to 2018 returning to
Public and Non-Public Entities for 2019 relative to the prior two years. None capability to deploy hyperscalable business
the level observed two years ago.
of the top 10 risk issues for 2019 relates to models that reduce dependence on human
Analysis of Differences Among
Figure 1 (shown earlier) summarizes the macroeconomic concerns, while three relate resources are more capable of transforming
Geographic Regions top 10 risks for 2019. Nine of the top 10 to strategic risk issues. Thus, operational the customer experience and responding to
risk concerns for 2019 were also included risks once again dominate the 2019 top 10 rapidly changing market conditions. Further, the
Analysis of Differences in the top 10 list of risks for 2018. While risk challenges. lower entry costs to enter some markets may
Between Organizations With respondents continue to be concerned about
and Without Rated Debt For 2019, respondents are especially focused allow new forms of competition to threaten
similar issues, the overall level of concern more established, traditional businesses.
on the risks associated with the ability of

Protiviti
about each of the top 10 risks is higher than While this risk made the top 10 list of risks in
Plans to Deploy Resources to Enhance their organizations to adjust their existing
in 2018, signaling a consistently stronger
Risk Management Capabilities

A Call to Action:

24
Questions to Consider

Research Team
 TABLE OF CONTENTS

Introduction

Executive Perspectives on Top Risks for 2019

Methodology

2018, it was in the number 10 spot. This year, age, organizations need to think and act digital In four of the six prior risk surveys we have
Executive Summary
respondents rated this concern significantly and this requires a different set of capabilities, conducted, regulatory risk was the number
higher, moving it to the number one position in knowledge and skills. As boundaryless one risk concern, falling to the number four
Overall Risk Concerns for 2019
the list of risks for 2019. organizations expand their global reach, they position last year. This year, this risk increased
Succession planning and acquiring and must “think digital” as well as “think global” as by one position, suggesting an increasing
Three-Year Comparison of Risks retaining talent remains a top risk concern for they build the culturally aware, diverse and concern about the impact of regulatory
2019, moving up four positions to the number collaborative teams needed to be agile and change relative to the other top 10 risks.
two spot for 2019. For the past six surveys, this resilient so they can innovate and face the While discussions among political leaders in
Analysis Across Different
Sizes of Organizations
risk has appeared in the list of top 10 risks. With future confidently. For example, companies in the United States about reducing some of
changing demographics in the workplace due to some industries must now access talent pools the regulatory burden may have provided
Analysis Across Executive an aging population and the increasing influence globally to obtain the specialized knowledge some a sense that potential relief may be on
Positions Represented
of millennials, record low unemployment, strong and technical know-how they need. The survey the horizon, the impact on policy change as a
economic growth, increasingly demanding results likely indicate that executives recognize result of the midterm elections in the United
Industry Analysis customers, increasingly sophisticated business the need for talented people with the requisite States and changing policies in Europe
models, and growing complexity in the global knowledge, skills and core values to execute due to potential key leadership changes
Analysis of Differences Between marketplace, organizations must up their game innovative and challenging growth strategies in Germany and the United Kingdom’s
Public and Non-Public Entities
to acquire, develop and retain the right talent. in a rapidly changing world. And such talent anticipated settlement of its separation from
Multiple trends are transforming the global lacks abundance. the European Union may be creating some
Analysis of Differences Among talent landscape as well as creating the need for Anxiety continues over how regulatory uncertainty about how all of those changes
Geographic Regions
altering talent management strategies. These changes and heightened regulatory might impact regulations and government
trends include globalization, digitalization, scrutiny may affect the manner in which policies. This risk is included in the top five list
Analysis of Differences increasing mobility, worker shortfalls over the an organization’s products and services are of risks for all sizes of organizations except the
Between Organizations With smallest (those with revenues less than $100
and Without Rated Debt long term in many developed countries, and produced or delivered. This risk concern
growing opportunities in emerging markets. remains high on the top 10 risks list for 2019, million). Four of our six industry groups rated

Protiviti
To illustrate, digital technology raises the bar consistent with what we have observed in all this risk as a “Significant Impact” risk (i.e., a
Plans to Deploy Resources to Enhance
Risk Management Capabilities in the war for talent. To thrive in the digital seven years we have conducted this study. risk with an average score of 6.0 or higher on

A Call to Action:

25
Questions to Consider

Research Team
 TABLE OF CONTENTS

Introduction

Executive Perspectives on Top Risks for 2019

Methodology

our 10-point scale). The stakes are high since,

Executive Summary
without effective management of regulatory
risks, organizations are reactive, at best,
Risks associated with heightened regulatory oversight and new limits on
Overall Risk Concerns for 2019
and noncompliant, at worst, with all of the how organizations may conduct business have been front-of-mind in all
attendant consequences.
Three-Year Comparison of Risks
seven years we have conducted this survey, never falling below the fourth
It should come as no surprise to see that
concerns about the risk of cyber threats highest-ranked risk. We have no doubt this will continue as we observe
Analysis Across Different
Sizes of Organizations
disrupting core operations for organizations significant changes in governmental leadership around the globe.
remained in the top five. Cyber risks have
evolved into a moving target, with digitization — B ruce Branson, Professor of Accounting, Associate Director, Enterprise Risk Management Initiative,
Analysis Across Executive advances, cloud computing adoption, Poole College of Management, NC State University
Positions Represented
mobile device usage, creative applications of
exponential increases in computing power, and
Industry Analysis innovative digital transformation initiatives companies, cyber risk events have already change restricting necessary adjustments to
constantly outpacing the security protections taken place and continue to take place, yet their business model and core operations is a
Analysis of Differences Between companies have in place. Given publicity about many companies do not have the detection top 10 risk for 2019. In these uncertain times,
Public and Non-Public Entities
data breaches, ransomware attacks and failures and response capabilities they need to reduce it makes sense to enhance the organization’s
to patch known vulnerabilities, along with the the impact and frequency of such events. With ability and discipline to act decisively on
Analysis of Differences Among growing presence of state-sponsored cyber the increasing sophistication of perpetrators revisions to strategic and business plans
Geographic Regions
terrorism and advanced persistent threats and the significant impact of a breach, more in response to changing market realities,
and their devastating drain on intellectual organizations are recognizing that this risk particularly in light of the potential for
Analysis of Differences property and reputation, the stakes for effective is an enterprise security issue, not just an IT significant disruptive innovation. To that
Between Organizations With
and Without Rated Debt cybersecurity spiral upward. As they do, more security issue. end, organizations committed to continuous
executives and directors are recognizing the In addition to issues related to existing improvement along with breakthrough,

Protiviti
Plans to Deploy Resources to Enhance
need for “cyber resiliency.” The old thinking operations and legacy IT infrastructures disruptive change and innovation to
Risk Management Capabilities of “it is not a matter of if a cyber risk event impeding an organization’s ability to respond processes, products and services are more
might occur, but more a matter of when it will to shifting market conditions, respondents apt to be early movers in exploiting market
A Call to Action: occur” is dated. It’s happening — now. For most also continue to indicate that resistance to opportunities and responding to emerging

26
Questions to Consider

Research Team
 TABLE OF CONTENTS

Introduction

Executive Perspectives on Top Risks for 2019

Methodology

risks. The rules of the game are disrupt or executing strategy. With the accelerating managing privacy, information and system
Executive Summary
be disrupted. Interestingly, this risk concern speed of change and advancement of digital security risks. With the spread of the
made the top five list of risks for all sizes of technologies, rapid response to changing European Union data protection legislation
Overall Risk Concerns for 2019
organizations, except for the largest category market expectations is a significant requirements to the United States and
(i.e., revenues greater than $10 billion). This competitive advantage for organizations that elsewhere, the realities of this growing risk
Three-Year Comparison of Risks risk was rated as a “Significant Impact” risk by are nimble as an early mover and able to concern are highlighted by the continued
the largest organizations, but was rated eighth avoid bureaucratic “command and control” coverage of hacking attacks exposing
in their overall ranking. More importantly, processes that slow down the ability to tremendous amounts of sensitive information
Analysis Across Different
Sizes of Organizations board members and all members of the change in the face of market opportunities involving a number of large companies,
C-suite — except for CEOs — rated this as a and emerging threats. This risk is a particular the federal government and high-profile
Analysis Across Executive “Significant Impact” risk for 2019. concern for board members and members political campaigns. The continued advances
Positions Represented
Respondents continue to be concerned about of the C-suite, with all of them rating it as a of technology disruptors in the form of
the rapid speed of disruptive innovations and “Significant Impact” risk for 2019, except for digitization to harvest new sources of value
Industry Analysis dramatic changes that new technologies may those in the CFO and CAE positions. It is also through business model innovation require
have in the marketplace. This risk concern is a top five risk issue for organizations in the continued progress in maturing security and
Analysis of Differences Between rated sixth in 2019, after rising significantly Financial Services and the Technology, Media privacy capabilities across the enterprise.
Public and Non-Public Entities
to the top risk concern in the prior year. and Telecommunications industry groups. Achieving this maturation requires improved
Innovations in traditional forms of conducting Along with concerns about cyber threats collaboration between IT and the core
Analysis of Differences Among business may quickly interrupt what has been are challenges related to privacy/identity business as well as improvements to the
Geographic Regions
a core way of doing business. If organizations management and information security/ human perimeter.
are not proactively thinking about how they system protection. Technological innovation Respondents recognize the growing volume
Analysis of Differences might respond, they may be too late to deal is a powerful source of disruptive change, of data that may be available to them, but they
Between Organizations With
and Without Rated Debt with the impact. Further complexity arises and no one wants to be on the wrong side are concerned that they may not have the
from the nature of innovative, market- of it. Cloud computing, social media, mobile ability to utilize data analytics and “big data”

Protiviti
Plans to Deploy Resources to Enhance
changing organizations; these companies technologies and other initiatives to use as effectively as others. Many are observing
Risk Management Capabilities are built differently, not because they technology as a source of innovation and how some major players in the marketplace
have a “digital strategy,” but because they an enabler to strengthen the customer are leveraging knowledge gleaned from
A Call to Action: “think and behave digitally” in setting and experience present new challenges for structured and unstructured data to improve

27
Questions to Consider

Research Team
 TABLE OF CONTENTS

Introduction

Executive Perspectives on Top Risks for 2019

Methodology

operational efficiency and effectiveness and risk management, compliance and responsible customers away from traditional businesses
Executive Summary
target products and services more sharply business behavior has a huge effect on by appealing to their shifting preferences.
to the most appropriate market segments. timely escalation of risk issues. The timely Younger generations may be more willing
Overall Risk Concerns for 2019
Respondents are concerned that they may be identification and escalation of key risks is not to explore new options and innovations, and
falling behind some of their key competitors easy, which is likely why this risk was ranked may be less inclined to remain loyal customers
Three-Year Comparison of Risks with these capabilities and that may limit highly. Given the overall levels of risk impact to a particular provider. This is particularly a
their ability to manage core operations and scores for all risks in 2019, this cultural concern for CEOs who rated this as their top
strategic plans. This is particularly a concern issue may be especially concerning to senior risk concern for 2019, and the increase in
Analysis Across Different
Sizes of Organizations for the largest organizations that included management and boards. Board members, their concern relative to 2018 is noticeable.
this risk concern as a top five risk issue for CIOs/CTOs and Other C-Suite executives Interestingly, they were the only executive
Analysis Across Executive 2019. Those who serve as chief information (see our position analysis section for how category to include this risk in their top five
Positions Represented officers also included this as one of their this group is defined) rated this risk as a risk concerns for 2019 and this reflects their
top five risk concerns. “Significant Impact” risk for 2019. focus on the top line.
Industry Analysis Respondents expressed concern that their A risk re-entering the top 10 list for 2019 We also compared the average scores for 2019
organization’s culture may not encourage relates to the concern that the organization may for the total population of 30 risks that we
Analysis of Differences Between the timely identification and escalation of not be able to sustain and retain customer examined in 2018 to identify those risks with
Public and Non-Public Entities
risk issues that might significantly affect core loyalty as existing customer preferences and the largest changes in scores from 2018 to
operations. Despite the recognition that there demographics evolve. This risk was consistently 2019. The five risks with the greatest increases
Analysis of Differences Among are several significant top risk concerns along a top 10 risk in 2015-2017 but did not appear in risk scores are shown in Table 3. Three of
Geographic Regions
operational, strategic and macroeconomic in our 2018 ranking. Over time, as consumers the five risks with the biggest year-over-year
dimensions, there appears to be an overall become more accustomed and comfortable increases relate to operational risks. Among
Analysis of Differences lack of confidence that effective processes with emerging technologies, they are more the increasing risk issues, respondents are
Between Organizations With
and Without Rated Debt are in place for individuals to elevate risk likely to do business with organizations concerned that competitors may enter their
issues to the leadership of the organization. that leverage those technologies to better markets and as a result, they may also face

Protiviti
Plans to Deploy Resources to Enhance
The collective impact of the tone at the top, deliver products and services. This dynamic difficulty in sustaining and retaining existing
Risk Management Capabilities tone in the middle and tone at the bottom on positions new competitors to lure loyal core customers.

A Call to Action:

28
Questions to Consider

Research Team
 TABLE OF CONTENTS

Introduction

The Five Risks with Highest Level of Increase

Executive Perspectives on Top Risks for 2019

TAB LE 3
Methodology

Executive Summary
R I SK DE SCR I PTI O N Type of Risk 2019 2018 Increase

Overall Risk Concerns for 2019

Our existing operations and legacy IT infrastructure may not be able to meet
performance expectations related to quality, time to market, cost and innovation
Three-Year Comparison of Risks as well as our competitors, especially new competitors that are “born digital” Operational 6.35 5.67 0.68
and with a low-cost base for their operations, or established competitors with
superior operations
Analysis Across Different
Sizes of Organizations
Our organization’s succession challenges and ability to attract and retain top talent
Operational 6.34 5.88 0.46
in a tightening talent market may limit our ability to achieve operational targets
Analysis Across Executive
Positions Represented
Risks arising from our reliance on outsourcing and strategic sourcing
arrangements, IT vendor contracts, and other partnerships/joint ventures
Operational 5.70 5.29 0.41
Industry Analysis to achieve operational goals may prevent us from meeting organizational
targets or impact our brand image

Analysis of Differences Between

Public and Non-Public Entities Ease of entrance of new competitors into the industry and marketplace or
other significant changes in the competitive environment (such as major Strategic 5.56 5.18 0.38
market concentrations due to M&A activity) may threaten our market share
Analysis of Differences Among
Geographic Regions
Sustaining customer loyalty and retention may be increasingly difficult due
to evolving customer preferences and/or demographic shifts in our existing Strategic 5.95 5.57 0.38
Analysis of Differences customer base
Between Organizations With
and Without Rated Debt

Protiviti
Plans to Deploy Resources to Enhance
Risk Management Capabilities

A Call to Action:

29
Questions to Consider

Research Team
 TABLE OF CONTENTS

Introduction

Executive Perspectives on Top Risks for 2019

Methodology

We also examined those risks with the greatest reduction in risk impact scores from 2018 to 2019 (see Table 4). Note that only three risks actually
Executive Summary
decreased in magnitude in 2019. The final two risks are those with the smallest increases from 2018 to 2019. That highlights the overall heightened
level of risk concern, given the overall risk scores of only three of the 30 risks we examined reflected a decrease between 2018 and 2019.
Overall Risk Concerns for 2019

The Five Risks with Highest Level of Decrease (or Smallest Increase) TAB LE 4
Three-Year Comparison of Risks

Analysis Across Different

Sizes of Organizations
Decrease/
R I SK DE SCR I PTI O N Type of Risk 2019 2018 Smallest
Increase
Analysis Across Executive
Positions Represented
Shifts in environmental, social and governance (ESG) preferences as well
as expectations of key stakeholders may be difficult for us to identify and Strategic 5.23 5.57 -0.34
Industry Analysis address on a timely basis

Analysis of Differences Between Uncertainty surrounding the influence and continued tenure of key global
Public and Non-Public Entities leaders may impact national and international markets to the point of Macroeconomic 5.12 5.45 -0.33
significantly limiting our growth opportunities

Analysis of Differences Among

Geographic Regions Anticipated volatility in global financial markets and currency exchange rates
Macroeconomic 5.25 5.37 -0.12
may create significantly challenging issues for our organization to address

Analysis of Differences
Between Organizations With Rapid speed of disruptive innovations enabled by new and emerging
and Without Rated Debt technologies and/or other market forces may outpace our organization’s ability
Strategic 6.13 6.10 0.03
to compete and/or manage the risk appropriately, without making significant

Protiviti
changes to our business model
Plans to Deploy Resources to Enhance
Risk Management Capabilities
Our organization’s culture may not sufficiently encourage the timely
identification and escalation of risk issues that have the potential to significantly Operational 5.99 5.91 0.08
A Call to Action: affect our core operations and achievement of strategic objectives

30
Questions to Consider

Research Team
 TABLE OF CONTENTS

Introduction

Executive Perspectives on Top Risks for 2019

Methodology

Two of the three risks that fell in 2019 from markets, rising consumer confidence and regions included economic conditions in
Executive Summary
2018 involve macroeconomic risks. While in regulatory relief are creating more overall their top five list of risks. That is not too
prior years respondents have consistently optimism about the economy for 2019 surprising given the ongoing focus on
Overall Risk Concerns for 2019
indicated notable concerns about overall relative to prior years. Despite the overall operationalizing Brexit, recent elections in
economic conditions restricting growth drop in this risk concern, it is interesting to Brazil, the announcements of leadership
Three-Year Comparison of Risks in markets their organizations serve, that note that board members, CEOs and CIOs/ changes in Germany, and overall concerns
risk issue fell out of the top 10 list of risk CTOs identified economic concerns as a about nationalistic trends and trade policies.
issues for 2019 after being in the number top five risk issue for 2019. Additionally, Collectively, these results suggest economic
Analysis Across Different
Sizes of Organizations one spot in 2017 and the eighth position respondents in the European, Latin American/ concerns remain a significant issue in the
in our top 10 list for 2018. Strong capital South American, Middle Eastern and African boardroom and in certain regions.
Analysis Across Executive
Positions Represented

Industry Analysis

Analysis of Differences Between

Public and Non-Public Entities Overall, seven of the top 10 risks for 2019 are operational risks. Six of these are rated as "Significant Impact"
risks — a major increase from 2018 (only one risk rated at this level) and 2017 (no risks rated as "Significant
Analysis of Differences Among
Geographic Regions Impact" risks). These results indicate that a heightened focus on operations will be observed in the coming year.
— Don Pagach, Professor of Accounting, Director of Research, Enterprise Risk Management Initiative, Poole College of Management, NC State University
Analysis of Differences
Between Organizations With
and Without Rated Debt

Protiviti
Plans to Deploy Resources to Enhance
Risk Management Capabilities

A Call to Action:

31
Questions to Consider

Research Team
 TABLE OF CONTENTS

Introduction

Methodology

Executive Summary
Three-Year Comparison of Risks
Overall Risk Concerns for 2019

Three-Year Comparison of Risks

We provide an analysis of the overall had an overall score that fell into the “Less
three-year trends for the 30 risks surveyed Significant Impact — Rating of 6.0 Significant Impact” category. Only three
●
or higher
this year. As discussed previously, to help risks saw lower average scores for 2019
Analysis Across Different identify differences in risk concerns across relative to 2018. Among the three risks that
Sizes of Organizations ● Potential Impact — Rating of 4.5 — 5.99
respondent type, we group all the risks based saw a decrease in risk score from 2018 to
on their average scores into one of three 2019, two represent macroeconomic risks,
Analysis Across Executive Less Significant Impact — Rating of
classifications. Consistent with our prior ● suggesting that respondents are noticeably
Positions Represented 4.49 or lower
studies, we use the following color-coding less concerned about these issues for 2019.
scheme to highlight risks visually using For the most part, the relative significance of all
Industry Analysis
these three categories. Table 5 summarizes Twenty-five of the 28 risks we examined in the risks in the macroeconomic and strategic
the impact assessments for each of the 30 both 2018 and 2019 increased in 2019 based categories has remained consistent for all
Analysis of Differences Between risks for the full sample, and it shows the color on their average risk scores. Eight of the 30
Public and Non-Public Entities years, as observed by the consistency in color
code for the 28 risks examined in all three risks were rated as “Significant Impact” risks reflected for most risks across the three years
years. Recall that we added two new risks to for 2019, which is noticeably more than both reported. We do observe a marked change in
Analysis of Differences Among
Geographic Regions
the 2019 study. Thus, we only show results 2018 and 2017, when only two of the 30 risks the operational risk category, however. Here,
for this year for these two risks. were rated at that level. This is consistent we see six of the 10 risk concerns rated as
with the overall finding that respondents “Significant Impact,” a dramatic increase from
Analysis of Differences
Between Organizations With are more concerned about the magnitude 2018 (one risk in this category) and 2017 (no
and Without Rated Debt and severity of risks for 2019 relative to risks rated in this manner).
the two prior years. None of the 30 risks

Protiviti
Plans to Deploy Resources to Enhance
Risk Management Capabilities

A Call to Action:

32
Questions to Consider

Research Team
 TABLE OF CONTENTS

Introduction

Perceived Impact for 2019 Relative to Prior Years — Full Sample

Executive Perspectives on Top Risks for 2019

TAB LE 5
Methodology

Executive Summary 2019

M ACRO ECO NO M I C R I SK I SSU E S 2019 2018 2017
Rank
Overall Risk Concerns for 2019
Economic conditions in markets we currently serve may significantly restrict growth
11 ● ● ●
opportunities for our organization
Three-Year Comparison of Risks
Unexpected change in the current interest rate environment may have a significant effect
18 ● ● ●
on the organization’s operations
Analysis Across Different
Sizes of Organizations
Anticipated increases in labor costs may affect our opportunity to meet profitability targets 19 ● ● ●

Analysis Across Executive Geopolitical shifts and instability in governmental regimes or expansion of global terrorism
22 ● ● ●
Positions Represented may restrict the achievement of our global growth and profitability objectives

Anticipated volatility in global financial markets and currency exchange rates may create
23 ● ● ●
Industry Analysis significantly challenging issues for our organization to address

Our ability to access sufficient capital/liquidity may restrict growth opportunities for
Analysis of Differences Between 26 ● ● ●
our organization
Public and Non-Public Entities
Evolving changes in global trade policies may limit our ability to operate effectively and
28 ● ● ●
efficiently in international markets
Analysis of Differences Among
Geographic Regions
Uncertainty surrounding the influence and continued tenure of key global leaders may
impact national and international markets to the point of significantly limiting our 29 ● ● ●
Analysis of Differences growth opportunities
Between Organizations With
and Without Rated Debt Demands made by activist investors and other key stakeholders may significantly affect
30 ● N/A N/A
how we do business in the marketplace (new in 2019)

Protiviti
Plans to Deploy Resources to Enhance
Risk Management Capabilities

A Call to Action:

33
Questions to Consider

Research Team
 TABLE OF CONTENTS

Introduction

Executive Perspectives on Top Risks for 2019

TAB LE 5 (CONTINU ED)
Methodology

Executive Summary 2019

STR ATEG I C R I SK I SSU E S 2019 2018 2017
Rank
Overall Risk Concerns for 2019
Regulatory changes and scrutiny may heighten, noticeably affecting the manner in which
3 ● ● ●
our products or services will be produced or delivered
Three-Year Comparison of Risks
Rapid speed of disruptive innovations enabled by new and emerging technologies and/or
other market forces may outpace our organization’s ability to compete and/or manage the 6 ● ● ●
Analysis Across Different risk appropriately, without making significant changes to our business model
Sizes of Organizations
Sustaining customer loyalty and retention may be increasingly difficult due to evolving
10 ● ● ●
customer preferences and/or demographic shifts in our existing customer base
Analysis Across Executive
Positions Represented Our organization may not be sufficiently prepared to manage an unexpected crisis
12 ● ● ●
significantly impacting our reputation
Industry Analysis Social media, mobile applications and other Internet-based applications may significantly
impact our brand, customer relationships, regulatory compliance processes and/or how we 13 ● ● ●
do business
Analysis of Differences Between
Public and Non-Public Entities
Opportunities for organic growth through customer acquisition and/or enhancement may
14 ● ● ●
be significantly limited for our organization
Analysis of Differences Among
Geographic Regions Substitute products and services may arise that affect the viability of our current business
16 ● ● ●
model and planned strategic initiatives

Analysis of Differences Ease of entrance of new competitors into the industry and marketplace or other significant
Between Organizations With changes in the competitive environment (such as major market concentrations due to M&A 17 ● ● ●
and Without Rated Debt activity) may threaten our market share

Protiviti
Plans to Deploy Resources to Enhance
Risk Management Capabilities

A Call to Action:

34
Questions to Consider

Research Team
 TABLE OF CONTENTS

Introduction

Executive Perspectives on Top Risks for 2019

TAB LE 5 (CONTINU ED)
Methodology

Executive Summary 2019

STR ATEG I C R I SK I SSU E S (CO NTI NU E D) 2019 2018 2017
Rank
Overall Risk Concerns for 2019
Growth through acquisitions, joint ventures and other partnership activities may be
21 ● ● ●
difficult to identify and implement
Three-Year Comparison of Risks

Shifts in environmental, social and governance (ESG) preferences as well as expectations of

24 ● ● ●
key stakeholders may be difficult for us to identify and address on a timely basis
Analysis Across Different
Sizes of Organizations
Performance vulnerabilities may trigger shareholder activism against our organization that
27 ● ● ●
may significantly impact our organization’s strategic plan and vision
Analysis Across Executive
Positions Represented

Industry Analysis
2019
O PE R ATI O NAL R I SK I SSU E S 2019 2018 2017
Rank

Analysis of Differences Between Our existing operations and legacy IT infrastructure may not be able to meet performance
Public and Non-Public Entities
expectations related to quality, time to market, cost and innovation as well as our competitors,
1 ● ● ●
especially new competitors that are “born digital” and with a low cost base for their operations,
Analysis of Differences Among
or established competitors with superior operations
Geographic Regions
Our organization’s succession challenges and ability to attract and retain top talent in a
2 ● ● ●
tightening talent market may limit our ability to achieve operational targets
Analysis of Differences
Between Organizations With Our organization may not be sufficiently prepared to manage cyber threats that have the
4 ● ● ●
and Without Rated Debt potential to significantly disrupt core operations and/or damage our brand

Protiviti
Resistance to change may restrict our organization from making necessary adjustments to
Plans to Deploy Resources to Enhance 5 ● ● ●
the business model and core operations
Risk Management Capabilities

A Call to Action:

35
Questions to Consider

Research Team
 TABLE OF CONTENTS

Introduction

Executive Perspectives on Top Risks for 2019

TAB LE 5 (CONTINU ED)
Methodology

Executive Summary 2019

OPE R ATI O NAL R I SK I SSU E S (CO NTI NU E D) 2019 2018 2017
Rank
Overall Risk Concerns for 2019
Ensuring privacy/identity management and information security/system protection may
7 ● ● ●
require significant resources for us
Three-Year Comparison of Risks
Inability to utilize data analytics and “big data” to achieve market intelligence and increase
productivity and efficiency may significantly affect our management of core operations 8 ● ● ●
Analysis Across Different and strategic plans
Sizes of Organizations
Our organization’s culture may not sufficiently encourage the timely identification and
escalation of risk issues that have the potential to significantly affect our core operations 9 ● ● ●
Analysis Across Executive
and achievement of strategic objectives
Positions Represented

Risks arising from our reliance on outsourcing and strategic sourcing arrangements, IT
Industry Analysis
vendor contracts, and other partnerships/joint ventures to achieve operational goals may 15 ● ● ●
prevent us from meeting organizational targets or impact our brand image

Analysis of Differences Between The cultural behaviors and personal interactions with others exhibited by the organization’s
Public and Non-Public Entities management team and other key representatives — as manifested through day-to-day
decision-making, attitudes and conduct — may not be aligned with the long-term interests 20 ● N/A N/A
of shareholders, the board’s risk appetite, compliance with laws and regulations, and/or the
Analysis of Differences Among core values most accepted and rewarded by the marketplace (new in 2019)
Geographic Regions
Uncertainty surrounding the viability of key suppliers, scarcity of supply, or stable supply
25 ● ● ●
prices may make it difficult to deliver our products or services at acceptable margins
Analysis of Differences
Between Organizations With
and Without Rated Debt

Protiviti
Plans to Deploy Resources to Enhance
Risk Management Capabilities

A Call to Action:

36
Questions to Consider

Research Team
 TABLE OF CONTENTS

Introduction

Methodology

Executive Summary
Analysis Across Different Sizes of Organizations
Overall Risk Concerns for 2019

The sizes of organizations, as measured by total revenues, vary across our 825 respondents, as shown below. The mix of sizes of organizations
Three-Year Comparison of Risks
represented by respondents is relatively similar to the mix of respondents in our prior years’ surveys. Almost 70 percent of our respondents are in
organizations with revenues between $100 million and $10 billion.
Analysis Across Different
Sizes of Organizations

Analysis Across Executive

MO ST R ECE NT R E VE NU E S N U M BER O F R ES P O N D EN TS
Positions Represented

Revenues $10 billion or greater 150

Industry Analysis
Revenues $1 billion to $9.99 billion 348
Analysis of Differences Between
Revenues $100 million to $999 million 226
Public and Non-Public Entities

Revenues less than $100 million 101

Analysis of Differences Among
Geographic Regions
Total Number of Respondents 825

Analysis of Differences
Between Organizations With
and Without Rated Debt

Protiviti
Plans to Deploy Resources to Enhance
Risk Management Capabilities

A Call to Action:

37
Questions to Consider

Research Team
 TABLE OF CONTENTS

Introduction

Executive Perspectives on Top Risks for 2019

Methodology

The overall outlook about risk conditions revenues above $100 million) all perceive The overall magnitude and severity of risks
Executive Summary
differs across sizes of organizations. We an increase in the magnitude and severity is believed to be highest among the largest
asked respondents to provide their overall of risks for their organizations, while the organizations and declines in step with the
Overall Risk Concerns for 2019 impression of the magnitude and severity of smallest organizations indicated that the size strata we explore. There was a significant
risks their organization will be facing with magnitude and severity of risks has been increase in the perception of the magnitude
Three-Year Comparison of Risks respect to reaching or exceeding profitability relatively stable over the three-year period. and severity of risks from 2018 to 2019 for
(or funding) targets over the next 12 months, The smallest-sized organizations are also the our largest firms.
Analysis Across Different using a 10-point scale where 1 = “Extremely least concerned relative to organizations in
Sizes of Organizations Low” and 10 = “Extensive.” The three largest the other size categories.
size categories of organizations (those with
Analysis Across Executive
Positions Represented

Overall, what is your impression of the magnitude and severity of risks your organization will be facing with
Industry Analysis 2019 2018 2017
respect to reaching or exceeding profitability (or funding) targets over the next 12 months?

Analysis of Differences Between Organizations with revenues $10 billion or greater 6.5 5.9 6.5
Public and Non-Public Entities
Organizations with revenues between $1 billion and $9.99 billion 6.3 6.1 6.6

Analysis of Differences Among Organizations with revenues between $100 million and $999 million 6.2 6.1 5.8
Geographic Regions
Organizations with revenues less than $100 million 5.5 5.5 5.4

Analysis of Differences
Between Organizations With
and Without Rated Debt

Protiviti
Plans to Deploy Resources to Enhance
Risk Management Capabilities

A Call to Action:

38
Questions to Consider

Research Team
 TABLE OF CONTENTS

Introduction

Executive Perspectives on Top Risks for 2019

Methodology

Consistent with our findings related to the change from 2018, when this was the highest- Except for the smallest organizations (those
Executive Summary
overall top 10 risks for 2019 for the full sample, rated risk for the smallest organizations in with revenues less than $100 million), all
operational risks dominate the top five risks our sample. Similarly, the three largest size other sizes of organizations rated all of their
Overall Risk Concerns for 2019 for each of the size categories of organizations. groups share a concern over their legacy IT top five risks as “Significant Impact” risks. The
For all but the largest group, four of the top five infrastructure and their ability to keep pace largest organizations (those with revenues of
Three-Year Comparison of Risks risks are operational in nature, while for those with new competitors who likely have lower $10 billion or more) rated all five above 6.50.
organizations with revenues in excess of $10 cost structures and are more resilient in For the smallest organizations, only their top-
Analysis Across Different billion, three of the top five are in this cate- embracing the new digital landscape. rated risk — concern about cyber threats —
Sizes of Organizations gory. Succession challenges and the ability was rated as a ”Significant Impact” risk.
All organizations, except those in the largest
to attract and retain top talent appears on category (those with revenues of $10 billion or The sense that core business models may
Analysis Across Executive all four top five lists. This makes sense given more), rated concerns about their organization’s be altered by competitors that introduce
Positions Represented the tightening labor market as the economy ability to manage cyber threats and related new and innovative ways of doing business
continues to expand and strengthen and damage to operations and brand as a top is on the minds of respondents from both
Industry Analysis creates new opportunities for these organi- five risk concern. Interestingly, the largest our largest and smallest organizations. The
zations’ workforces. organizations rated this risk as 13th overall, accompanying charts summarize the top-
Analysis of Differences Between Regulatory change and regulatory scrutiny suggesting that they may be in a leadership rated risks by size of organization. Only the
Public and Non-Public Entities
continue to be a top five concern for most position in mitigating exposure to this particular top five risks are reported.
organizations, except those with revenues risk event. Indeed, they have more capacity to
Analysis of Differences Among less than $100 million. This is a significant invest in cybersecurity measures.
Geographic Regions

Analysis of Differences
Between Organizations With
and Without Rated Debt

Protiviti
Plans to Deploy Resources to Enhance
Risk Management Capabilities

A Call to Action:

39
Questions to Consider

Research Team
 TABLE OF CONTENTS

Introduction

Rev $10B or Greater

Executive Perspectives on Top Risks for 2019

Methodology

Executive Summary
S
Regulatory changes and scrutiny may heighten, noticeably affecting the manner in
which our products or services will be produced or delivered
Overall Risk Concerns for 2019

Three-Year Comparison of Risks Our existing operations and legacy IT infrastructure may not be able to meet O
performance expectations related to quality, time to market, cost and innovation as well
as our competitors, especially new competitors that are “born digital” and with a low
Analysis Across Different
cost base for their operations, or established competitors with superior operations
Sizes of Organizations

Rapid speed of disruptive innovations enabled by new and emerging technologies S

Analysis Across Executive and/or other market forces may outpace our organization’s ability to compete
Positions Represented and/or manage the risk appropriately, without making significant changes to our
business model

Industry Analysis
O
Our organization’s succession challenges and ability to attract and retain top talent
Analysis of Differences Between in a tightening talent market may limit our ability to achieve operational targets
Public and Non-Public Entities

Analysis of Differences Among Inability to utilize data analytics and “big data” to achieve market intelligence and O
Geographic Regions increase productivity and efficiency may significantly affect our management of core
operations and strategic plans
Analysis of Differences
Between Organizations With 4 5 6 7 8
and Without Rated Debt

Protiviti
Plans to Deploy Resources to Enhance
Risk Management Capabilities Legend

M Macroeconomic Risk Issue S Strategic Risk Issue O Operational Risk Issue 2019 2018 2017
A Call to Action:

40
Questions to Consider

Research Team
 TABLE OF CONTENTS

Introduction

Rev $1B to $9.9B

Executive Perspectives on Top Risks for 2019

Methodology

Executive Summary Our existing operations and legacy IT infrastructure may not be able to meet O
performance expectations related to quality, time to market, cost and innovation as well
as our competitors, especially new competitors that are “born digital” and with a low
Overall Risk Concerns for 2019 cost base for their operations, or established competitors with superior operations

Three-Year Comparison of Risks O

Our organization’s succession challenges and ability to attract and retain top talent
in a tightening talent market may limit our ability to achieve operational targets
Analysis Across Different
Sizes of Organizations

S
Analysis Across Executive Regulatory changes and scrutiny may heighten, noticeably affecting the manner in
Positions Represented which our products or services will be produced or delivered

Industry Analysis
O
Resistance to change may restrict our organization from making necessary adjustments
Analysis of Differences Between to the business model and core operations
Public and Non-Public Entities

Analysis of Differences Among O

Geographic Regions Our organization may not be sufficiently prepared to manage cyber threats that
have the potential to significantly disrupt core operations and/or damage our brand

Analysis of Differences
Between Organizations With 4 5 6 7 8
and Without Rated Debt

Protiviti
Plans to Deploy Resources to Enhance
Risk Management Capabilities Legend

M Macroeconomic Risk Issue S Strategic Risk Issue O Operational Risk Issue 2019 2018 2017
A Call to Action:

41
Questions to Consider

Research Team
 TABLE OF CONTENTS

Introduction

Rev $100M to $999M

Executive Perspectives on Top Risks for 2019

Methodology

Executive Summary
O
Our organization’s succession challenges and ability to attract and retain top talent
in a tightening talent market may limit our ability to achieve operational targets
Overall Risk Concerns for 2019

Three-Year Comparison of Risks Our existing operations and legacy IT infrastructure may not be able to meet O
performance expectations related to quality, time to market, cost and innovation as well
as our competitors, especially new competitors that are “born digital” and with a low
Analysis Across Different
cost base for their operations, or established competitors with superior operations
Sizes of Organizations

O
Analysis Across Executive Our organization may not be sufficiently prepared to manage cyber threats that
Positions Represented have the potential to significantly disrupt core operations and/or damage our brand

Industry Analysis
O
Resistance to change may restrict our organization from making necessary
Analysis of Differences Between adjustments to the business model and core operations
Public and Non-Public Entities

Analysis of Differences Among S

Geographic Regions Regulatory changes and scrutiny may heighten, noticeably affecting the manner in
which our products or services will be produced or delivered

Analysis of Differences
Between Organizations With 4 5 6 7 8
and Without Rated Debt

Protiviti
Plans to Deploy Resources to Enhance
Risk Management Capabilities Legend

M Macroeconomic Risk Issue S Strategic Risk Issue O Operational Risk Issue 2019 2018 2017
A Call to Action:

42
Questions to Consider

Research Team
 TABLE OF CONTENTS

Introduction

Rev Less than $100M

Executive Perspectives on Top Risks for 2019

Methodology

Executive Summary
O
Our organization may not be sufficiently prepared to manage cyber threats that
have the potential to significantly disrupt core operations and/or damage our brand
Overall Risk Concerns for 2019

Three-Year Comparison of Risks O

Our organization’s succession challenges and ability to attract and retain top talent
in a tightening talent market may limit our ability to achieve operational targets
Analysis Across Different
Sizes of Organizations

Rapid speed of disruptive innovations enabled by new and emerging technologies S

Analysis Across Executive and/or other market forces may outpace our organization’s ability to compete
Positions Represented and/or manage the risk appropriately, without making significant changes to our
business model

Industry Analysis
O
Ensuring privacy/identity management and information security/system protection may
Analysis of Differences Between require significant resources for us
Public and Non-Public Entities

Analysis of Differences Among O

Geographic Regions Resistance to change may restrict our organization from making necessary
adjustments to the business model and core operations

Analysis of Differences
Between Organizations With 4 5 6 7 8
and Without Rated Debt

Protiviti
Plans to Deploy Resources to Enhance
Risk Management Capabilities Legend

M Macroeconomic Risk Issue S Strategic Risk Issue O Operational Risk Issue 2019 2018 2017
A Call to Action:

43
Questions to Consider

Research Team
 TABLE OF CONTENTS

Introduction

Methodology

Executive Summary
Analysis Across Executive Positions Represented
Overall Risk Concerns for 2019

We targeted our survey to individuals currently serving on the board of directors or in senior executive positions so that we could capture C-suite
Three-Year Comparison of Risks
and board perspectives about risks on the horizon for 2019. Respondents to the survey serve in a number of different board and executive
positions. The remaining respondents represent individuals currently serving in a variety of executive positions. We received responses from 90
Analysis Across Different members of a board of directors, and it is reasonable to expect that some CEOs and perhaps other C-level executives also serve on a board.
Sizes of Organizations

Analysis Across Executive

Positions Represented E X ECU TI VE PO SI TI O N N U M BER O F R ES P O N D EN TS

Industry Analysis Board of Directors 90

Chief Executive Officer 47

Analysis of Differences Between
Public and Non-Public Entities Chief Financial Officer 35

Chief Risk Officer 210

Analysis of Differences Among
Geographic Regions Chief Audit Executive 192

Chief Information/Technology Officer 55

Analysis of Differences
Between Organizations With Other C-Suite³ 100
and Without Rated Debt
All other4 96

Protiviti
Plans to Deploy Resources to Enhance Total Number of Respondents 825
Risk Management Capabilities

3
This category includes titles such as chief operating officer, general counsel and chief compliance officer.
A Call to Action: 4
These 96 respondents either did not provide a response or are best described as middle management or business advisers/consultants. We do not provide a separate analysis for this category.

44
Questions to Consider

Research Team
 TABLE OF CONTENTS

Introduction

Executive Perspectives on Top Risks for 2019

Methodology

To determine if perspectives about top risks Similar to our analysis of the full sample and to reaching or exceeding profitability (or
Executive Summary
differ across executive positions, we also across the different sizes of organizations, we funding) targets over the next 12 months,
analyzed key findings for boards of directors analyzed responses about overall impressions using a 10-point scale where 1 = “Extremely
Overall Risk Concerns for 2019 and the six executive positions with the greatest of the magnitude and severity of risks across Low” and 10 = “Extensive.”
number of respondents: chief executive officer the above types of respondents. Again, the
Three-Year Comparison of Risks (CEO), chief financial officer (CFO), chief risk scores in the table below reflect responses to
officer (CRO), chief audit executive (CAE), chief the question about their overall impression
information/technology officer (CIO/CTO), and of the magnitude and severity of risks their
Analysis Across Different
Sizes of Organizations Other C-Suite executives.5 organization will be facing with respect

Analysis Across Executive

Positions Represented
Overall, what is your impression of the magnitude and severity of risks your organization will be facing with
2019 2018 2017
respect to reaching or exceeding profitability (or funding) targets over the next 12 months?
Industry Analysis

Board of Directors 6.7 6.4 5.5

Analysis of Differences Between
Public and Non-Public Entities Chief Executive Officer 6.4 5.9 6.0

Chief Financial Officer 6.0 6.3 6.3

Analysis of Differences Among
Geographic Regions Chief Risk Officer 5.9 5.5 6.3

Chief Audit Executive 6.0 6.4 6.1

Analysis of Differences
Between Organizations With Chief Information/Technology Officer 6.2 6.3 6.6
and Without Rated Debt
Other C-Suite 6.8 6.0 6.4

Protiviti
Plans to Deploy Resources to Enhance
Risk Management Capabilities

5
We grouped individuals with equivalent but different executive titles into these positions when appropriate. For example, we included “Vice President — Risk Management” in the CRO grouping and we
A Call to Action: included “Director of Finance” in the CFO grouping.

45
Questions to Consider

Research Team
 TABLE OF CONTENTS

Introduction

Executive Perspectives on Top Risks for 2019

Methodology

The overall impression among executives Interestingly, CIOs/CTOs lowered their 2019 of three classifications. Consistent with
Executive Summary
with respect to the magnitude and severity of impressions below not only their 2018 ratings prior studies, we use the following color-
risks in the environment is decidedly mixed. but also their 2017 ratings, and CROs, while coding scheme to highlight risks visually
Overall Risk Concerns for 2019 Board members, CEOs and Other C-Suite increasing from 2018, report the lowest level using these three categories. Below, Table
executives have significantly increased their of concern across the variety of positions 6 summarizes the impact assessments for
Three-Year Comparison of Risks 2019 risk expectations relative to 2018. we surveyed. This contrast in perspectives each of the 30 risks for the full sample and
These respondents rated the magnitude suggests there may be value in explicitly for each category of executive using the
and severity of risks for 2019 at the highest discussing and analyzing factors that might be following color code scheme:
Analysis Across Different
Sizes of Organizations level among all executives. This increase influencing overall impressions about the risk
in risk expectations may be the result of environment among key leaders, especially
Analysis Across Executive overall concern about how quickly business at the highest level of the organization. Thus, Significant Impact — Rating of 6.0
●
Positions Represented
conditions and expectations for oversight enterprise risk assessments would benefit or higher
are changing, as well as how quickly it could from the influx of multiple perspectives.
change going forward. Only CFOs, CAEs and ● Potential Impact — Rating of 4.5 — 5.99
Industry Analysis As discussed previously, to help identify
CIOs/CTOs lowered their future impressions differences in risk concerns across
Less Significant Impact — Rating of
Analysis of Differences Between
of the risk environment. respondent type, we group all the risks ●
4.49 or lower
Public and Non-Public Entities
based on their average scores into one

Analysis of Differences Among

Geographic Regions

Analysis of Differences
Between Organizations With
and Without Rated Debt

Protiviti
Plans to Deploy Resources to Enhance
Risk Management Capabilities

A Call to Action:

46
Questions to Consider

Research Team
 TABLE OF CONTENTS

Introduction

Role

Executive Perspectives on Top Risks for 2019

TAB LE 6
Methodology

Executive Summary CIO/ Other

MACRO ECO NO M I C R I SK I SSU E S Board CEO CFO CRO CAE
CTO C-Suite
Overall Risk Concerns for 2019
Economic conditions in markets we currently serve may significantly
● ● ● ● ● ● ●
restrict growth opportunities for our organization
Three-Year Comparison of Risks
Anticipated increases in labor costs may affect our opportunity to meet
● ● ● ● ● ● ●
profitability targets
Analysis Across Different
Sizes of Organizations Unexpected change in the current interest rate environment may have a
● ● ● ● ● ● ●
significant effect on the organization’s operations
Analysis Across Executive
Our ability to access sufficient capital/liquidity may restrict growth
Positions Represented ● ● ● ● ● ● ●
opportunities for our organization

Anticipated volatility in global financial markets and currency exchange rates

Industry Analysis ● ● ● ● ● ● ●
may create significantly challenging issues for our organization to address

Geopolitical shifts and instability in governmental regimes or expansion

Analysis of Differences Between
of global terrorism may restrict the achievement of our global growth and ● ● ● ● ● ● ●
Public and Non-Public Entities
profitability objectives

Analysis of Differences Among

Uncertainty surrounding the influence and continued tenure of key global
Geographic Regions leaders may impact national and international markets to the point of ● ● ● ● ● ● ●
significantly limiting our growth opportunities

Analysis of Differences Demands made by activist investors and other key stakeholders may
● ● ● ● ● ● ●
Between Organizations With significantly affect how we do business in the marketplace (new in 2019)
and Without Rated Debt
Evolving changes in global trade policies may limit our ability to operate

Protiviti
● ● ● ● ● ● ●
effectively and efficiently in international markets
Plans to Deploy Resources to Enhance
Risk Management Capabilities

A Call to Action:

47
Questions to Consider

Research Team
 TABLE OF CONTENTS

Introduction

Executive Perspectives on Top Risks for 2019

TAB LE 6 (CONTINU ED)
Methodology

Executive Summary CIO/ Other

STR ATEG I C R I SK I SSU E S Board CEO CFO CRO CAE
CTO C-Suite
Overall Risk Concerns for 2019
Rapid speed of disruptive innovations enabled by new and emerging
technologies and/or other market forces may outpace our organization’s
● ● ● ● ● ● ●
Three-Year Comparison of Risks ability to compete and/or manage the risk appropriately, without making
significant changes to our business model

Analysis Across Different Sustaining customer loyalty and retention may be increasingly difficult due
Sizes of Organizations to evolving customer preferences and/or demographic shifts in our existing ● ● ● ● ● ● ●
customer base
Analysis Across Executive
Positions Represented Regulatory changes and scrutiny may heighten, noticeably affecting the
● ● ● ● ● ● ●
manner in which our products or services will be produced or delivered

Social media, mobile applications and other Internet-based applications

Industry Analysis
may significantly impact our brand, customer relationships, regulatory ● ● ● ● ● ● ●
compliance processes and/or how we do business
Analysis of Differences Between
Public and Non-Public Entities Our organization may not be sufficiently prepared to manage an
● ● ● ● ● ● ●
unexpected crisis significantly impacting our reputation

Analysis of Differences Among Opportunities for organic growth through customer acquisition and/or
● ● ● ● ● ● ●
Geographic Regions enhancement may be significantly limited for our organization

Shifts in environmental, social and governance (ESG) preferences as well

Analysis of Differences as expectations of key stakeholders may be difficult for us to identify and ● ● ● ● ● ● ●
Between Organizations With address on a timely basis
and Without Rated Debt
Ease of entrance of new competitors into the industry and marketplace or

Protiviti
other significant changes in the competitive environment (such as major ● ● ● ● ● ● ●
Plans to Deploy Resources to Enhance
Risk Management Capabilities
market concentrations due to M&A activity) may threaten our market share

A Call to Action:

48
Questions to Consider

Research Team
 TABLE OF CONTENTS

Introduction

Executive Perspectives on Top Risks for 2019

TAB LE 6 (CONTINU ED)
Methodology

Executive Summary CIO/ Other

S TRATEG I C R I SK I SSU E S (CO NTI NU E D) Board CEO CFO CRO CAE
CTO C-Suite
Overall Risk Concerns for 2019
Substitute products and services may arise that affect the viability of our
● ● ● ● ● ● ●
current business model and planned strategic initiatives
Three-Year Comparison of Risks
Growth through acquisitions, joint ventures and other partnership
● ● ● ● ● ● ●
activities may be difficult to identify and implement
Analysis Across Different
Sizes of Organizations Performance vulnerabilities may trigger shareholder activism against our
organization that may significantly impact our organization’s strategic plan ● ● ● ● ● ● ●
Analysis Across Executive and vision
Positions Represented

Industry Analysis CIO/ Other

O PE R ATI O NAL R I SK I SSU E S Board CEO CFO CRO CAE
CTO C-Suite
Analysis of Differences Between
Public and Non-Public Entities Our organization’s succession challenges and ability to attract and retain
top talent in a tightening talent market may limit our ability to achieve ● ● ● ● ● ● ●
operational targets
Analysis of Differences Among
Geographic Regions Our organization may not be sufficiently prepared to manage cyber threats
that have the potential to significantly disrupt core operations and/or ● ● ● ● ● ● ●
damage our brand
Analysis of Differences
Between Organizations With
and Without Rated Debt
Our existing operations and legacy IT infrastructure may not be able to
meet performance expectations related to quality, time to market, cost and
innovation as well as our competitors, especially new competitors that are

Protiviti
● ● ● ● ● ● ●
Plans to Deploy Resources to Enhance “born digital” and with a low cost base for their operations, or established
Risk Management Capabilities competitors with superior operations

A Call to Action:

49
Questions to Consider

Research Team
 TABLE OF CONTENTS

Introduction

Executive Perspectives on Top Risks for 2019

TAB LE 6 (CONTINU ED)
Methodology

Executive Summary CIO/ Other

OPE RATI O NAL R I SK I SSU E S (CO NTI NU E D) Board CEO CFO CRO CAE
CTO C-Suite
Overall Risk Concerns for 2019
Resistance to change may restrict our organization from making necessary
● ● ● ● ● ● ●
adjustments to the business model and core operations
Three-Year Comparison of Risks
Ensuring privacy/identity management and information security/system
● ● ● ● ● ● ●
protection may require significant resources for us
Analysis Across Different
Sizes of Organizations Inability to utilize data analytics and “big data” to achieve market
intelligence and increase productivity and efficiency may significantly ● ● ● ● ● ● ●
Analysis Across Executive affect our management of core operations and strategic plans
Positions Represented
Risks arising from our reliance on outsourcing and strategic sourcing
arrangements, IT vendor contracts, and other partnerships/joint ventures
● ● ● ● ● ● ●
Industry Analysis
to achieve operational goals may prevent us from meeting organizational
targets or impact our brand image

Analysis of Differences Between Our organization’s culture may not sufficiently encourage the
Public and Non-Public Entities timely identification and escalation of risk issues that have the
● ● ● ● ● ● ●
potential to significantly affect our core operations and achievement
of strategic objectives
Analysis of Differences Among
Geographic Regions Uncertainty surrounding the viability of key suppliers, scarcity of supply, or
stable supply prices may make it difficult to deliver our products or services ● ● ● ● ● ● ●
at acceptable margins
Analysis of Differences
Between Organizations With
The cultural behaviors and personal interactions with others exhibited by
and Without Rated Debt
the organization’s management team and other key representatives — as
manifested through day-to-day decision-making, attitudes and conduct —

Protiviti
● ● ● ● ● ● ●
Plans to Deploy Resources to Enhance may not be aligned with the long-term interests of shareholders, the board’s
Risk Management Capabilities risk appetite, compliance with laws and regulations, and/or the core values
most accepted and rewarded by the marketplace (new in 2019)

A Call to Action:

50
Questions to Consider

Research Team
 TABLE OF CONTENTS

Introduction

Executive Perspectives on Top Risks for 2019

Methodology

Board members and Other C-Suite executives Of particular note is the observation that three discussions, given the different perspectives
Executive Summary
overwhelmingly exhibit the most significant of the top five risks for board members relate each brings to the table and the potential for
concern about risk issues, as reflected by their to strategic risk concerns, which are more than a lack of consensus about the organization’s
Overall Risk Concerns for 2019 ratings of the 30 risks at the highest impact level any other position. CEOs, CROs and the group most significant risks. Without clarity of focus,
(red circles). Board members rate 26 of the 30 of executives in our Other C-Suite category the executive team may be unaligned with
Three-Year Comparison of Risks risks at the highest level, followed closely by the identify two of their top five risks in this the board on what the top risks are. Worse,
Other C-Suite executives, who rate 25 of the 30 category. CAEs and CFOs almost exclusively they may not be appropriately addressing the
in this manner. CIOs/CTOs were not far behind, pinpointed operational issues in their top five most important risks facing the organization,
Analysis Across Different
Sizes of Organizations identifying 19 of the 30 risks at the highest risks (all five for CAEs and four of five for CFOs). thereby leaving the organization potentially
impact level. At the other end of the spectrum, In contrast, board members took a broader view vulnerable to certain risk events. The disparity
Analysis Across Executive CFOs identified only five of the 30 risks at the and did not include a single operational risk in reflected above may also reflect CEOs and
Positions Represented
highest level and CEOs were not much different, their top five list this year. board members taking more of a “big picture”
pegging six of the 30 at the highest level. This disparity in viewpoints emphasizes view as other executives focus more on
Industry Analysis The charts on the following pages highlight the critical importance of both the board operational issues.
the top five risks identified by each position. and the management team engaging in risk
Analysis of Differences Between
Public and Non-Public Entities

Analysis of Differences Among

Geographic Regions

With the disparity of views regarding risk in today’s complex business environment, companies can best differentiate
Analysis of Differences
Between Organizations With themselves with a properly structured risk-informed approach that considers the impact of risk on strategy and
and Without Rated Debt
performance, measures both risks and opportunities, is integrated with strategy-setting and business planning and

Protiviti
Plans to Deploy Resources to Enhance
Risk Management Capabilities
execution, and addresses the business needs, expectations and cultural attributes of the organization.
— E mma Marcandalli, Managing Director, Protiviti
A Call to Action:

51
Questions to Consider

Research Team
 TABLE OF CONTENTS

Introduction

Board Members

Executive Perspectives on Top Risks for 2019

Methodology

Executive Summary
Ease of entrance of new competitors into the industry and marketplace or S
other significant changes in the competitive environment (such as major market
Overall Risk Concerns for 2019 concentrations due to M&A activity) may threaten our market share

Three-Year Comparison of Risks S

Regulatory changes and scrutiny may heighten, noticeably affecting the manner
in which our products or services will be produced or delivered
Analysis Across Different
Sizes of Organizations

M
Analysis Across Executive Economic conditions in markets we currently serve may significantly restrict growth
Positions Represented opportunities for our organization

Industry Analysis
M
Anticipated increases in labor costs may affect our opportunity to meet
Analysis of Differences Between profitability targets
Public and Non-Public Entities

Rapid speed of disruptive innovations enabled by new and emerging technologies S

Analysis of Differences Among
Geographic Regions and/or other market forces may outpace our organization’s ability to compete
and/or manage the risk appropriately, without making significant changes to our
business model
Analysis of Differences
Between Organizations With 4 5 6 7 8
and Without Rated Debt

Protiviti
Plans to Deploy Resources to Enhance
Risk Management Capabilities Legend

M Macroeconomic Risk Issue S Strategic Risk Issue O Operational Risk Issue 2019 2018 2017
A Call to Action:

52
Questions to Consider

Research Team
 TABLE OF CONTENTS

Introduction

CEOs

Executive Perspectives on Top Risks for 2019

Methodology

Executive Summary
Sustaining customer loyalty and retention may be increasingly difficult due S
to evolving customer preferences and/or demographic shifts in our existing
Overall Risk Concerns for 2019 customer base

Three-Year Comparison of Risks O

Our organization’s succession challenges and ability to attract and retain top talent
in a tightening talent market may limit our ability to achieve operational targets
Analysis Across Different
Sizes of Organizations

O
Analysis Across Executive Our organization may not be sufficiently prepared to manage cyber threats that
Positions Represented have the potential to significantly disrupt core operations and/or damage our brand

Industry Analysis
M
Economic conditions in markets we currently serve may significantly restrict growth
Analysis of Differences Between opportunities for our organization
Public and Non-Public Entities

Rapid speed of disruptive innovations enabled by new and emerging technologies S

Analysis of Differences Among
Geographic Regions and/or other market forces may outpace our organization’s ability to compete
and/or manage the risk appropriately, without making significant changes to our
business model
Analysis of Differences
Between Organizations With 4 5 6 7 8
and Without Rated Debt

Protiviti
Plans to Deploy Resources to Enhance
Risk Management Capabilities Legend

M Macroeconomic Risk Issue S Strategic Risk Issue O Operational Risk Issue 2019 2018 2017
A Call to Action:

53
Questions to Consider

Research Team
 TABLE OF CONTENTS

Introduction

CFOs

Executive Perspectives on Top Risks for 2019

Methodology

Executive Summary
O
Our organization’s succession challenges and ability to attract and retain top talent
in a tightening talent market may limit our ability to achieve operational targets
Overall Risk Concerns for 2019

Three-Year Comparison of Risks O

Resistance to change may restrict our organization from making necessary
adjustments to the business model and core operations
Analysis Across Different
Sizes of Organizations

Our existing operations and legacy IT infrastructure may not be able to meet O
Analysis Across Executive performance expectations related to quality, time to market, cost and innovation as well
Positions Represented as our competitors, especially new competitors that are “born digital” and with a low
cost base for their operations, or established competitors with superior operations

Industry Analysis
O
Our organization may not be sufficiently prepared to manage cyber threats that
Analysis of Differences Between have the potential to significantly disrupt core operations and/or damage our brand
Public and Non-Public Entities

Analysis of Differences Among M

Geographic Regions Anticipated increases in labor costs may affect our opportunity to meet
profitability targets

Analysis of Differences
Between Organizations With 4 5 6 7 8
and Without Rated Debt

Protiviti
Plans to Deploy Resources to Enhance
Risk Management Capabilities Legend

M Macroeconomic Risk Issue S Strategic Risk Issue O Operational Risk Issue 2019 2018 2017
A Call to Action:

54
Questions to Consider

Research Team
 TABLE OF CONTENTS

Introduction

CROs

Executive Perspectives on Top Risks for 2019

Methodology

Executive Summary Rapid speed of disruptive innovations enabled by new and emerging technologies S
and/or other market forces may outpace our organization’s ability to compete
and/or manage the risk appropriately, without making significant changes to our
Overall Risk Concerns for 2019 business model

Three-Year Comparison of Risks O

Our organization’s succession challenges and ability to attract and retain top talent
in a tightening talent market may limit our ability to achieve operational targets
Analysis Across Different
Sizes of Organizations

S
Analysis Across Executive Regulatory changes and scrutiny may heighten, noticeably affecting the manner in
Positions Represented which our products or services will be produced or delivered

Industry Analysis
Our existing operations and legacy IT infrastructure may not be able to meet O
performance expectations related to quality, time to market, cost and innovation as well
Analysis of Differences Between as our competitors, especially new competitors that are “born digital” and with a low
Public and Non-Public Entities cost base for their operations, or established competitors with superior operations

Analysis of Differences Among O

Geographic Regions Resistance to change may restrict our organization from making necessary
adjustments to the business model and core operations

Analysis of Differences
Between Organizations With 4 5 6 7 8
and Without Rated Debt

Protiviti
Plans to Deploy Resources to Enhance
Risk Management Capabilities Legend

M Macroeconomic Risk Issue S Strategic Risk Issue O Operational Risk Issue 2019 2018 2017
A Call to Action:

55
Questions to Consider

Research Team
 TABLE OF CONTENTS

Introduction

CAEs

Executive Perspectives on Top Risks for 2019

Methodology

Executive Summary Our existing operations and legacy IT infrastructure may not be able to meet O
performance expectations related to quality, time to market, cost and innovation as well
as our competitors, especially new competitors that are “born digital” and with a low
Overall Risk Concerns for 2019 cost base for their operations, or established competitors with superior operations

Three-Year Comparison of Risks O

Our organization’s succession challenges and ability to attract and retain top talent
in a tightening talent market may limit our ability to achieve operational targets
Analysis Across Different
Sizes of Organizations

O
Analysis Across Executive Our organization may not be sufficiently prepared to manage cyber threats that
Positions Represented have the potential to significantly disrupt core operations and/or damage our brand

Industry Analysis
O
Resistance to change may restrict our organization from making necessary
Analysis of Differences Between adjustments to the business model and core operations
Public and Non-Public Entities

Analysis of Differences Among O

Geographic Regions Ensuring privacy/identity management and information security/system
protection may require significant resources for us

Analysis of Differences
Between Organizations With 4 5 6 7 8
and Without Rated Debt

Protiviti
Plans to Deploy Resources to Enhance
Risk Management Capabilities Legend

M Macroeconomic Risk Issue S Strategic Risk Issue O Operational Risk Issue 2019 2018 2017
A Call to Action:

56
Questions to Consider

Research Team
 TABLE OF CONTENTS

Introduction

CIOs/CTOs

Executive Perspectives on Top Risks for 2019

Methodology

Executive Summary
M
Economic conditions in markets we currently serve may significantly restrict growth
opportunities for our organization
Overall Risk Concerns for 2019

Three-Year Comparison of Risks Our existing operations and legacy IT infrastructure may not be able to meet O
performance expectations related to quality, time to market, cost and innovation as well
as our competitors, especially new competitors that are “born digital” and with a low
Analysis Across Different cost base for their operations, or established competitors with superior operations
Sizes of Organizations

Inability to utilize data analytics and “big data” to achieve market intelligence and O
Analysis Across Executive
Positions Represented increase productivity and efficiency may significantly affect our management of core
operations and strategic plans

Industry Analysis
O
Ensuring privacy/identity management and information security/system
Analysis of Differences Between protection may require significant resources for us
Public and Non-Public Entities

Analysis of Differences Among S

Geographic Regions Our organization may not be sufficiently prepared to manage an unexpected crisis
significantly impacting our reputation

Analysis of Differences
Between Organizations With 4 5 6 7 8
and Without Rated Debt

Protiviti
Plans to Deploy Resources to Enhance
Risk Management Capabilities Legend

M Macroeconomic Risk Issue S Strategic Risk Issue O Operational Risk Issue 2019 2018 2017
A Call to Action:

57
Questions to Consider

Research Team
 TABLE OF CONTENTS

Introduction

Other C-Suite

Executive Perspectives on Top Risks for 2019

Methodology

Executive Summary Our existing operations and legacy IT infrastructure may not be able to meet O
performance expectations related to quality, time to market, cost and innovation as well
as our competitors, especially new competitors that are “born digital” and with a low
Overall Risk Concerns for 2019 cost base for their operations, or established competitors with superior operations

Three-Year Comparison of Risks S

Regulatory changes and scrutiny may heighten, noticeably affecting the manner in
which our products or services will be produced or delivered
Analysis Across Different
Sizes of Organizations

O
Analysis Across Executive Our organization may not be sufficiently prepared to manage cyber threats that
Positions Represented have the potential to significantly disrupt core operations and/or damage our brand

Industry Analysis
O
Our organization’s succession challenges and ability to attract and retain top talent
Analysis of Differences Between in a tightening talent market may limit our ability to achieve operational targets
Public and Non-Public Entities

Rapid speed of disruptive innovations enabled by new and emerging technologies S

Analysis of Differences Among
Geographic Regions and/or other market forces may outpace our organization’s ability to compete
and/or manage the risk appropriately, without making significant changes to our
business model
Analysis of Differences
Between Organizations With 4 5 6 7 8
and Without Rated Debt

Protiviti
Plans to Deploy Resources to Enhance
Risk Management Capabilities Legend

M Macroeconomic Risk Issue S Strategic Risk Issue O Operational Risk Issue 2019 2018 2017
A Call to Action:

58
Questions to Consider

Research Team
 TABLE OF CONTENTS

Introduction

Methodology

Executive Summary
Industry Analysis
Overall Risk Concerns for 2019

Respondents to our survey represent organizations in a number of industry groupings, as shown below:
Three-Year Comparison of Risks

Analysis Across Different

Sizes of Organizations
I NDU STRY N UM BER O F R ES P O N D EN TS

Analysis Across Executive Financial Services (FS) 230

Positions Represented
Consumer Products and Services (CPS) 185
Industry Analysis
Manufacturing and Distribution (MD) 129

Technology, Media and Telecommunications (TMT) 63

Analysis of Differences Between
Public and Non-Public Entities
Healthcare and Life Sciences (HLS) 93

Energy and Utilities (EU) 72

Analysis of Differences Among
Geographic Regions
Other industries (not separately reported) 53

Total Number of Respondents 825

Analysis of Differences
Between Organizations With
and Without Rated Debt We analyzed responses across the six industry of the magnitude and severity of risks across reaching or exceeding profitability (or funding)
groups to determine whether industries rank- the above industry grouping categories. Again, targets over the next 12 months, using a

Protiviti
Plans to Deploy Resources to Enhance order risks differently. Similar to our analysis the scores in the table below reflect responses 10-point scale where 1 = “Extremely Low” and
Risk Management Capabilities
of the full sample and across the different sizes to the question about their overall impression 10 = “Extensive.”
of organizations and types of respondents, we of the magnitude and severity of risks their
A Call to Action: analyzed responses about overall impressions organization will be facing with respect to

59
Questions to Consider

Research Team
 TABLE OF CONTENTS

Introduction

Executive Perspectives on Top Risks for 2019

Methodology

Executive Summary Overall, what is your impression of the magnitude and severity of risks your organization will be facing with
2019 2018 2017
respect to reaching or exceeding profitability (or funding) targets over the next 12 months?
Overall Risk Concerns for 2019
Financial Services (FS) 6.0 5.8 6.5

Three-Year Comparison of Risks Consumer Products and Services (CPS) 6.1 5.8 5.9

Manufacturing and Distribution (MD) 6.3 6.2 6.1

Analysis Across Different
Sizes of Organizations Technology, Media and Telecommunications (TMT) 6.2 6.5 6.5

Healthcare and Life Sciences (HLS) 6.7 6.2 6.2

Analysis Across Executive
Positions Represented Energy and Utilities (EU) 6.1 5.7 6.5

Industry Analysis
Respondents from every industry group, with areas include regulatory matters, disruptive weighing on energy prices create volatility and
the exception of the Technology, Media and technologies, ability to compete with more environmental issues add to the uncertainty
Analysis of Differences Between
Public and Non-Public Entities Telecommunications industry group, perceived nimble competitors, talent management, cyber in the Energy and Utilities industry group.
that the magnitude and severity of risks threats, sustaining customer loyalty and cultural The Healthcare and Life Sciences industry
affecting their organization are greater in issues. For example, take regulatory concerns. group reflects the highest overall concern
Analysis of Differences Among
Geographic Regions 2019 than in the prior year. This increase Healthcare reform and regulation of drug related to the magnitude and severity of risks
was felt most significantly by the Healthcare prices continue to be a significant political overall. Given technological advancements
Analysis of Differences
and Life Sciences, Consumer Products and issue affecting the Healthcare and Life that continue to occur at a rapid pace as
Between Organizations With Services, and Energy and Utilities industry Sciences industry group, particularly in the well as significant regulatory uncertainty,
and Without Rated Debt
groups. This is due to increased concerns United States. Tariffs and trade continue to this industry group continues to experience

Protiviti
in a variety of areas affecting different roil the Consumer Products and Services significant change relative to the other
Plans to Deploy Resources to Enhance industry groups in different ways. These industry group, while Middle East politics
Risk Management Capabilities industry groups.

A Call to Action:

60
Questions to Consider

Research Team
 TABLE OF CONTENTS

Introduction

Executive Perspectives on Top Risks for 2019

Methodology

Respondents in the Energy and Utilities

Executive Summary
industry group reflect the most volatility in
overall risk concerns across the three years.
To no one’s surprise, the dynamics in each industry group we examine
Overall Risk Concerns for 2019 After this industry group saw a significant are different. We see regulatory matters, the effects of disruptive
decrease in the overall risk environment from
Three-Year Comparison of Risks 2017 to 2018, the 2019 survey results reflect
technologies, the war for talent, the persistence of cyber threats, the
a significant increase in the level of overall criticality of preserving customer loyalty, and the all-too-important
risk concern. These changes may be a result
Analysis Across Different
Sizes of Organizations of the volatility of oil prices. Oil markets saw a
issue of organizational culture rear their respective heads in different
significant decrease in prices in late 2017 and ways, depending on the industry group.
Analysis Across Executive early 2018. In addition, there was a significant
Positions Represented drop in volatility for energy companies during — P at Scott, Executive Vice President, Global Industry Program, Protiviti
2018. However, in mid-to-late 2018 energy
Industry Analysis prices again started increasing along with
Middle East tensions resulting in an overall the Technology, Media and Telecommunications
increase in uncertainty and volatility. industry group, even though the industry’s top Significant Impact — Rating of 6.0
Analysis of Differences Between ●
or higher
Public and Non-Public Entities
The 2019 levels of overall risk concern are risks mostly increased.
mostly tracking in line with 2018 levels for Table 7 provides an overview of the significance ● Potential Impact — Rating of 4.5 — 5.99
Analysis of Differences Among the Financial Services and Manufacturing and and differences across industries in executive
Geographic Regions
Distribution industry groups. Surprisingly, we perspectives about each of the 30 risks rated Less Significant Impact — Rating of
observe a decrease in the overall impression of in this study (categorized as macroeconomic, ●
4.49 or lower
Analysis of Differences the magnitude and severity of risks affecting strategic and operational risk issues).
Between Organizations With
and Without Rated Debt

Protiviti
Plans to Deploy Resources to Enhance
Risk Management Capabilities

A Call to Action:

61
Questions to Consider

Research Team
 TABLE OF CONTENTS

Introduction

Industry

Executive Perspectives on Top Risks for 2019

TAB LE 7
Methodology

Executive Summary
M ACRO ECO NO M I C R I SK I SSU E S FS CPS MD TMT HLS EU

Overall Risk Concerns for 2019

Economic conditions in markets we currently serve may significantly restrict growth
● ● ● ● ● ●
opportunities for our organization
Three-Year Comparison of Risks
Evolving changes in global trade policies may limit our ability to operate effectively
● ● ● ● ● ●
and efficiently in international markets
Analysis Across Different
Sizes of Organizations Anticipated increases in labor costs may affect our opportunity to meet
● ● ● ● ● ●
profitability targets

Analysis Across Executive Unexpected change in the current interest rate environment may have a significant
Positions Represented ● ● ● ● ● ●
effect on the organization’s operations

Industry Analysis
Anticipated volatility in global financial markets and currency exchange rates may
● ● ● ● ● ●
create significantly challenging issues for our organization to address

Uncertainty surrounding the influence and continued tenure of key global leaders
Analysis of Differences Between
may impact national and international markets to the point of significantly limiting ● ● ● ● ● ●
Public and Non-Public Entities
our growth opportunities

Analysis of Differences Among

Our ability to access sufficient capital/liquidity may restrict growth opportunities for
● ● ● ● ● ●
Geographic Regions our organization

Demands made by activist investors and other key stakeholders may significantly
● ● ● ● ● ●
Analysis of Differences affect how we do business in the marketplace (new in 2019)
Between Organizations With
and Without Rated Debt Geopolitical shifts and instability in governmental regimes or expansion of
global terrorism may restrict the achievement of our global growth and ● ● ● ● ● ●

Protiviti
profitability objectives
Plans to Deploy Resources to Enhance
Risk Management Capabilities

A Call to Action:

62
Questions to Consider

Research Team
 TABLE OF CONTENTS

Introduction

Executive Perspectives on Top Risks for 2019

TAB LE 7 (CONTINU ED)
Methodology

Executive Summary
STR ATEG I C R I SK I SSU E S FS CPS MD TMT HLS EU

Overall Risk Concerns for 2019

Rapid speed of disruptive innovations enabled by new and emerging technologies
and/or other market forces may outpace our organization’s ability to compete
● ● ● ● ● ●
Three-Year Comparison of Risks and/or manage the risk appropriately, without making significant changes to our
business model

Analysis Across Different Regulatory changes and scrutiny may heighten, noticeably affecting the manner in
● ● ● ● ● ●
Sizes of Organizations which our products or services will be produced or delivered

Sustaining customer loyalty and retention may be increasingly difficult due

Analysis Across Executive to evolving customer preferences and/or demographic shifts in our existing ● ● ● ● ● ●
Positions Represented
customer base

Industry Analysis Ease of entrance of new competitors into the industry and marketplace or
other significant changes in the competitive environment (such as major market ● ● ● ● ● ●
concentrations due to M&A activity) may threaten our market share
Analysis of Differences Between
Public and Non-Public Entities Our organization may not be sufficiently prepared to manage an unexpected crisis
● ● ● ● ● ●
significantly impacting our reputation

Analysis of Differences Among Opportunities for organic growth through customer acquisition and/or enhancement
● ● ● ● ● ●
Geographic Regions may be significantly limited for our organization

Social media, mobile applications and other Internet-based applications may

Analysis of Differences significantly impact our brand, customer relationships, regulatory compliance ● ● ● ● ● ●
Between Organizations With processes and/or how we do business
and Without Rated Debt
Shifts in environmental, social and governance (ESG) preferences as well as

Protiviti
expectations of key stakeholders may be difficult for us to identify and address on ● ● ● ● ● ●
Plans to Deploy Resources to Enhance
Risk Management Capabilities
a timely basis

A Call to Action:

63
Questions to Consider

Research Team
 TABLE OF CONTENTS

Introduction

Executive Perspectives on Top Risks for 2019

TAB LE 7 (CONTINU ED)
Methodology

Executive Summary
S TR ATEG I C R I SK I SSU E S (CO NTI NU E D) FS CPS MD TMT HLS EU

Overall Risk Concerns for 2019

Growth through acquisitions, joint ventures and other partnership activities may be
● ● ● ● ● ●
difficult to identify and implement
Three-Year Comparison of Risks
Substitute products and services may arise that affect the viability of our current
● ● ● ● ● ●
business model and planned strategic initiatives
Analysis Across Different
Sizes of Organizations Performance vulnerabilities may trigger shareholder activism against our
● ● ● ● ● ●
organization that may significantly impact our organization’s strategic plan and vision
Analysis Across Executive
Positions Represented

Industry Analysis
O PE R ATI O NAL R I SK I SSU E S FS CPS MD TMT HLS EU

Analysis of Differences Between Our organization may not be sufficiently prepared to manage cyber threats that have
● ● ● ● ● ●
Public and Non-Public Entities the potential to significantly disrupt core operations and/or damage our brand

Our organization’s succession challenges and ability to attract and retain top talent in
● ● ● ● ● ●
Analysis of Differences Among a tightening talent market may limit our ability to achieve operational targets
Geographic Regions
Our existing operations and legacy IT infrastructure may not be able to meet
performance expectations related to quality, time to market, cost and innovation as
Analysis of Differences ● ● ● ● ● ●
well as our competitors, especially new competitors that are “born digital” and with a
Between Organizations With
and Without Rated Debt
low cost base for their operations, or established competitors with superior operations

Resistance to change may restrict our organization from making necessary

Protiviti
● ● ● ● ● ●
Plans to Deploy Resources to Enhance adjustments to the business model and core operations
Risk Management Capabilities

A Call to Action:

64
Questions to Consider

Research Team
 TABLE OF CONTENTS

Introduction

Executive Perspectives on Top Risks for 2019

TAB LE 7 (CONTINU ED)
Methodology

Executive Summary
OPE R ATI O NAL R I SK I SSU E S (CO NTI NU E D) FS CPS MD TMT HLS EU

Overall Risk Concerns for 2019

Ensuring privacy/identity management and information security/system protection
● ● ● ● ● ●
may require significant resources for us
Three-Year Comparison of Risks
Our organization’s culture may not sufficiently encourage the timely identification
and escalation of risk issues that have the potential to significantly affect our core ● ● ● ● ● ●
Analysis Across Different operations and achievement of strategic objectives
Sizes of Organizations
Inability to utilize data analytics and “big data” to achieve market intelligence and
increase productivity and efficiency may significantly affect our management of core ● ● ● ● ● ●
Analysis Across Executive
operations and strategic plans
Positions Represented

Uncertainty surrounding the viability of key suppliers, scarcity of supply, or stable supply
● ● ● ● ● ●
Industry Analysis prices may make it difficult to deliver our products or services at acceptable margins

Risks arising from our reliance on outsourcing and strategic sourcing arrangements,
Analysis of Differences Between IT vendor contracts, and other partnerships/joint ventures to achieve operational ● ● ● ● ● ●
Public and Non-Public Entities goals may prevent us from meeting organizational targets or impact our brand image

The cultural behaviors and personal interactions with others exhibited by the
Analysis of Differences Among organization’s management team and other key representatives — as manifested
Geographic Regions through day-to-day decision-making, attitudes and conduct — may not be aligned
● ● ● ● ● ●
with the long-term interests of shareholders, the board’s risk appetite, compliance
with laws and regulations, and/or the core values most accepted and rewarded by the
Analysis of Differences
marketplace (new in 2019)
Between Organizations With
and Without Rated Debt

Protiviti
Plans to Deploy Resources to Enhance
Risk Management Capabilities

A Call to Action:

65
Questions to Consider

Research Team
 TABLE OF CONTENTS

Introduction

Executive Perspectives on Top Risks for 2019

Methodology

Across the different industries, operational Examining macroeconomic risks more closely, The Healthcare and Life Sciences industry
Executive Summary
risks seem to be of greatest concern for 2019. two industry groups stand out: Manufacturing group has the highest level of risk concerns.
Out of the 10 operational risks included in and Distribution, and Energy and Utilities. Respondents in that industry group identified
Overall Risk Concerns for 2019 our survey, four of those risks were rated as The Manufacturing and Distribution industry 14 of the 30 risks as “Significant Impact” risks,
“Significant Impact” risks for at least five of group has three of the macroeconomic risks with all other risks rated in the middle category
Three-Year Comparison of Risks the six industry groups. In contrast, three rated as “Significant Impact” risks versus zero of “Potential Impact” risks. The Manufacturing
of the 11 strategic risks and only one of rated at that level in 2018. The Energy and and Distribution industry group has the largest
the nine macroeconomic risks were rated Utilities industry group went from having three increase in risk concerns. After rating zero risks
Analysis Across Different
Sizes of Organizations as “Significant Impact” risks by four of the macroeconomic risks rated as “Less Significant as “Significant Impact” in 2018, the number
six industries. Impact” in 2018 to none rated that low in 2019. of “Significant Impact” risks increased to 10
Analysis Across Executive For 2019, operational risks related to concerns Overall, four of the six industry groups now risks in 2019. The Financial Services industry
Positions Represented
about succession challenges and the ability to rate the macroeconomic risk that economic group also saw a notable increase in the overall
attract and retain talent and concerns about conditions in markets we currently serve may concern about the magnitude and severity of
Industry Analysis significantly restrict growth opportunities as risks, with respondents in that industry group
existing infrastructure and legacy IT systems
made the top five list of risks for each of the “Significant Impact.” rating 10 of the 30 risks as “Significant Impact”
Analysis of Differences Between industry groups examined, except for Energy At the strategic risk level, we see more risks for 2019 versus only four in 2018. The
Public and Non-Public Entities
and Utilities. Concerns about the ability to consistency among the industry groups. only industry group that rated fewer risks
manage cyber threats was rated as a top five However, one change clearly stands out for as “Significant Impact” in 2019 versus 2018
Analysis of Differences Among risk issue for four of the six industry groups — 2019 — the risk that sustaining customer was Energy and Utilities; however, in 2018 it
Geographic Regions
the exceptions are Financial Services and loyalty and retention may be difficult due to rated three risks as “Less Significant Impact,”
Technology, Media and Telecommunications. evolving customer preferences. In 2018, only whereas zero were given that rating in 2019.
Analysis of Differences Concerns about the inability to utilize the Healthcare and Life Sciences industry The bar charts on the following pages report
Between Organizations With
and Without Rated Debt analytics and “big data” increased for every group listed this as a “Significant Impact” risk, the top five risk exposures in rank order for
industry group and is seen as a “Significant whereas in 2019 it is joined by the Financial each of the six industry groups. The 2019

Protiviti
Plans to Deploy Resources to Enhance
Impact” risk for the Financial Services and Services, Consumer Products and Services, and results are presented in light blue.
Risk Management Capabilities Healthcare and Life Sciences industry groups. Technology, Media and Telecommunications
industry groups.
A Call to Action:

66
Questions to Consider

Research Team
 TABLE OF CONTENTS

Introduction

Executive Perspectives on Top Risks for 2019

Methodology

Recall that a risk with an average score of 6.0 higher in 2019 relative to 2017, as reflected their top five risk concerns. The Consumer
Executive Summary
or higher is considered a “Significant Impact” by the bar graphs on the pages that follow. Products and Services and the Healthcare
risk, while risks with average scores between In 2019, no industry group has a risk with and Life Sciences industry groups are
Overall Risk Concerns for 2019 4.5 and 5.99 are “Potential Impact” risks and an average score that exceeds 7.0 on our mostly concerned about operational risks,
risks with average scores below 4.5 are “Less 10-point scale. This is in contrast to 2017, given four of their top five risk concerns
Three-Year Comparison of Risks Significant Impact” risks. In addition, the bar when a number of industry groups had risks are in that category. In contrast, only the
charts provide the risk rating for the previous ranked above 7.0. However, the increases Financial Services and Technology, Media and
two years with 2018 in red and 2017 in green. in almost every risk from 2018 to 2019 Telecommunications industry groups ranked
Analysis Across Different
Sizes of Organizations
One noticeable observation from these charts are concerning, with four industry groups more than one strategic risk among their top
is that every industry group rated all of their (Financial Services, Consumer Products and five risk concerns.
Analysis Across Executive top five risks as "Significant Impact" risks Services, Manufacturing and Distribution, and These noted differences in risk issues across
Positions Represented
for 2019, whereas only the Technology, Technology, Media and Telecommunications) the different industry groups highlight
Media and Telecommunications, Healthcare all seeing a significant increase in the number of the importance of understanding industry
Industry Analysis
and Life Sciences, and Energy and Utilities “Significant Impact” risks in their top five. drivers and emerging developments to
industry groups did so in 2018. In addition, There are also differences in categories for effectively identify the most significant
Analysis of Differences Between while respondents in almost every industry the top five risks across the six industry enterprise risks and emerging risk concerns.
Public and Non-Public Entities
group have the overall impression that the groups examined. The Financial Services, Following each bar chart by industry, we
magnitude and severity of risks is higher in Manufacturing and Distribution, and Energy provide additional commentary about
Analysis of Differences Among 2019 relative to 2018, respondents also and Utilities industry groups are the only industry-specific risk drivers.
Geographic Regions
generally rate their top five risk concerns as ones to include a macroeconomic risk in

Analysis of Differences
Between Organizations With
and Without Rated Debt

Protiviti
Plans to Deploy Resources to Enhance
Risk Management Capabilities

A Call to Action:

67
Questions to Consider

Research Team
 TABLE OF CONTENTS

Introduction

Financial Services

Executive Perspectives on Top Risks for 2019

Methodology

Executive Summary
S
Regulatory changes and scrutiny may heighten, noticeably affecting the manner in which
our products or services will be produced or delivered
Overall Risk Concerns for 2019

Three-Year Comparison of Risks Our existing operations and legacy IT infrastructure may not be able to meet O
performance expectations related to quality, time to market, cost and innovation as well
as our competitors, especially new competitors that are “born digital” and with a low
Analysis Across Different cost base for their operations, or established competitors with superior operations
Sizes of Organizations

Rapid speed of disruptive innovations enabled by new and emerging technologies S

Analysis Across Executive and/or other market forces may outpace our organization’s ability to compete
Positions Represented and/or manage the risk appropriately, without making significant changes to our
business model
Industry Analysis
O
Our organization’s succession challenges and ability to attract and retain top talent
Analysis of Differences Between in a tightening talent market may limit our ability to achieve operational targets
Public and Non-Public Entities

Analysis of Differences Among M

Geographic Regions Unexpected change in the current interest rate environment may have a significant
effect on the organization’s operations

Analysis of Differences
Between Organizations With 4 5 6 7 8
and Without Rated Debt

Protiviti
Plans to Deploy Resources to Enhance
Risk Management Capabilities Legend

M Macroeconomic Risk Issue S Strategic Risk Issue O Operational Risk Issue 2019 2018 2017
A Call to Action:

68
Questions to Consider

Research Team
 TABLE OF CONTENTS

Introduction

Executive Perspectives on Top Risks for 2019

Methodology

Commentary — Financial Services

Executive Summary
Industry Group
For Financial Services globally, our top risks surveys conducted for
For financial services organizations globally,
Overall Risk Concerns for 2019
the years since the global financial crisis that 2018 and 2019 marked a shift away from an intensive and, for many
Three-Year Comparison of Risks
began in 2008 were marked by an unusually firms, almost exclusive focus on risk management and regulatory
intensive and, for many firms, almost exclusive
focus on risk management and regulatory
compliance matters that transpired since the global financial crisis.
Analysis Across Different
Sizes of Organizations
compliance matters. Last year, the results While regulatory compliance matters remain a significant source of
of our survey marked an initial shift away
from those trends, in that while regulatory
risk, digital disruption and other threats to business competitiveness
Analysis Across Executive
Positions Represented
compliance matters remained a significant are being viewed with increasing concern. The results for 2019 show
source of risk, digital disruption and other
threats to business competitiveness began to
this shift not only is continuing but is, in many areas, accelerating.
Industry Analysis
be viewed as increasing sources of concern. — M ichael Brauneis, Managing Director, Americas Financial Services Industry Leader, Protiviti
Our 2019 results show this shift is continuing
Analysis of Differences Between and, in many areas, accelerating.
Public and Non-Public Entities
4 percent year over year. Moreover, perceptions Congress, as well as what has generally been
Regulatory compliance concerns remain
of regulatory risk diverged significantly by perceived to be a more balanced, growth-
Analysis of Differences Among elevated but stable
Geographic Regions geography in this year’s survey. Concern friendly supervisory environment promoted by
Although regulatory change and regulatory for this risk issue actually decreased in North the new leaders of the major federal regulatory
scrutiny remained the highest scoring risk issue America, reflecting the deregulatory agenda of agencies within the United States.
Analysis of Differences
Between Organizations With this year, scores for this attribute increased only the Trump administration and Republican-held
and Without Rated Debt

Protiviti
Plans to Deploy Resources to Enhance
Risk Management Capabilities

A Call to Action:

69
Questions to Consider

Research Team
 TABLE OF CONTENTS

Introduction

Executive Perspectives on Top Risks for 2019

Methodology

Conversely, the perception of regulatory and Paris, and obtain the necessary licenses institutions’ attention toward business
Executive Summary
risk increased significantly among financial to reflect their new footprints. In the meantime, growth and innovation objectives. Notably, the
institutions in the European Union, as well they also are attempting to develop contingency attribute that saw the largest year-over-year
Overall Risk Concerns for 2019 as those in Asia-Pacific and Australia/New plans in the event that a failure in negotiations increase in the current survey was:
Zealand. European institutions face ongoing leads to a “no deal” or “hard Brexit” scenario by Our existing operations and legacy IT
Three-Year Comparison of Risks efforts to fully implement and optimize March 2019. infrastructure may not be able to meet
controls related to the General Data The Asia-Pacific region continues to experience performance expectations related to quality,
Protection Regulation (GDPR) that became increasing regulatory scrutiny in areas in which time to market, cost and innovation as well as
Analysis Across Different
Sizes of Organizations initially effective in May 2018.6 Additionally, U.S. and European financial institutions have our competitors, especially new competitors
significant concerns and uncertainty exist spent the past decade in remediation activities, that are “born digital” and with a low-cost
Analysis Across Executive regarding the ultimate outcome and impact notably financial crimes misconduct and base for their operations, or established
Positions Represented of the United Kingdom’s looming exit from overall strengthening of the risk and competitors with superior operations.
the European Union in light of London’s compliance management framework.
Industry Analysis This risk issue also increased in significance
historical prominence as a financial services
from 2017 to 2018; however, the rate of
hub.7 Financial institutions might face Concerns about keeping pace with
increase from 2018 to 2019 was nearly three
Analysis of Differences Between
myriad change-management tasks should technological change increase
times that of last year, indicating a strong and
Public and Non-Public Entities they need to relocate people and operations
Although regulatory compliance matters accelerating degree of concern about the
out of the United Kingdom and into financial
remain important, as described above, we ability of financial institutions to keep pace
Analysis of Differences Among services centers that will remain in the
continue to see an accelerating shift in financial with disruptive technology change.
Geographic Regions European Union, such as Dublin, Frankfurt

Analysis of Differences
Between Organizations With
and Without Rated Debt

Protiviti
Plans to Deploy Resources to Enhance
Risk Management Capabilities

6
For more information, read Understanding the General Data Protection Regulation: Frequently Asked Questions, available at www.protiviti.com/gdpr.
A Call to Action: 7
www.bankingsupervision.europa.eu/press/publications/newsletter/2018/html/ssm.nl180815_3.en.html.

70
Questions to Consider

Research Team
 TABLE OF CONTENTS

Introduction

Executive Perspectives on Top Risks for 2019

Methodology

Going into 2018, for example, 82 percent of In practice, we have observed several specific past year, global money center banks such
Executive Summary
U.S. commercial banks surveyed expected to areas of investment, including: as HSBC (piloting its “Pepper” robot in
increase FinTech investments over the next ■■ Use of technologies such as robotics and branches10) and Bank of America (with
Overall Risk Concerns for 2019 three years, and 86 percent of those expected other workflow automation tools, natural its “Erica” digital assistant11) have made
to begin investing immediately.8 These expec- language processing, and artificial intel- headlines for their innovations in these
Three-Year Comparison of Risks tations were strongly borne out in practice. ligence/machine learning to dramatically areas. In 2019, we expect to see these
According to FinTech Global, total financial increase the efficiency of and reduce costs trends continue and increasingly trickle
technology venture investments in the first half associated with operational, risk manage- down to smaller organizations, as well.
Analysis Across Different
Sizes of Organizations of 2018 alone ($41.7B) exceeded those made ment and compliance activities. In particu- ■■ Consolidating platforms and providing
throughout all of 2017 ($39.4B).9 Additionally, lar, we are seeing that anti-financial crime a more efficient and user-friendly
Analysis Across Executive 2018 continued to see the total number of and fraud risk management functions are customer-facing digital experience across
Positions Represented investments shrink, while average investment at the center of significant innovation and internet and mobile platforms as well as
size increased significantly and investments cost reduction efforts. in physical locations.
Industry Analysis continued to shift more to late stage startups.
■■ Modernizing legacy technology platforms ■■ Evaluating the feasibility of and beginning
All of these data points indicate a maturing and
and data storage infrastructure to reduce to launch initial use cases for distributed
Analysis of Differences Between
consolidating market for FinTech capabilities as
the competitive advantage that “born ledger technology, particularly in areas
Public and Non-Public Entities traditional financial institutions increase invest-
digital” competitors have in these areas, such as global payments, trade clearing,
ments designed to ward off competition from
and enable greater use of big data-driven and custody operations.
Analysis of Differences Among non-traditional startups.
Geographic Regions solutions such as AI-supported digital
customer service assistants. Over the

Analysis of Differences
Between Organizations With
and Without Rated Debt

Protiviti
Plans to Deploy Resources to Enhance 8
www.americanbanker.com/news/bank-fintech-investment-will-focus-on-blockchain-and-ai.
Risk Management Capabilities
9
http://fintech.global/2018-is-already-a-record-year-for-global-fintech-investment/.
10
www.cnbc.com/2018/06/26/this-bank-is-staffing-branches-with-humanoid-robots-that-dance-take-s.html.
A Call to Action: 11
https://promo.bankofamerica.com/erica/.

71
Questions to Consider

Research Team
 TABLE OF CONTENTS

Introduction

Executive Perspectives on Top Risks for 2019

Methodology

Concerns about talent on the rise 2018, unemployment for the “financial Beyond the demand within CIO and chief data
Executive Summary
activities” sector was less than half that rate, officer-type functions for specialized talent, we
In addition to attention shifting to the risk
at 2 percent.12 also are seeing concerns on this front across
of technology-driven disruption discussed
Overall Risk Concerns for 2019
In addition to a broad-based war for talent, the second and third lines of defense. For
above, the other risk issue that saw the most
this risk issue is strongly coupled with example, as financial institutions increasingly
significant increase between the 2018 and
Three-Year Comparison of Risks concerns about technological disruption as use more complex AI/ML-driven models in
2019 surveys was:
described above. Financial institutions of all place of traditional rules-based programs in
Our organization’s succession challenges and
types and sizes are struggling to meet the areas such as credit underwriting and fraud
Analysis Across Different
ability to attract and retain top talent in a
Sizes of Organizations
vastly increased need for data scientists, risk management, chief audit executives
tightening talent market may limit our ability
quantitative resources, information security worry about how they will be able to find and
to achieve operational targets
Analysis Across Executive professionals and other technical specialists. retain the audit talent with the right technical
Positions Represented We believe heightened focus on this risk skills to evaluate these models. In addition,
Unlike other positions for which financial
stems from multiple factors. First, at this we have had multiple conversations with
services firms must recruit, in these areas
Industry Analysis point in the economic cycle, markets such as regulatory agency leadership who share
they must compete not only with one another,
the United States have essentially reached these concerns with respect to their own
but also with "FAANG"-type tech companies
full employment and costs to attract and supervisory teams. Given all of the above,
Analysis of Differences Between (Facebook, Amazon, Apple, Netflix and Google)
Public and Non-Public Entities retain specialized talent have increased. For we expect these risks to continue to remain
that often are viewed as the premier employers
example, while the overall U.S. unemployment elevated in the years ahead.
in these fields.
Analysis of Differences Among rate stood at 4.4 percent as of October
Geographic Regions

Analysis of Differences
Between Organizations With
and Without Rated Debt

Protiviti
Plans to Deploy Resources to Enhance
Risk Management Capabilities

A Call to Action: 12
www.statista.com/statistics/217787/unemployment-rate-in-the-united-states-by-industry-and-class-of-worker/.

72
Questions to Consider

Research Team
 TABLE OF CONTENTS

Introduction

Consumer Products and Services

Executive Perspectives on Top Risks for 2019

Methodology

Executive Summary
O
Our organization’s succession challenges and ability to attract and retain top talent
in a tightening talent market may limit our ability to achieve operational targets
Overall Risk Concerns for 2019

Three-Year Comparison of Risks Our existing operations and legacy IT infrastructure may not be able to meet O
performance expectations related to quality, time to market, cost and innovation as well
as our competitors, especially new competitors that are “born digital” and with a low
Analysis Across Different cost base for their operations, or established competitors with superior operations
Sizes of Organizations

O
Analysis Across Executive Resistance to change may restrict our organization from making necessary
Positions Represented adjustments to the business model and core operations

Industry Analysis
O
Our organization may not be sufficiently prepared to manage cyber threats that
Analysis of Differences Between have the potential to significantly disrupt core operations and/or damage our brand
Public and Non-Public Entities

Analysis of Differences Among S

Geographic Regions Sustaining customer loyalty and retention may be increasingly difficult due to evolving
customer preferences and/or demographic shifts in our existing customer base

Analysis of Differences
Between Organizations With 4 5 6 7 8
and Without Rated Debt

Protiviti
Plans to Deploy Resources to Enhance
Risk Management Capabilities Legend

M Macroeconomic Risk Issue S Strategic Risk Issue O Operational Risk Issue 2019 2018 2017
A Call to Action:

73
Questions to Consider

Research Team
 TABLE OF CONTENTS

Introduction

Executive Perspectives on Top Risks for 2019

Methodology

Commentary — Consumer Products Consumers have increasingly high expectations and driving revenue and sales. Here again, the
Executive Summary
and Services Industry Group for superior customer experience, from near right leadership and new ways of thinking are
real-time delivery of products ordered online of paramount importance, requiring strong
With many baby boomers retiring in the
Overall Risk Concerns for 2019 to offering beneficial on-site expertise in succession planning as well as recruiting and
foreseeable future and ongoing industry
retail stores. fostering the talent needed to move the
disruption, Consumer Products and Services
Three-Year Comparison of Risks Sustaining customer loyalty and retention organization forward rather than resist
organizations are clearly concerned about
also ranks as a top five risk for the industry changes to dated strategies and practices.
the competition for talent and succession
Analysis Across Different planning. Increasing in significance notably group, as retailers, in particular, explore new This landscape is also reflected in our top five
Sizes of Organizations
from the prior year, succession challenges and innovative ways to keep their customers list of risk issues, all of which are considered
and the ability to attract and retain top talent engaged and loyal. Bottom line, the status quo “Significant Impact” risks by industry board
Analysis Across Executive is at the top of risk issues on the minds of is no longer sufficient. members and executives, and all of which have
Positions Represented
Consumer Products and Services industry In light of this, succession challenges, and increased year-over-year in significance.
leaders for 2019. This continues a trend especially the ability to attract and retain top Competing against “born digital” companies,
Industry Analysis
revealed last year, which also showed a talent, is a key issue as Consumer Products and the second-highest rank risk issue for 2019,
significant jump for this risk issue. In fact, Services organizations seek to put in place the has been a simmering challenge for several
Analysis of Differences Between while it was a "Potential Impact" risk issue in right leadership and talent to bring in innovative years, but has now become a critical matter
Public and Non-Public Entities
2017, it has been a “Significant Impact” risk ways of thinking to cultivate and manage their for leadership in the Consumer Products
issue the past two years. organizations in this new landscape. and Services industry group to address.
Analysis of Differences Among
Geographic Regions This issue relates closely to an ongoing interest This risk issue and resistance to change (another With numerous factors at play, “born digital”
among these organizations to enhance top five risk for this industry group) reflect what companies have an obvious big advantage
corporate culture and focus on building and is being called the ongoing “retail apocalypse.” when it comes to competing for market share.
Analysis of Differences
Between Organizations With enhancing customer experience. It has been Some retailers are thriving in this dynamic For instance, the cost of upgrading or replacing
and Without Rated Debt aging legacy systems is considerable, as is
well-documented that consumer products environment, delivering high levels of service
organizations, and retailers in particular, must offering customers a seamless omnichannel

Protiviti
and capabilities — both online and in their
Plans to Deploy Resources to Enhance think and operate differently to be successful in physical stores. Others are struggling and have experience to keep them coming back for more
Risk Management Capabilities
an ever-changing digital business environment. yet to figure out the right formula for innovation and excited about the brand.

A Call to Action:

74
Questions to Consider

Research Team
 TABLE OF CONTENTS

Introduction

Executive Perspectives on Top Risks for 2019

Methodology
Consumer Products and Services companies are undergoing a sea change made possible with disruptive
Executive Summary digital technologies. But at the root of this change is the old adage updated to today’s optics – customers are,
and always will be, kings and queens! They want it all and industry players who are determined to survive and
Overall Risk Concerns for 2019
thrive in this brave new world must adapt to shifting customer preferences, wherever they lead.
Three-Year Comparison of Risks — R ichard Childs, Managing Director, Consumer Products and Services Industry Leader, Protiviti

Analysis Across Different

Sizes of Organizations
It doesn’t help matters that more Consumer is not a “no win” proposition. There are long- 500 million customer records containing highly
Products and Services organizations are established companies that are ramping up their personal information were breached.
Analysis Across Executive becoming wary of making seemingly open- technology infrastructure and online services,
Positions Represented Consumer products and retail companies
ended investments that may not achieve the as well as acquiring digital assets to compete in cannot thrive without customer loyalty
desired results. They believe that at some point the digital world. There is a strategy for success, and retention. This strategic risk issue is at
Industry Analysis
there will be an economic slowdown, possibly but it needs to be planned and executed well. the core of why the other top five risks —
limiting their ability to move quickly to make With regard to cyber threats, the only surprise all operational — are top of mind for these
Analysis of Differences Between necessary infrastructure improvements. They in this finding is that this risk issue has not been companies. The potential cost of reputational
Public and Non-Public Entities
also are concerned that they may not be able ranked higher in prior years. Looking at the damage due to a cyber attack is a more critical
to make these investments fast enough to history of cyber attacks, consumer products issue than ever before — far more than, for
Analysis of Differences Among compete with born-digital organizations that
Geographic Regions and retail organizations were among the first example, actual dollar losses, or costs for credit
already operate in digital and innovative ways entities to be considered primary targets. monitoring services for customers affected by
on a daily basis. These organizations do not Whereas today organizations in virtually any a data breach. A data breach can permanently
Analysis of Differences
Between Organizations With
need to transform — they already are digital. industry should consider themselves targets and irreparably damage the customer’s trust
and Without Rated Debt It’s very possible that as this dynamic continues for hackers, early on it was retailers that and brand loyalty the organization worked so
to unfold, so-called legacy organizations were attacked on a regular basis. And for the hard to build. Board members and executives

Protiviti
Plans to Deploy Resources to Enhance that continue to fall behind in market share, foreseeable future, consumer products and throughout the industry recognize that cyber
Risk Management Capabilities technology and innovations will become retail organizations remain a top, if not the risk can cripple their organizations and scare
acquisition targets. top, target for cyber attacks. As evidence of away their customers.
A Call to Action: Yet for these legacy, or traditional, organiza- this, look no further than the recent breach

75
Questions to Consider
tions, competing against born-digital players announced by a major hotel chain, in which

Research Team
 TABLE OF CONTENTS

Introduction

Manufacturing and Distribution

Executive Perspectives on Top Risks for 2019

Methodology

Executive Summary
O
Our organization’s succession challenges and ability to attract and retain top talent
in a tightening talent market may limit our ability to achieve operational targets
Overall Risk Concerns for 2019

Three-Year Comparison of Risks Our existing operations and legacy IT infrastructure may not be able to meet O
performance expectations related to quality, time to market, cost and innovation as well
as our competitors, especially new competitors that are “born digital” and with a low
Analysis Across Different cost base for their operations, or established competitors with superior operations
Sizes of Organizations

M
Analysis Across Executive Evolving changes in global trade policies may limit our ability to operate effectively
Positions Represented and efficiently in international markets

Industry Analysis
O
Our organization may not be sufficiently prepared to manage cyber threats that
Analysis of Differences Between have the potential to significantly disrupt core operations and/or damage our brand
Public and Non-Public Entities

Analysis of Differences Among M

Geographic Regions Anticipated increases in labor costs may affect our opportunity to meet
profitability targets

Analysis of Differences
Between Organizations With 4 5 6 7 8
and Without Rated Debt

Protiviti
Plans to Deploy Resources to Enhance
Risk Management Capabilities Legend

M Macroeconomic Risk Issue S Strategic Risk Issue O Operational Risk Issue 2019 2018 2017
A Call to Action:

76
Questions to Consider

Research Team
 TABLE OF CONTENTS

Introduction

Executive Perspectives on Top Risks for 2019

Methodology

Commentary — Manufacturing and years ago. It is no wonder that this risk is current state: Outdated legacy systems and/
Executive Summary
Distribution Industry Group top-of-mind for board members and executive or disconnected/decentralized systems may
management in this industry group. In fact, put manufacturing companies behind their
Boards and executive management in
Overall Risk Concerns for 2019 the unemployment rate is even lower (an peers, considering the pace of IT change and
manufacturing and distribution organizations
estimated 3.2 percent) in the manufacturing competitor migrations to next-generation
view a substantially different risk landscape
Three-Year Comparison of Risks sector, making it tougher to find skilled systems to better support the business.
in 2019 versus the prior year, with four of
workers, especially for today’s automated Organizations recognize the significant
the five top risk issues changing year over
and technologically advanced processes. efforts (and costs) to update and upgrade.
Analysis Across Different year. However, our results indicate that last
Sizes of Organizations In certain geographies, manufacturing So the question is not if, but when, to make
year’s top risk issues for the industry group
industry retirements are exacerbating these improvements to keep pace with
did not drop in significance — in fact, the risk
Analysis Across Executive the challenge, causing companies to look the competition and, in particular, born-
ratings for each of them actually rose. What
Positions Represented closely into incentives that may draw more digital companies that think and operate
we do find is that the scores for the 2019
candidates. And closely related to these innovatively at their core.
top risks increased substantially, suggesting
Industry Analysis challenges, another top five risk issue for
manufacturing and distribution organizations Not surprisingly, changes in global trade
the Manufacturing and Distribution industry policies potentially limiting the ability
are focusing on more tactical operational
group involves anticipated increases in labor to operate effectively and efficiently in
Analysis of Differences Between areas to ensure they can prosper over the
Public and Non-Public Entities costs — potentially affecting the ability to international markets remains a top five
long term.
meet profitability targets. risk issue. The severity of this risk’s rating,
Succession challenges and the ability to attract
Analysis of Differences Among With regard to addressing existing operations once again at the “Significant Impact”
Geographic Regions and retain top talent has been a consistent
and legacy IT infrastructure, this risk issue level, is consistent with two years ago,
top five risk issue for manufacturing and
has steadily crept up over the past two when manufacturing organizations were
distribution organizations for the past several
Analysis of Differences years, finally landing in the top five for 2019. apprehensive about which direction a new
Between Organizations With years. However, its risk score and ranking as
and Without Rated Debt While last year’s top five risk regarding the U.S. administration might take with economic
a “Significant Impact” risk issue indicate it is
rapid speed of disruptive innovations and policy and global trade relationships. Early
being viewed with more urgency for 2019.

Protiviti
Plans to Deploy Resources to Enhance
new technologies is not ranked as high this on, the Trump administration was more
Risk Management Capabilities
The U.S. unemployment rate was 3.7 percent year, the broader issues of business and focused on healthcare, a new tax code and
for October 2018 (a 49-year low), versus digital transformation and innovation still border protection rather than trade, likely
4.1 percent a year ago and 4.9 percent two reflects the impact of that reality on the driving down the anticipated significance
A Call to Action:

77
Questions to Consider

Research Team
 TABLE OF CONTENTS

Introduction

Executive Perspectives on Top Risks for 2019

Methodology

Executive Summary

People, trade, cyber and efficiency issues are top-of-mind for Manufacturing and Distribution organizations, but
Overall Risk Concerns for 2019
digital innovation opportunities are, as well. Deploying digital capabilities to transform customer fulfillment,
Three-Year Comparison of Risks
quality management, decision-making velocity, cybersecurity, asset management, predictive maintenance,
energy usage optimization and resource conservation can improve the business model, sustain competitive
Analysis Across Different
Sizes of Organizations advantage and reduce risks.
— S haron Lindstrom, Managing Director, Manufacturing and Distribution Industry Leader, Protiviti
Analysis Across Executive
Positions Represented

Industry Analysis
of this risk issue last year. But throughout Board members and executive management in IT infrastructure possibly not meeting
2018, near weekly headlines about new the Manufacturing and Distribution industry performance expectations leaves them more
Analysis of Differences Between trade agreements, tariffs and trade wars group also see cyber threats as a “Significant vulnerable to cyber attacks.
Public and Non-Public Entities
has brought this risk back to the forefront. Impact” risk issue. Although historically Overall, board members and executive
This makes sense, given that certain sectors, considered a lower-priority target industry for management in the industry believe the
Analysis of Differences Among including those reliant on aluminum and cyber attackers, manufacturing organizations
Geographic Regions magnitude and severity of risks their
steel, are experiencing the impact of the increasingly present a broader risk to cyber organizations will face in 2019, with respect
tariffs on their operations. Given the current threats due to Industry 4.0 and the Industrial to reaching or exceeding profitability or
Analysis of Differences
Between Organizations With
uncertainty of how the trade wars will play Internet of Things. In addition, the higher risk funding targets, are slightly higher than 2018.
and Without Rated Debt out, we expect this risk to remain high heading rating this year likely reflects the fact that many Since three of the top five risk issues are
into 2019. But longer term, this risk is likely manufacturers fall short in their cybersecurity operational in nature, with potential direct

Protiviti
Plans to Deploy Resources to Enhance to moderate as nations reach agreements on planning. Furthermore, the above-mentioned impact to the bottom line, these results
Risk Management Capabilities trade policies and practices. risk regarding existing operations and legacy explain why these risks are growing concerns.

A Call to Action:

78
Questions to Consider

Research Team
 TABLE OF CONTENTS

Introduction

Technology, Media and Telecommunications

Executive Perspectives on Top Risks for 2019

Methodology

Executive Summary Rapid speed of disruptive innovations enabled by new and emerging technologies S
and/or other market forces may outpace our organization’s ability to compete
and/or manage the risk appropriately, without making significant changes to our
Overall Risk Concerns for 2019 business model

Three-Year Comparison of Risks Ease of entrance of new competitors into the industry and marketplace or S
other significant changes in the competitive environment (such as major market
concentrations due to M&A activity) may threaten our market share
Analysis Across Different
Sizes of Organizations

O
Analysis Across Executive Ensuring privacy/identity management and information security/system protection
Positions Represented may require significant resources for us

Industry Analysis
Our existing operations and legacy IT infrastructure may not be able to meet O
performance expectations related to quality, time to market, cost and innovation as well
Analysis of Differences Between as our competitors, especially new competitors that are “born digital” and with a low
Public and Non-Public Entities cost base for their operations, or established competitors with superior operations

Analysis of Differences Among O

Geographic Regions Our organization’s succession challenges and ability to attract and retain top talent in
a tightening talent market may limit our ability to achieve operational targets

Analysis of Differences
Between Organizations With 4 5 6 7 8
and Without Rated Debt

Protiviti
Plans to Deploy Resources to Enhance
Risk Management Capabilities Legend

M Macroeconomic Risk Issue S Strategic Risk Issue O Operational Risk Issue 2019 2018 2017
A Call to Action:

79
Questions to Consider

Research Team
 TABLE OF CONTENTS

Introduction

Executive Perspectives on Top Risks for 2019

Methodology

Commentary — Technology, Media and changing business models and adjusting long- market share for themselves. Organizations —
Executive Summary
Telecommunications Industry Group term strategies to avoid being disrupted. That large and small — face potential threats
said, we continue to see emerging markets from new entrants in the market that can be
The rapid speed of disruptive innovations
Overall Risk Concerns for 2019 and technologies come into play — another acquired by competitors and leveraged to
remains the top risk for the Technology,
reason why this remains the top risk issue for grab market share from them.
Media and Telecommunications (TMT)
Three-Year Comparison of Risks the industry. Ensuring privacy and identity management
industry group for the third consecutive
year. This is understandable given the With regard to the ease of entrance of new and information security/system protection
Analysis Across Different rapid pace of change and innovation in the competitors into the industry (a new top remains a critical risk issue for the industry.
Sizes of Organizations
industry and the significantly reduced half- five risk for the industry group in 2019), this Threats continue to grow from multiple bad
life for dated, legacy business models that can has always been a relatively significant actors, including rogue individual hackers
Analysis Across Executive be disrupted and become obsolete quickly. risk to TMT organizations. Historically, and global hacking groups as well as nation
Positions Represented
the barriers to entry in the industry have states. Technology organizations continue
If anything, it is a bit surprising to find the
been low, with few regulatory hurdles. to maintain a vast amount of personal data of
Industry Analysis significance of this risk issue to be moderating,
The industry embodies the example of users and customers. Considering how the
particularly compared to two years ago.
startup companies — with potentially brands and reputations of several well-known
It is possible that while the rapid speed of
Analysis of Differences Between disruptive business models — launching companies in the industry group continue to
Public and Non-Public Entities
disruptive innovations remains a critically
their business from a garage or apartment. be affected by data breaches — and with no end
important area for board members and
However, it is noteworthy to see the rapid in sight — it is evident why reputational risk is a
executive management in the industry to
Analysis of Differences Among increase in significance for this risk issue top concern.
Geographic Regions address and manage, there is a higher level
over the past three years. This also may be Succession challenges and the ability to
of awareness about it than ever before, and
perceived as a more pressing risk issue attract and retain talent goes hand-in-hand
organizations arguably have become more
Analysis of Differences today because, more than ever before, new
Between Organizations With knowledgeable of strategies to address it with broader corporate culture issues
and Without Rated Debt companies, rather than seeking to obtain that remain key areas of focus for TMT
effectively. We see many organizations in
and then maintain a relatively small slice organizations. Building a healthy company
the industry focusing intently on research,

Protiviti
of the market, are intentionally becoming culture and becoming a responsible firm that
Plans to Deploy Resources to Enhance development and ongoing innovation. Most
Risk Management Capabilities acquisition targets for larger companies that demonstrates strong corporate governance,
have been facing the risk of disruptive
subsequently strategize to gain a greater social responsibility and ethical business
innovations for years and are proactively
A Call to Action:

80
Questions to Consider

Research Team
 TABLE OF CONTENTS

Introduction

Executive Perspectives on Top Risks for 2019

Methodology

practices deliver far-reaching benefits that

Executive Summary
promote attracting and retaining top talent.
In today’s highly competitive landscape for
Technology, Media and Telecommunications companies have long
Overall Risk Concerns for 2019 talent in many different functional areas, focused on creating enterprise value; however, the changing risk
having a strong culture can be the difference
Three-Year Comparison of Risks between keeping and losing your best people.
landscape is altering conversations in C-suites and boardrooms across
As part of this concern, more organizations the industry, necessitating a more balanced focus on governance and
Analysis Across Different
Sizes of Organizations
in the industry group are also assessing their regulatory concerns, a more risk-informed corporate culture, a stronger
diversity and inclusion practices, which will help
them address long-term succession and talent commitment to social responsibility — including gender diversity —
Analysis Across Executive
Positions Represented
retention challenges. As discussed in Protiviti’s and other matters germane to preserving enterprise value.
Responsible Technology Firm of the Future white
paper series, gender imbalance in the science, — G ordon Tucker, Managing Director, Technology, Media and Telecommunications Industry Leader, Protiviti
Industry Analysis
technology, engineering and mathematics
(STEM) fields will have technology companies
Analysis of Differences Between struggling to fill millions of these jobs that will be entry-level STEM jobs, there are staggering those who believe that the issue can only
Public and Non-Public Entities
created over the next decade. The implication imbalances at the executive level. The be resolved by starting at the top of the
for technology organizations is there may not be fraction of startups owned by women and company. To make matters worse, attrition
Analysis of Differences Among enough qualified employees to drive innovation. the percentage of women holding executive is more than twice as high for women as it is
Geographic Regions
By extension, these organizations will be positions at technology companies are for men.14 These figures suggest that a sea
hampered significantly in their leadership abysmally low. The number of women change is needed before gender disparity in
Analysis of Differences succession planning.13
Between Organizations With
occupying board seats also requires STEM fields is no longer a glaring issue.
and Without Rated Debt Addressing these challenges will not be easy. attention. This is important in solving the
In addition to a marked gender disparity in entry-level challenge because there are

Protiviti
Plans to Deploy Resources to Enhance
Risk Management Capabilities

13
The Responsible Technology Firm of the Future: Corporate Social Responsibility, Protiviti: www.protiviti.com/US-en/insights/responsible-tech-series-part-4.
A Call to Action: 14
Ibid.

81
Questions to Consider

Research Team
 TABLE OF CONTENTS

Introduction

Healthcare and Life Sciences

Executive Perspectives on Top Risks for 2019

Methodology

Executive Summary
S
Regulatory changes and scrutiny may heighten, noticeably affecting the manner in
which our products or services will be produced or delivered
Overall Risk Concerns for 2019

Three-Year Comparison of Risks O

Ensuring privacy/identity management and information security/system protection
may require significant resources for us
Analysis Across Different
Sizes of Organizations

Our existing operations and legacy IT infrastructure may not be able to meet O
Analysis Across Executive performance expectations related to quality, time to market, cost and innovation as well
Positions Represented as our competitors, especially new competitors that are “born digital” and with a low
cost base for their operations, or established competitors with superior operations
Industry Analysis
O
Our organization’s succession challenges and ability to attract and retain top talent
Analysis of Differences Between in a tightening talent market may limit our ability to achieve operational targets
Public and Non-Public Entities

Analysis of Differences Among O

Geographic Regions Our organization may not be sufficiently prepared to manage cyber threats that
have the potential to significantly disrupt core operations and/or damage our brand

Analysis of Differences
Between Organizations With 4 5 6 7 8
and Without Rated Debt

Protiviti
Plans to Deploy Resources to Enhance
Risk Management Capabilities Legend

M Macroeconomic Risk Issue S Strategic Risk Issue O Operational Risk Issue 2019 2018 2017
A Call to Action:

82
Questions to Consider

Research Team
 TABLE OF CONTENTS

Introduction

Executive Perspectives on Top Risks for 2019

Methodology

Commentary — Healthcare and Life fewer Americans with health insurance, and focusing on appropriate and compliant
Executive Summary
Sciences Industry Group likely fewer doctor visits and hospital stays. coding and billing practices in the post-acute
Additionally, this will result in a decrease in care environment. Additionally, billing and
Overall Risk Concerns for 2019 Regulatory changes and regulatory scrutiny the amount of drugs and medical devices sold. collection policies remain under scrutiny to
The healthcare landscape continues to evolve, Constraints to access to healthcare will be ensure providers adhere to 501(r) requirements
Three-Year Comparison of Risks with regulatory changes and scrutiny on the eased with the growth of telemedicine. The for fair collection protocols, as well as timely
rise. This trend continues due to pressure to opioid crisis will continue to take center identification, quantification and refunding of
reduce regulations, control regulatory costs, stage, resulting in an increase in mental government overpayments. Also, 2019 will be
Analysis Across Different
Sizes of Organizations and increase public engagement for more health and treatment facilities. Additionally, the first year that home health organizations
transparency, public notice and due process enforcement agencies will increase focus will be subjected to potential civil monetary
Analysis Across Executive in rulemaking. The cost of staying on top of on physician prescribing patterns in the penalties for not adhering to new CMS
Positions Represented
regulatory changes has increased, in part, coming year, as elevated scrutiny of the regulations surrounding documentation of the
by imposing significant fines and take-backs 340B Drug Pricing Program is already being patient’s care plan and utilizing data to ensure
Industry Analysis felt across the industry. Specific examples continuous improvement of patient care and
for fraud, waste and abuse violations. The
collaboration between various government include increased Human Resources and patient outcomes.
Analysis of Differences Between agencies (e.g., Office of Inspector General Services Administration (HRSA) audits and
Public and Non-Public Entities the need for annual independent audits of Privacy/identity management and
(OIG), Centers for Medicare and Medicaid
contract pharmacy arrangements. Ultimately, information security
Services (CMS), Office of Civil Rights (OCR),
Analysis of Differences Among and Department of Justice (DOJ)) has implementing robust and effective compliance A major theme in 2019 will continue to be
Geographic Regions
exposed the largest healthcare fraud takedown programs will be key to understanding and data privacy and security. The European
in history — sending a strong message that fraud mitigating risk and managing the complex Union has led the charge with the General
Analysis of Differences and abuse will not be tolerated.15 regulatory landscape. Data Protection Regulation (GDPR),
Between Organizations With
Key compliance areas of focus manifest which is intended to protect the privacy of
and Without Rated Debt The Affordable Care Act remains on uncertain
themselves in the provider revenue cycle individuals within the European Union and
ground as tax reform promises to end

Protiviti
terrain, as well. For example, the OIG is the European Economic Area. For healthcare
Plans to Deploy Resources to Enhance the individual mandate, which will mean
Risk Management Capabilities organizations in the United States, the GDPR

15
“National Health Care Fraud Takedown Results in Charges Against 601 Individuals Responsible for Over $2 Billion in Fraud Losses,” U.S. Department of Justice press release, June 28, 2018, www.justice.gov/
A Call to Action: opa/pr/national-health-care-fraud-takedown-results-charges-against-601-individuals-responsible-over.

83
Questions to Consider

Research Team
 TABLE OF CONTENTS

Introduction

Executive Perspectives on Top Risks for 2019

Methodology

carries implications that have yet to be truly (many of whom are not employees, have non- ■■ Enabling additional authentication
Executive Summary
understood and enforced. The California standard roles, etc.) would place a strain on functionality for local workstation
Consumer Privacy Act is a new state law even the most established and formalized user access; and
Overall Risk Concerns for 2019 that imposes GDPR-like privacy protections. access management teams. Many healthcare ■■ Securing vendor access.
It is set to affect the privacy landscape in organizations are moving to role-based access,
Three-Year Comparison of Risks the next few years as it gives consumers assigning business owners to monitor non- As healthcare continues to become more
unprecedented control over their personal employees, and implementing requirements digital and with more third-party vendors
data. Other states are following suit with for more frequent (e.g., quarterly) review playing a part in the patient/consumer service
Analysis Across Different
Sizes of Organizations their own legislative initiatives. The Health of assigned access rights by supervisors or arena, the need for defined processes with
Insurance Portability and Accountability Act business owners. However, even with those appropriate user access technologies will only
Analysis Across Executive (HIPAA) continues to be a major headache controls, effectively managing access continues grow in importance.
Positions Represented for healthcare-covered entities, with to be of concern.
penalties for HIPAA violations that have Existing operations meeting performance
Healthcare organizations leading in this space
Industry Analysis surpassed the $100 million mark. Clearly, expectations, competing against “born
are focusing on: digital” firms
the data privacy movement is in full force
■■ Understanding all areas in which users In 2017, the Health Care Industry Cybersecu-
Analysis of Differences Between
and organizations will need to increase their
could be introduced to the environment; rity Task Force, established by Congress, issued
Public and Non-Public Entities resources to meet the demand of complying
with regulations and also to prevent penalties ■■ Assigning business ownership for its Report on Improving Cybersecurity in the Health
Analysis of Differences Among as well as reputational damage, as privacy user access; Care Industry, which represented an analysis
Geographic Regions compliance has become required table stakes ■■ Utilizing role-based access with specific of the state of healthcare cybersecurity in the
in the industry. approval requirements for any standard increasingly interconnected world of today.16
Analysis of Differences access deviations; What was perhaps most troublesome about
Identity management continues to be a
Between Organizations With the findings outlined in this report were the
and Without Rated Debt source of struggle for the healthcare industry. ■■ Moving away from the use of “set up user
38 references to patient safety compared to
Managing hundreds or even thousands of A like user B”;

Protiviti
19 references to patient privacy. It is clear that
Plans to Deploy Resources to Enhance
users that have been introduced into the
■■ Rolling out multi-factor authentication change is needed as the industry continues to
Risk Management Capabilities environment through numerous means
for remote access and cloud applications; rely more heavily on technology.

A Call to Action: 16
Report on Improving Cybersecurity in the Health Care Industry, Health Care Industry Cybersecurity Task Force, June 2017, www.phe.gov/Preparedness/planning/CyberTF/Documents/report2017.pdf.

84
Questions to Consider

Research Team
 TABLE OF CONTENTS

Introduction

Executive Perspectives on Top Risks for 2019

Methodology

One theme identified in the report is that

Executive Summary
legacy devices are a significant problem
in the healthcare industry. The Task Force
A look at the top healthcare industry risks for 2019 presents a sobering
Overall Risk Concerns for 2019 recommended that the industry take picture, as each risk represents a significant issue for any player in
action to “phase out legacy and insecure
Three-Year Comparison of Risks health care technologies.”17 In today’s digital
the industry group. Each organization's strategy, business and risk
world, existing operations and legacy IT management plans must take these risks into consideration. For
infrastructure are a common source of pain
Analysis Across Different
Sizes of Organizations and frustration as organizations try to keep
example, regulatory changes and scrutiny are on the rise and well
up with the competition. Many strategies to up at the top of the list. The cost of staying on top of and responding
further embrace digital transformation die in
Analysis Across Executive
Positions Represented their infancy because legacy operations and
to regulatory developments continues to increase. Proactive and
infrastructure are incapable of supporting effective risk management across the identified top risks will be key to
Industry Analysis those initiatives. In resource-constrained
maintaining or enhancing enterprise value.
organizations, the need to advance and
Analysis of Differences Between
evolve is, all too often, overruled by the — R ichard Williams, Managing Director, Healthcare Industry Leader, Protiviti
Public and Non-Public Entities desire to cut costs and limit spend.
Recent years have also seen an increase
Analysis of Differences Among in the opening of virtual care centers. We’ve and Google see healthcare as an industry ripe increasing their appetite for risk. The need to
Geographic Regions
seen growth in the use of telehealth, resulting for disruption. These firms are aggressively replace legacy operations and IT infrastructure
in a consumer-friendly level of convenience seeking opportunities to upend healthcare with may soon be a harsh reality that comes along
Analysis of Differences that patients are seeking. Furthermore, a radical new approaches. Keeping up with these with that cultural shift.
Between Organizations With
and Without Rated Debt truly new business threat is emerging as “born competitors is a reality that will force many
digital” companies such as Amazon, Apple healthcare organizations to take a hard look at

Protiviti
Plans to Deploy Resources to Enhance
Risk Management Capabilities

A Call to Action: 17
Ibid.

85
Questions to Consider

Research Team
 TABLE OF CONTENTS

Introduction

Executive Perspectives on Top Risks for 2019

Methodology

Succession challenges and ability to to determine employees’ top priorities, but of these may be the only technology on the
Executive Summary
attract and retain top talent also fully engage them in the processes that market to meet specific healthcare delivery
Attracting and retaining top talent remains influence the trajectory of their careers. needs for certain care specialties or may have
Overall Risk Concerns for 2019
a key concern for organizations seeking to Effective strategies aid in reducing potential required large capital outlays. They also may
appropriately plan succession and configure attrition and can also serve as an effective involve vendors that have failed to provide and
Three-Year Comparison of Risks future operational targets. This is particularly tool in recruiting top-tier talent. allow for ongoing security updates (as is the
true in the healthcare provider space, with case with many medical devices).
Cyber threats
Analysis Across Different expected nursing and physician shortages Those healthcare organizations that are more
Sizes of Organizations
in the coming years caused primarily by an The healthcare industry continues to undergo mature in addressing cyber threats have
aging population on the demand side and significant change due to the frequency and had success in addressing the technology
Analysis Across Executive an anticipated reduction of interest in the variety of new technologies being utilized expansion, with formal governance and
Positions Represented across the care continuum, including devices,
medical profession due to increased regulatory assessment processes for new technologies
scrutiny on the supply side. An aging workforce, applications (on-premises and in the cloud), to include connectivity, control and security
Industry Analysis
especially at top executive levels, and difficulty interfaces, etc. As a result, cyber threats aspects. Additionally, these organizations
for non-profit systems to offer competitive are continuously evolving. But when this are performing ongoing risk analyses,
Analysis of Differences Between compensation for specialized talent in areas technology explosion is coupled with the including regular vulnerability scanning and
Public and Non-Public Entities need for seemingly instant access to sensitive
such as cybersecurity also add to the complexity multifaceted penetration testing efforts
of this issue. information to provide care and the push to identify new areas of vulnerability
Analysis of Differences Among for interoperability among many healthcare to be addressed, and have implemented
Geographic Regions
With an increasingly diverse workforce and
organizations, the resulting potential exposure processes and controls to allow for proper
tightening talent market, understanding what
expands at a rate with which even the most incident response and contingency planning
driving factors directly attribute to employee
Analysis of Differences mature organizations struggle to keep pace. should key incidents occur. Healthcare
Between Organizations With attrition should be top priority. One of the
and Without Rated Debt
Healthcare organizations are also hindered organizations must continue to address the
first steps in understanding these factors is
in dealing with applications and devices that threat landscape presented by the influx of
the development and deployment of a holistic

Protiviti
may have known security flaws that cannot technology from today and tomorrow in order
Plans to Deploy Resources to Enhance employee retention strategy and program.
Risk Management Capabilities be patched, updated or fully retired. Many to properly care for patients.
In tandem, these items not only should seek

A Call to Action:

86
Questions to Consider

Research Team
 TABLE OF CONTENTS

Introduction

Energy and Utilities

Executive Perspectives on Top Risks for 2019

Methodology

Executive Summary
S
Regulatory changes and scrutiny may heighten, noticeably affecting the manner in
which our products or services will be produced or delivered
Overall Risk Concerns for 2019

Three-Year Comparison of Risks O

Resistance to change may restrict our organization from making necessary
adjustments to the business model and core operations
Analysis Across Different
Sizes of Organizations

O
Analysis Across Executive Our organization may not be sufficiently prepared to manage cyber threats that
Positions Represented have the potential to significantly disrupt core operations and/or damage our brand

Industry Analysis

Our organization’s culture may not sufficiently encourage the timely identification O
and escalation of risk issues that have the potential to significantly affect our core
Analysis of Differences Between operations and achievement of strategic objectives
Public and Non-Public Entities

Analysis of Differences Among M

Geographic Regions Economic conditions in markets we currently serve may significantly restrict growth
opportunities for our organization

Analysis of Differences
Between Organizations With 4 5 6 7 8
and Without Rated Debt

Protiviti
Plans to Deploy Resources to Enhance
Risk Management Capabilities Legend

M Macroeconomic Risk Issue S Strategic Risk Issue O Operational Risk Issue 2019 2018 2017
A Call to Action:

87
Questions to Consider

Research Team
 TABLE OF CONTENTS

Introduction

Executive Perspectives on Top Risks for 2019

Methodology

Commentary — Energy and Utilities In comparing to last year’s results, there are a Supplanting these two risk issues for 2019
Executive Summary
Industry Group couple of risks that fell just outside of the top are two risks that historically have been in
five this year: succession and talent recruiting the top five for the industry group and are
Despite an annual risk outlook that has
Overall Risk Concerns for 2019 and retention challenges, and the risks around closely tied to the ever-changing geopolitical
been volatile over the past three years, the
disruptive technologies. Succession and environment: cybersecurity and the risks
overall view for the Energy and Utilities
Three-Year Comparison of Risks talent acquisition/retention challenges in around economic conditions in various
industry group in 2019 appears to be more
the industry are still a priority, but we have markets. As operations become more “digital,”
optimistic than in the recent past, buoyed
seen an increased focus in energy and utility the cybersecurity threat will continue to
Analysis Across Different by stability in commodity prices, efficiencies
Sizes of Organizations organizations on leadership development be an evolving risk for which the industry
realized in operations, and a renewed sense
programs and human capital management needs to stay vigilant. When viewed across the
that potentially disruptive forces (geopolitical
Analysis Across Executive initiatives to ensure there are replacements current geopolitical landscape, organizations
or technological) have not had sustained
Positions Represented for the aging workforce. The disruptive have an elevated awareness for “bad actors”
momentum. Nevertheless, as outlooks from
technology topic is still an interesting trend looking to cause harm, such as hacktivists
prior years of our study have shown, there
Industry Analysis that executives need to monitor, but their targeting systems and data or, worse yet,
remains an awareness that organizations
concerns appear to be easing a bit, as many adversaries that seek to obtain access to
in the industry group are often blindsided,
believe the necessary advancements in industrial control systems and create a
Analysis of Differences Between and board members and C-level executives
Public and Non-Public Entities various technologies that could disrupt the disruptive event. There is also a realization
must continue to be prepared to shift with
industry are still several years away from that, with regard to cybersecurity, there is
market trends. As Energy and Utilities industry
Analysis of Differences Among becoming a broader risk issue. Therefore, only so much the organization can control,
executives look to formulate their strategies
Geographic Regions the risk remains an important issue but is as the enemy is constantly learning new
going forward, there are some interesting
an emerging one to be monitored over time ways to exploit vulnerabilities — particularly
observations of the risks that lie ahead.
Analysis of Differences rather than an immediate concern. the people perimeter. But it is good to see
Between Organizations With
and Without Rated Debt

Protiviti
Plans to Deploy Resources to Enhance
Risk Management Capabilities

A Call to Action:

88
Questions to Consider

Research Team
 TABLE OF CONTENTS

Introduction

Executive Perspectives on Top Risks for 2019

Methodology

Executive Summary

Stability in commodity prices, efficiencies realized in operations, and a perception that disruptive geopolitical
Overall Risk Concerns for 2019
or technological forces have not had sustained momentum have improved the overall 2019 outlook for the
Three-Year Comparison of Risks
Energy and Utilities industry group. With this more optimistic view (as compared to the recent past), there
remains an awareness that the uncertainty of emerging risks and significant disruptive change lies ahead
Analysis Across Different
Sizes of Organizations beyond 2019.
— Tyler Chase, Managing Director, Energy and Utilities Industry Leader, Protiviti
Analysis Across Executive
Positions Represented

Industry Analysis
that this risk issue has been elevated and East. These geopolitical events often “come Closely tied is the risk that the organization’s
should continue to garner the attention and out of the blue” and result in emergency culture may not encourage the timely
Analysis of Differences Between investment necessary to be mitigated. board-level discussions to quickly evaluate identification and escalation of emerging
Public and Non-Public Entities the organizational impact and strategize on enterprise risks. With the evolving geopolitics
Organizations are also increasingly reactive
to global political decisions that create steps that should be taken to mitigate any and increased regulations and reporting
Analysis of Differences Among
widespread impacts to markets across the enterprise and operational risks in the various requirements, organizations within the
Geographic Regions
industry. Just a few examples in 2018 that affected markets. While the U.S. government industry group are being forced to review
forced energy and utility organizations to be continues to be viewed as favorable for the their risk environment from a broader
Analysis of Differences industry, the macroeconomic and geopolitical perspective and ensure that mechanisms are
Between Organizations With nimble are decisions regarding Iran crude oil,
and Without Rated Debt the trade war between the United States and environment appears to be volatile enough to in place to identify and evaluate emerging
China, and continued tensions in the Middle warrant the increased level for this risk. risks. Additionally, as seen in the top five

Protiviti
Plans to Deploy Resources to Enhance
Risk Management Capabilities

A Call to Action:

89
Questions to Consider

Research Team
 TABLE OF CONTENTS

Introduction

Executive Perspectives on Top Risks for 2019

Methodology

risk issues and discussed below, energy and pressure from environmental, social and Tying this all together is the view that energy
Executive Summary
utility organizations historically have focused governance (ESG) activists on operational and utility organizations tend to operate on
on proven business models and are slower areas such as hydraulic fracturing, emissions “tried and true” strategies and thus have been
Overall Risk Concerns for 2019 to adopt changes. When considering this and reducing carbon footprints remain a slower than other industries to adopt changes.
historical reality, anything that may bring consistent challenge for the industry group. We have seen a shift in recent years as these
Three-Year Comparison of Risks about a need to rethink the business model Other concerns include increased tariffs on organizations desire to be more efficient in
due to a newly identified risk issue may receive many products, such as steel, and resulting their operations and back office, yet there
initial pushback within the organization and trade wars that may impact the geopolitical is still a sentiment that the industry group
Analysis Across Different
Sizes of Organizations not receive the attention it warrants. arena for the industry group around the is based on an infrastructure of mechanical
The two top risk issues for 2019 have been world. Additionally, many leaders in the plants and equipment that have a history of
Analysis Across Executive mainstays in the Energy and Utilities industry industry group are focusing on appeasing their predictable performance and is expensive to
Positions Represented
group for many years of our study, which is stakeholders as investor momentum shifts change. While this might be true today, with a
not surprising given the evolving regulatory toward social responsibility and emission/ focus from the public on social responsibility
Industry Analysis carbon reduction actions, both of which and increased demands to be operationally
environment and an industry that values
traditional operational practices and thus is have broad impacts to the organization’s efficient, energy and utility companies need to
Analysis of Differences Between reluctant to change. operations and internal processes as they continue to step outside of their comfort zone
Public and Non-Public Entities look to comply and report. Case in point: The and look for ways to decrease costs and adopt
Regulatory scrutiny and the overall regulatory
recent announcement that Royal Dutch Shell emerging technologies.
environment remain a high-risk area for the
Analysis of Differences Among is setting carbon emission targets and linking
industry group, particularly considering the
Geographic Regions them to long-term executive compensation
recent midterm elections in the United States,
illustrates the dynamic environment that
as varying restrictions on drilling were on the
Analysis of Differences players in oil and gas face.
Between Organizations With ballot in many states. Additionally, continued
and Without Rated Debt

Protiviti
Plans to Deploy Resources to Enhance
Risk Management Capabilities

A Call to Action:

90
Questions to Consider

Research Team
 TABLE OF CONTENTS

Introduction

Methodology

Executive Summary
Analysis of Differences Between Public
Overall Risk Concerns for 2019
and Non-Public Entities
Three-Year Comparison of Risks

Participants in the survey represent three whether organizational types rank-order impression of the magnitude and severity of
Analysis Across Different
Sizes of Organizations
types of organizations: publicly traded risks differently. Similar to our analysis risks their organization will be facing with
companies (401 respondents), privately held summarized earlier in this report, we respect to reaching or exceeding profitability
for-profit entities (270 respondents), and not- analyzed responses about overall impressions (or funding) targets over the next 12 months,
Analysis Across Executive
Positions Represented for-profit and governmental organizations of the magnitude and severity of risks across using a 10-point scale where 1 = “Extremely
(154 respondents). the three organizational type categories. Low” and 10 = “Extensive.”
We analyzed responses across these Again, the scores in the table below reflect
Industry Analysis
three types of entities to determine responses to the question about their overall

Analysis of Differences Between

Public and Non-Public Entities

Overall, what is your impression of the magnitude and severity of risks your organization will be facing with
2019 2018 2017
Analysis of Differences Among respect to reaching or exceeding profitability (or funding) targets over the next 12 months?
Geographic Regions
Public Companies 6.2 6.1 6.6
Analysis of Differences
Privately Held For-Profit Companies 6.3 6.0 6.1
Between Organizations With
and Without Rated Debt
Not-for-Profit and Governmental Organizations 5.9 5.5 5.8

Protiviti
Plans to Deploy Resources to Enhance
Risk Management Capabilities

A Call to Action:

91
Questions to Consider

Research Team
 TABLE OF CONTENTS

Introduction

Executive Perspectives on Top Risks for 2019

Methodology

Overall, the magnitude and severity of risks 2018 they rated none of their top five risks as with that risk in the top five risks for each
Executive Summary
for all three organization types increased from “Significant Impact” risks. Public companies and of the organization types. Public companies
2018 and are generally consistent with the not-for-profit and governmental organizations and privately held for-profit organizations
Overall Risk Concerns for 2019 2017 results (although public companies remain also rated all five of their top risks as having a shared four of their top five risks: existing
a little less concerned than in 2017). Not-for- “Significant Impact.” operations and legacy IT may not be able to
Three-Year Comparison of Risks profit and governmental organizations saw the Privately held for-profit companies meet performance challenges, succession
largest increase in overall risk levels for 2019, were the only organizations to identify a and talent challenges, regulatory changes
although they still view 2019 overall as slightly macroeconomic risk (economic conditions and scrutiny may heighten, and rapid speed
Analysis Across Different
Sizes of Organizations below the “Significant Impact” (above 6.0) level. in markets we currently serve may restrict of disruptive innovations. Public companies
However, looking at the responses in total, we growth opportunities) as one of the top five also included concerns about cyber risks in
Analysis Across Executive see a slight pickup in overall risk concerns for risks; in addition, privately held companies their top five risks, while private for-profit
Positions Represented the full sample in 2019. had two operational risks and two strategic companies ranked concerns about economic
Surprisingly, even though overall impressions risks in the top five. All five of the top risks conditions as part of the top five. Not-for-
Industry Analysis of the magnitude and severity of risks identified by not-for-profit and governmental profit and governmental organizations rated
increased from 2018, each of the three types organizations are operational risks. Public two risks related to culture in their top five
Analysis of Differences Between of organizations rated all their top five risks companies recognized three operational risks list of risks: concerns about resistance to
Public and Non-Public Entities
for 2019 at the “Significant Impact” level. Most and two strategic risks. change and concerns regarding the timely
importantly, privately held for-profit companies escalation of risk issues.
All of the organizations are concerned
Analysis of Differences Among rated all the top five at that level, whereas in about succession and talent challenges,
Geographic Regions

Analysis of Differences
Between Organizations With
and Without Rated Debt

Protiviti
Plans to Deploy Resources to Enhance
Risk Management Capabilities

A Call to Action:

92
Questions to Consider

Research Team
 TABLE OF CONTENTS

Introduction

Public Companies

Executive Perspectives on Top Risks for 2019

Methodology

Executive Summary Our existing operations and legacy IT infrastructure may not be able to meet O
performance expectations related to quality, time to market, cost and innovation as well
as our competitors, especially new competitors that are “born digital” and with a low
Overall Risk Concerns for 2019 cost base for their operations, or established competitors with superior operations

Three-Year Comparison of Risks O

Our organization’s succession challenges and ability to attract and retain top talent
in a tightening talent market may limit our ability to achieve operational targets
Analysis Across Different
Sizes of Organizations

S
Analysis Across Executive Regulatory changes and scrutiny may heighten, noticeably affecting the manner
Positions Represented in which our products or services will be produced or delivered

Industry Analysis
O
Our organization may not be sufficiently prepared to manage cyber threats that
Analysis of Differences Between have the potential to significantly disrupt core operations and/or damage our brand
Public and Non-Public Entities

Rapid speed of disruptive innovations enabled by new and emerging technologies S

Analysis of Differences Among
Geographic Regions and/or other market forces may outpace our organization’s ability to compete
and/or manage the risk appropriately, without making significant changes to our
business model
Analysis of Differences
Between Organizations With 4 5 6 7 8
and Without Rated Debt

Protiviti
Plans to Deploy Resources to Enhance
Risk Management Capabilities Legend

M Macroeconomic Risk Issue S Strategic Risk Issue O Operational Risk Issue 2019 2018 2017
A Call to Action:

93
Questions to Consider

Research Team
 TABLE OF CONTENTS

Introduction

Privately Held For-Profit Companies

Executive Perspectives on Top Risks for 2019

Methodology

Executive Summary
O
Our organization’s succession challenges and ability to attract and retain top talent
in a tightening talent market may limit our ability to achieve operational targets
Overall Risk Concerns for 2019

Three-Year Comparison of Risks Our existing operations and legacy IT infrastructure may not be able to meet O
performance expectations related to quality, time to market, cost and innovation as well
as our competitors, especially new competitors that are “born digital” and with a low
Analysis Across Different cost base for their operations, or established competitors with superior operations
Sizes of Organizations

S
Analysis Across Executive Regulatory changes and scrutiny may heighten, noticeably affecting the manner in
Positions Represented which our products or services will be produced or delivered

Industry Analysis
Rapid speed of disruptive innovations enabled by new and emerging technologies S
and/or other market forces may outpace our organization’s ability to compete
Analysis of Differences Between and/or manage the risk appropriately, without making significant changes to our
Public and Non-Public Entities business model

Analysis of Differences Among M

Geographic Regions Economic conditions in markets we currently serve may significantly restrict growth
opportunities for our organization

Analysis of Differences
Between Organizations With 4 5 6 7 8
and Without Rated Debt

Protiviti
Plans to Deploy Resources to Enhance
Risk Management Capabilities Legend

M Macroeconomic Risk Issue S Strategic Risk Issue O Operational Risk Issue 2019 2018 2017
A Call to Action:

94
Questions to Consider

Research Team
 TABLE OF CONTENTS

Introduction

Not-For-Profit and Governmental Organizations

Executive Perspectives on Top Risks for 2019

Methodology

Executive Summary
O
Resistance to change may restrict our organization from making necessary
adjustments to the business model and core operations
Overall Risk Concerns for 2019

Three-Year Comparison of Risks O

Ensuring privacy/identity management and information security/system protection
may require significant resources for us
Analysis Across Different
Sizes of Organizations

O
Analysis Across Executive Our organization’s succession challenges and ability to attract and retain top talent
Positions Represented in a tightening talent market may limit our ability to achieve operational targets

Industry Analysis
O
Our organization may not be sufficiently prepared to manage cyber threats that
Analysis of Differences Between have the potential to significantly disrupt core operations and/or damage our brand
Public and Non-Public Entities

Analysis of Differences Among Our organization’s culture may not sufficiently encourage the timely identification O
Geographic Regions and escalation of risk issues that have the potential to significantly affect our core
operations and achievement of strategic objectives
Analysis of Differences
Between Organizations With 4 5 6 7 8
and Without Rated Debt

Protiviti
Plans to Deploy Resources to Enhance
Risk Management Capabilities Legend

M Macroeconomic Risk Issue S Strategic Risk Issue O Operational Risk Issue 2019 2018 2017
A Call to Action:

95
Questions to Consider

Research Team
 TABLE OF CONTENTS

Introduction

Methodology

Executive Summary
Analysis of Differences Among Geographic Regions
Overall Risk Concerns for 2019

For this year’s report, we obtained a sufficient (LASA), 40 organizations from the Middle magnitude and severity of risks across the
Three-Year Comparison of Risks
number of non-U.S.-based organizations to East (ME), 33 organizations from India (IND), three categories. Again, the scores in the table
split the sample into eight distinct groups: and 21 organizations based in Africa (AFR). below reflect responses to the question about
Analysis Across Different 371 North America-based organizations their overall impression of the magnitude and
Sizes of Organizations We analyzed responses across the eight
(NA), 120 organizations based in Europe or groups to determine whether respondents severity of risks their organization will be
the United Kingdom (EUR), 86 organizations across different geographic locations rank- facing with respect to reaching or exceeding
Analysis Across Executive
Positions Represented
from Australia/New Zealand (ANZ), 82 order risks differently. Similar to our analysis profitability (or funding) targets over the
organizations from Asia (A), 72 organizations summarized earlier in this report, we analyzed next 12 months, using a 10-point scale where
based in Latin America/South America responses about overall impressions of the 1 = “Extremely Low” and 10 = “Extensive.”
Industry Analysis

Analysis of Differences Between

Public and Non-Public Entities

Analysis of Differences Among

Geographic Regions
We’re excited about the global participation in this year’s top risks survey and the interesting results across
different regions. There are some similarities but also a number of distinctive differences. This year’s survey
Analysis of Differences
Between Organizations With
and Without Rated Debt
offers a baseline for comparison in the years to come.
— A ndrew Clinton, Executive Vice President, International Operations, Protiviti

Protiviti
Plans to Deploy Resources to Enhance
Risk Management Capabilities

A Call to Action:

96
Questions to Consider

Research Team
 TABLE OF CONTENTS

Introduction

Executive Perspectives on Top Risks for 2019

Methodology

Executive Summary Overall, what is your impression of the magnitude and severity of risks your organization will be facing with
2019 2018 2017
respect to reaching or exceeding profitability (or funding) targets over the next 12 months?
Overall Risk Concerns for 2019
North America-based Organizations 5.6 5.7 6.0

Three-Year Comparison of Risks Europe-based Organizations 6.4 6.4 6.7

Australia/New Zealand-based Organizations 6.7 N/A N/A

Analysis Across Different
Sizes of Organizations Asia-based Organizations 6.6 N/A N/A

Latin America/South America-based Organizations 7.1 N/A N/A

Analysis Across Executive
Positions Represented Middle East-based Organizations 6.8 N/A N/A

India-based Organizations 7.0 N/A N/A

Industry Analysis
Africa-based Organizations 5.6 5.3 N/A

Analysis of Differences Between

Public and Non-Public Entities
Globally, organizations from six of the eight “Significant Impact” level; in contrast, North whereas three regions are most focused
Analysis of Differences Among geographic regions agree that the overall America only rates two of its top five risks at on macroeconomic risks. Organizations
Geographic Regions magnitude and severity of risks are of a that level. based in North America, Europe, Australia/
“Significant Impact” level in 2019. Except Across the eight regions, the similarities and New Zealand, Asia and Latin America/South
Analysis of Differences
for North America-based organizations, all differences are interesting. Five regions America all have at least three operational
Between Organizations With regions rate all of their top five risks at the are most focused on operational risks, risks in their top five risks. The threat that
and Without Rated Debt

Protiviti
Plans to Deploy Resources to Enhance
Risk Management Capabilities

A Call to Action:

97
Questions to Consider

Research Team
 TABLE OF CONTENTS

Introduction

Executive Perspectives on Top Risks for 2019

Methodology

existing operations and legacy IT systems may macroeconomic risks in their top five risks. the top five risks of organizations based in
Executive Summary
not be able to meet performance expectations The Middle East region rated concern North America and Europe; perhaps that is
appears in each of those five regions’ top five about geopolitical shifts and instability in because both regions have strong disclosure
Overall Risk Concerns for 2019 lists. In addition, threats related to succession government regimes as its number one risk, requirements and include many high-profile
challenges and the ability to attract and retain while organizations in India rated this third. cyber targets. Respondents from the Asia-
Three-Year Comparison of Risks talent and the threat that regulatory changes Organizations in both the Middle East and Pacific region were the only group to identify
may heighten appear in four of the five Africa were significantly concerned with the risk of uncertainty surrounding key
geographic regions. Only organizations from the macroeconomic risks that economic suppliers as a top five risk, likely because
Analysis Across Different
Sizes of Organizations Europe and Latin America/South America rate conditions in markets that they currently supply chains in many Asian companies are
risks related to macroeconomic conditions in serve may restrict growth opportunities. In based on a low-cost model that does not
Analysis Across Executive their top five, with both reporting the threat addition, organizations in these two regions support present-day growth imperatives. In
Positions Represented of economic conditions restricting growth also shared the strategic risk that social media addition, only organizations in Latin America/
opportunities. Latin America/South America and internet applications may threaten how South America ranked the risk of anticipated
Industry Analysis organizations also expressed concern about they do business. increases in labor costs as a top five risk.
increasing labor costs. Organizations in India and Africa placed the This could be due to the trade and tariff
Analysis of Differences Between On the other hand, three geographic threat that their ability to access sufficient uncertainties during the latter part of 2018
Public and Non-Public Entities
regions are more focused on macroeconomic capital would restrict growth opportunities as well as higher inflationary pressures in
risks. Organizations based in the Middle as one of their top five risks. Surprisingly, many countries in that region.
Analysis of Differences Among
Geographic Regions
East, India and Africa all have at least three concerns about cyber threats only appear in

Analysis of Differences
Between Organizations With
and Without Rated Debt

Protiviti
Plans to Deploy Resources to Enhance
Risk Management Capabilities

A Call to Action:

98
Questions to Consider

Research Team
 TABLE OF CONTENTS

Introduction

North America HQ Organizations

Executive Perspectives on Top Risks for 2019

Methodology

Executive Summary Our existing operations and legacy IT infrastructure may not be able to meet O
performance expectations related to quality, time to market, cost and innovation as well
as our competitors, especially new competitors that are “born digital” and with a low
Overall Risk Concerns for 2019 cost base for their operations, or established competitors with superior operations

Three-Year Comparison of Risks O

Our organization’s succession challenges and ability to attract and retain top talent
in a tightening talent market may limit our ability to achieve operational targets
Analysis Across Different
Sizes of Organizations

S
Analysis Across Executive Regulatory changes and scrutiny may heighten, noticeably affecting the manner in
Positions Represented which our products or services will be produced or delivered

Industry Analysis
O
Resistance to change may restrict our organization from making necessary
Analysis of Differences Between adjustments to the business model and core operations
Public and Non-Public Entities

Analysis of Differences Among O

Geographic Regions Our organization may not be sufficiently prepared to manage cyber threats that have
the potential to significantly disrupt core operations and/or damage our brand

Analysis of Differences
Between Organizations With 4 5 6 7 8
and Without Rated Debt

Protiviti
Plans to Deploy Resources to Enhance
Risk Management Capabilities Legend

M Macroeconomic Risk Issue S Strategic Risk Issue O Operational Risk Issue 2019 2018 2017
A Call to Action:

99
Questions to Consider

Research Team
 TABLE OF CONTENTS

Introduction

Europe HQ Organizations

Executive Perspectives on Top Risks for 2019

Methodology

Executive Summary
S
Regulatory changes and scrutiny may heighten, noticeably affecting the manner
in which our products or services will be produced or delivered
Overall Risk Concerns for 2019

Three-Year Comparison of Risks O

Our organization may not be sufficiently prepared to manage cyber threats that
have the potential to significantly disrupt core operations and/or damage our brand
Analysis Across Different
Sizes of Organizations

Our existing operations and legacy IT infrastructure may not be able to meet O
Analysis Across Executive performance expectations related to quality, time to market, cost and innovation as well
Positions Represented as our competitors, especially new competitors that are “born digital” and with a low
cost base for their operations, or established competitors with superior operations

Industry Analysis
M
Economic conditions in markets we currently serve may significantly restrict growth
Analysis of Differences Between opportunities for our organization
Public and Non-Public Entities

Analysis of Differences Among O

Geographic Regions Our organization’s succession challenges and ability to attract and retain top talent
in a tightening talent market may limit our ability to achieve operational targets

Analysis of Differences
Between Organizations With 4 5 6 7 8
and Without Rated Debt

Protiviti
Plans to Deploy Resources to Enhance
Risk Management Capabilities Legend

M Macroeconomic Risk Issue S Strategic Risk Issue O Operational Risk Issue 2019 2018 2017
A Call to Action:

100
Questions to Consider

Research Team
 TABLE OF CONTENTS

Introduction

Australia/New Zealand HQ Organizations

Executive Perspectives on Top Risks for 2019

Methodology

Executive Summary Our existing operations and legacy IT infrastructure may not be able to meet O
performance expectations related to quality, time to market, cost and innovation as well
as our competitors, especially new competitors that are “born digital” and with a low
Overall Risk Concerns for 2019 cost base for their operations, or established competitors with superior operations

Three-Year Comparison of Risks S

Regulatory changes and scrutiny may heighten, noticeably affecting the manner in
which our products or services will be produced or delivered
Analysis Across Different
Sizes of Organizations

O
Analysis Across Executive Resistance to change may restrict our organization from making necessary adjustments
Positions Represented to the business model and core operations

Industry Analysis
O
Our organization’s succession challenges and ability to attract and retain top talent
Analysis of Differences Between in a tightening talent market may limit our ability to achieve operational targets
Public and Non-Public Entities

Analysis of Differences Among Rapid speed of disruptive innovations enabled by new and emerging technologies S
Geographic Regions and/or other market forces may outpace our organization’s ability to compete
and/or manage the risk appropriately, without making significant changes to our
business model
Analysis of Differences
Between Organizations With 4 5 6 7 8
and Without Rated Debt

Protiviti
Plans to Deploy Resources to Enhance
Risk Management Capabilities Legend

M Macroeconomic Risk Issue S Strategic Risk Issue O Operational Risk Issue 2019 2018 2017
A Call to Action:

101
Questions to Consider

Research Team
 TABLE OF CONTENTS

Introduction

Asia HQ Organizations

Executive Perspectives on Top Risks for 2019

Methodology

Executive Summary
O
Our organization’s succession challenges and ability to attract and retain top talent
in a tightening talent market may limit our ability to achieve operational targets
Overall Risk Concerns for 2019

Three-Year Comparison of Risks S

Regulatory changes and scrutiny may heighten, noticeably affecting the manner in
which our products or services will be produced or delivered
Analysis Across Different
Sizes of Organizations

Inability to utilize data analytics and “big data” to achieve market intelligence and O
Analysis Across Executive increase productivity and efficiency may significantly affect our management of core
Positions Represented
operations and strategic plans

Industry Analysis
Uncertainty surrounding the viability of key suppliers, scarcity of supply, or O
stable supply prices may make it difficult to deliver our products or services at
Analysis of Differences Between acceptable margins
Public and Non-Public Entities

Analysis of Differences Among Our existing operations and legacy IT infrastructure may not be able to meet O
Geographic Regions performance expectations related to quality, time to market, cost and innovation as well
as our competitors, especially new competitors that are “born digital” and with a low
cost base for their operations, or established competitors with superior operations
Analysis of Differences
Between Organizations With 4 5 6 7 8
and Without Rated Debt

Protiviti
Plans to Deploy Resources to Enhance
Risk Management Capabilities Legend

M Macroeconomic Risk Issue S Strategic Risk Issue O Operational Risk Issue 2019 2018 2017
A Call to Action:

102
Questions to Consider

Research Team
 TABLE OF CONTENTS

Introduction

Latin America/South America HQ Organizations

Executive Perspectives on Top Risks for 2019

Methodology

Executive Summary
O
Resistance to change may restrict our organization from making necessary
adjustments to the business model and core operations
Overall Risk Concerns for 2019

Three-Year Comparison of Risks O

Our organization’s succession challenges and ability to attract and retain top talent
in a tightening talent market may limit our ability to achieve operational targets
Analysis Across Different
Sizes of Organizations

Our existing operations and legacy IT infrastructure may not be able to meet O
Analysis Across Executive performance expectations related to quality, time to market, cost and innovation as well
Positions Represented as our competitors, especially new competitors that are “born digital” and with a low
cost base for their operations, or established competitors with superior operations

Industry Analysis
M
Economic conditions in markets we currently serve may significantly restrict growth
Analysis of Differences Between opportunities for our organization
Public and Non-Public Entities

Analysis of Differences Among M

Geographic Regions Anticipated increases in labor costs may affect our opportunity to meet
profitability targets

Analysis of Differences
Between Organizations With 4 5 6 7 8
and Without Rated Debt

Protiviti
Plans to Deploy Resources to Enhance
Risk Management Capabilities Legend

M Macroeconomic Risk Issue S Strategic Risk Issue O Operational Risk Issue 2019 2018 2017
A Call to Action:

103
Questions to Consider

Research Team
 TABLE OF CONTENTS

Introduction

Middle East HQ Organizations

Executive Perspectives on Top Risks for 2019

Methodology

Executive Summary
M
Geopolitical shifts and instability in governmental regimes or expansion of global
terrorism may restrict the achievement of our global growth and profitability objectives
Overall Risk Concerns for 2019

Three-Year Comparison of Risks M

Anticipated volatility in global financial markets and currency exchange rates may
create significantly challenging issues for our organization to address
Analysis Across Different
Sizes of Organizations

M
Analysis Across Executive Economic conditions in markets we currently serve may significantly restrict growth
Positions Represented opportunities for our organization

Industry Analysis
Social media, mobile applications and other Internet-based applications may S
significantly impact our brand, customer relationships, regulatory compliance
Analysis of Differences Between processes and/or how we do business
Public and Non-Public Entities

Analysis of Differences Among M

Uncertainty surrounding the influence and continued tenure of key global leaders
Geographic Regions
may impact national and international markets to the point of significantly limiting
our growth opportunities
Analysis of Differences
Between Organizations With 4 5 6 7 8
and Without Rated Debt

Protiviti
Plans to Deploy Resources to Enhance
Risk Management Capabilities Legend

M Macroeconomic Risk Issue S Strategic Risk Issue O Operational Risk Issue 2019 2018 2017
A Call to Action:

104
Questions to Consider

Research Team
 TABLE OF CONTENTS

Introduction

India HQ Organizations

Executive Perspectives on Top Risks for 2019

Methodology

Executive Summary
Inability to utilize data analytics and “big data” to achieve market intelligence and O
increase productivity and efficiency may significantly affect our management of core
Overall Risk Concerns for 2019 operations and strategic plans

Three-Year Comparison of Risks M

Our ability to access sufficient capital/liquidity may restrict growth opportunities
for our organization
Analysis Across Different
Sizes of Organizations

M
Analysis Across Executive Geopolitical shifts and instability in governmental regimes or expansion of global
Positions Represented terrorism may restrict the achievement of our global growth and profitability objectives

Industry Analysis
Our organization’s culture may not sufficiently encourage the timely identification O
and escalation of risk issues that have the potential to significantly affect our core
Analysis of Differences Between operations and achievement of strategic objectives
Public and Non-Public Entities

Analysis of Differences Among M

Geographic Regions Demands made by activist investors and other key stakeholders may significantly
affect how we do business in the marketplace (new in 2019)

Analysis of Differences
Between Organizations With 4 5 6 7 8
and Without Rated Debt

Protiviti
Plans to Deploy Resources to Enhance
Risk Management Capabilities Legend

M Macroeconomic Risk Issue S Strategic Risk Issue O Operational Risk Issue 2019 2018 2017
A Call to Action:

105
Questions to Consider

Research Team
 TABLE OF CONTENTS

Introduction

Africa HQ Organizations

Executive Perspectives on Top Risks for 2019

Methodology

Executive Summary
M
Our ability to access sufficient capital/liquidity may restrict growth opportunities
for our organization
Overall Risk Concerns for 2019

Three-Year Comparison of Risks Social media, mobile applications and other Internet-based applications may S
significantly impact our brand, customer relationships, regulatory compliance
processes and/or how we do business
Analysis Across Different
Sizes of Organizations

M
Analysis Across Executive Anticipated volatility in global financial markets and currency exchange rates may create
Positions Represented significantly challenging issues for our organization to address

Industry Analysis
M
Economic conditions in markets we currently serve may significantly restrict growth
Analysis of Differences Between opportunities for our organization
Public and Non-Public Entities

Analysis of Differences Among Rapid speed of disruptive innovations enabled by new and emerging technologies S
Geographic Regions and/or other market forces may outpace our organization’s ability to compete
and/or manage the risk appropriately, without making significant changes to our
business model
Analysis of Differences
Between Organizations With 4 5 6 7 8
and Without Rated Debt

Protiviti
Plans to Deploy Resources to Enhance
Risk Management Capabilities Legend

M Macroeconomic Risk Issue S Strategic Risk Issue O Operational Risk Issue 2019 2018 2017
A Call to Action:

106
Questions to Consider

Research Team
 TABLE OF CONTENTS

Introduction

Methodology

Executive Summary
Analysis of Differences Between Organizations
Overall Risk Concerns for 2019
With and Without Rated Debt
Three-Year Comparison of Risks

We also asked participants to indicate Fifty-four respondents indicated “I’m not Organizations with rated debt are most
Analysis Across Different
Sizes of Organizations
whether their organizations have rated debt sure” in response to this question for 2019. concerned about the risk of existing operations
outstanding, whereby the major credit rating The 298 organizations in our study with and legacy IT infrastructure being able to meet
agencies may evaluate the overall riskiness of rated debt outstanding include 164 public performance expectations, whereas that risk
Analysis Across Executive
Positions Represented the enterprise and, implicitly, the organization’s companies, 78 private companies, and 56 was ranked second for organizations with
risk oversight processes as part of the entity’s governmental or not-for-profit organizations. non-rated debt. In contrast, organizations
overall credit score. We are particularly For the 473 organizations without rated debt, without rated debt are most concerned about
Industry Analysis
interested in observing how organizations 213 are public companies, 169 are private, succession challenges and the ability to recruit
with rated debt perceive their overall risk and 91 are governmental or not-for-profit and retain talent, whereas that was ranked
Analysis of Differences Between
Public and Non-Public Entities
environment in light of the explicit focus of organizations. We report the survey results second by organizations with rated debt.
rating agencies on their management and for 2019 and the two prior years for rated Concerns about regulatory changes and cyber
governance processes, including enterprise- debt outstanding organizations and those threats rank as the third and fourth rated
Analysis of Differences Among
Geographic Regions wide risk management. without rated debt in the bar charts on the risks for organizations with rated debt and are
Two hundred ninety-eight participants in the following pages. switched for organizations without rated debt.
Analysis of Differences survey represent organizations with rated Both organizations list the risk of resistance to
Between Organizations With The top five risks are the same for both types
debt outstanding, while 473 respondents change restricting the ability to make changes
and Without Rated Debt of organizations, but the ordering of the top
represent organizations without rated debt. to the business model and core operations as
five is different among the organizations.
their fifth most impactful risk.

Protiviti
Plans to Deploy Resources to Enhance
Risk Management Capabilities

A Call to Action:

107
Questions to Consider

Research Team
 TABLE OF CONTENTS

Introduction

Executive Perspectives on Top Risks for 2019

Methodology

Overall, while there is no marked difference escalation of risk issues represented a top five manage succession challenges and to recruit
Executive Summary
between these two groups with respect to 2019 risk issue. In 2019, organizations with rated and retain talent as new top five risks. New
risk concerns, there is a change from 2018. In debt rated concerns about existing operations 2019 risks for organizations without rated debt
Overall Risk Concerns for 2019 2018, concerns about the organization’s culture and legacy IT infrastructure being able to meet included concerns with existing operations and
not encouraging the timely identification and performance expectations and the ability to concerns about regulatory changes.
Three-Year Comparison of Risks

Analysis Across Different

Sizes of Organizations

Analysis Across Executive We believe that the increased scrutiny that debt ratings agencies bring to those organizations with rated debt
Positions Represented
may help mitigate risk concerns. Investments in risk management processes are expected by these agencies,
Industry Analysis and these investments may serve to lower threat levels for those organizations.
— B ruce Branson, Professor of Accounting, Associate Director, Enterprise Risk Management Initiative, Poole College of Management, NC State University
Analysis of Differences Between
Public and Non-Public Entities

Analysis of Differences Among

Geographic Regions

Analysis of Differences
Between Organizations With
and Without Rated Debt

Protiviti
Plans to Deploy Resources to Enhance
Risk Management Capabilities

A Call to Action:

108
Questions to Consider

Research Team
 TABLE OF CONTENTS

Introduction

With Rated Debt

Executive Perspectives on Top Risks for 2019

Methodology

Executive Summary Our existing operations and legacy IT infrastructure may not be able to meet O
performance expectations related to quality, time to market, cost and innovation as well
as our competitors, especially new competitors that are “born digital” and with a low
Overall Risk Concerns for 2019 cost base for their operations, or established competitors with superior operations

Three-Year Comparison of Risks O

Our organization’s succession challenges and ability to attract and retain top talent
in a tightening talent market may limit our ability to achieve operational targets
Analysis Across Different
Sizes of Organizations

S
Analysis Across Executive Regulatory changes and scrutiny may heighten, noticeably affecting the manner in
Positions Represented which our products or services will be produced or delivered

Industry Analysis
O
Our organization may not be sufficiently prepared to manage cyber threats that
Analysis of Differences Between have the potential to significantly disrupt core operations and/or damage our brand
Public and Non-Public Entities

Analysis of Differences Among O

Geographic Regions Resistance to change may restrict our organization from making necessary
adjustments to the business model and core operations

Analysis of Differences
Between Organizations With
4 5 6 7 8
and Without Rated Debt

Protiviti
Plans to Deploy Resources to Enhance
Risk Management Capabilities Legend

M Macroeconomic Risk Issue S Strategic Risk Issue O Operational Risk Issue 2019 2018 2017
A Call to Action:

109
Questions to Consider

Research Team
 TABLE OF CONTENTS

Introduction

Without Rated Debt

Executive Perspectives on Top Risks for 2019

Methodology

Executive Summary
O
Our organization’s succession challenges and ability to attract and retain top talent
in a tightening talent market may limit our ability to achieve operational targets
Overall Risk Concerns for 2019

Three-Year Comparison of Risks Our existing operations and legacy IT infrastructure may not be able to meet O
performance expectations related to quality, time to market, cost and innovation as well
as our competitors, especially new competitors that are “born digital” and with a low
Analysis Across Different cost base for their operations, or established competitors with superior operations
Sizes of Organizations

O
Analysis Across Executive Our organization may not be sufficiently prepared to manage cyber threats that
Positions Represented have the potential to significantly disrupt core operations and/or damage our brand

Industry Analysis
S
Regulatory changes and scrutiny may heighten, noticeably affecting the manner in
Analysis of Differences Between which our products or services will be produced or delivered
Public and Non-Public Entities

Analysis of Differences Among O

Geographic Regions Resistance to change may restrict our organization from making necessary
adjustments to the business model and core operations

Analysis of Differences
Between Organizations With
4 5 6 7 8
and Without Rated Debt

Protiviti
Plans to Deploy Resources to Enhance
Risk Management Capabilities Legend

M Macroeconomic Risk Issue S Strategic Risk Issue O Operational Risk Issue 2019 2018 2017
A Call to Action:

110
Questions to Consider

Research Team
 TABLE OF CONTENTS

Introduction

Methodology

Executive Summary
Plans to Deploy Resources to Enhance Risk
Overall Risk Concerns for 2019
Management Capabilities
Three-Year Comparison of Risks

Recall that we asked respondents about their overall impression of the perceived magnitude and severity of risks to be faced and the likelihood of
Analysis Across Different
Sizes of Organizations
investing additional resources in risk management efforts. The respondents’ overall response suggests an increase in the nature of the overall risk
environment, with an average score of 6.2 in 2019 relative to 6.0 in 2018.

Analysis Across Executive

Positions Represented
2019 2018 2017
Overall, what is your impression of the magnitude and severity of risks your organization will be facing with
Industry Analysis respect to reaching or exceeding profitability (or funding) targets over the next 12 months?
6.2 6.0 6.2

Analysis of Differences Between

Public and Non-Public Entities
In light of the risk environment, we asked Consistent with the finding that respondents continues to grow in complexity and that
Analysis of Differences Among executives to provide insights about whether noted an increase in their impression about there continues to be a need to invest in more
Geographic Regions the organization plans to devote additional the magnitude and severity of overall risks robust risk management capabilities.
resources to improve risk management over for 2019 relative to the prior year, they also
Analysis of Differences the next 12 months. We used a 10-point indicate a higher likelihood of deploying
Between Organizations With scale whereby 1 signifies “Unlikely to Make more resources to risk management in 2019
and Without Rated Debt
Changes” and 10 signifies “Extremely Likely relative to 2018 and 2017. This may be

Protiviti
to Make Changes.” due to an overall realization that the world
Plans to Deploy Resources to Enhance
Risk Management Capabilities

A Call to Action:

111
Questions to Consider

Research Team
 TABLE OF CONTENTS

Introduction

Executive Perspectives on Top Risks for 2019

Methodology

Executive Summary 2019 2018 2017

How likely is it that your organization will devote additional time and/or resources to risk identification and
management over the next 12 months?
Overall Risk Concerns for 2019 6.4 6.1 6.0

Three-Year Comparison of Risks

We also asked respondents a new question information among senior management, 6.2. Challenges seem to be highest for
in 2019. Specifically, we asked “Over the front-line business unit and process owners, organizations in the Healthcare and Life
Analysis Across Different
Sizes of Organizations next 12 months, to what degree do you second-line risk management leaders, and Sciences and Manufacturing and Distribution
believe your organization will experience relevant subject-matter experts within industry groups, which have average scores of
Analysis Across Executive
challenges to sustaining and/or strengthening the organization?” On a scale of 1 to 10, 6.7 and 6.4, respectively.
Positions Represented the coordination and exchange of risk the average score for this question was

Industry Analysis

Over the next 12 months, to what degree do you believe your organization will experience challenges to 2019 2018 2017
Analysis of Differences Between sustaining and/or strengthening the coordination and exchange of risk information among senior management,
Public and Non-Public Entities front-line business unit and process owners, second-line risk management leaders, and relevant subject-matter
experts within the organization? 6.2 N/A N/A

Analysis of Differences Among

Geographic Regions
The Financial Services industry group expressed The Energy and Utilities industry group at the “Significant Impact” level (i.e., an average
Analysis of Differences the greatest likelihood to devote additional shows the greatest increase in likelihood to risk rating of 6.0 or higher on our 10-point scale)
Between Organizations With time and resources toward risk management invest more in risk management capabilities and indicate that they anticipate significant
and Without Rated Debt
in 2019, followed by the Technology, Media in 2019 relative to 2018, increasing from 5.2 challenges to sustaining and/or strengthening

Protiviti
and Telecommunications and Healthcare and in 2018 to 6.1 in 2019. That finding is not their risk management processes in the coming
Plans to Deploy Resources to Enhance
Risk Management Capabilities Life Sciences industry groups. surprising given that this industry group had the year (with a score of 6.7).
largest number of risks (14 out of 30 risks) rated

A Call to Action:

112
Questions to Consider

Research Team
 TABLE OF CONTENTS

Introduction

Executive Perspectives on Top Risks for 2019

Methodology

Executive Summary Likelihood that the organization plans to devote additional resources to risk management over the next 12 months

Consumer
Overall Risk Concerns for 2019 Manufacturing Technology, Media and Healthcare and Energy and
Full Sample Financial Services Products and
and Distribution Telecommunications Life Sciences Utilities
Services
Three-Year Comparison of Risks
2019

2018

2017

2019

2018

2017

2019

2018

2017

2019

2018

2017

2019

2018

2017

2019

2018

2017

2019

2018

2017
Analysis Across Different
Sizes of Organizations

6.4 6.1 6.0 6.7 6.4 6.3 6.1 6.0 5.8 6.3 6.3 6.3 6.4 6.3 5.9 6.4 5.9 5.5 6.1 5.2 5.9
Analysis Across Executive
Positions Represented

Over the next 12 months, to what degree do you believe your organization will experience challenges to sustaining and/or strengthening the coordination
Industry Analysis
and exchange of risk information among senior management, front-line business unit and process owners, second-line risk management leaders, and relevant
subject-matter experts within the organization?
Analysis of Differences Between
Public and Non-Public Entities
2019

Analysis of Differences Among Full Sample 6.2

Geographic Regions
Financial Services 6.2

Analysis of Differences Consumer Products and Services 6.0

Between Organizations With
and Without Rated Debt Manufacturing and Distribution 6.4

Protiviti
Technology, Media and Telecommunications 6.1
Plans to Deploy Resources to Enhance
Risk Management Capabilities
Healthcare and Life Sciences 6.7

Energy and Utilities 6.0

A Call to Action:

113
Questions to Consider

Research Team
 TABLE OF CONTENTS

Introduction

Executive Perspectives on Top Risks for 2019

Methodology

Executive Summary

In improving risk management capabilities, companies must focus on how they can better anticipate, adapt
Overall Risk Concerns for 2019
and respond to change, as well as focus management efforts and resources on the risks and opportunities that
Three-Year Comparison of Risks
truly matter in terms of their impact on achieving their strategic objectives and performance goals. This is what
a risk-informed approach is all about.
Analysis Across Different
Sizes of Organizations — D olores Atallo, Managing Director, Protiviti

Analysis Across Executive

Positions Represented
We also analyzed responses to these questions are likely to be most exposed to the overall a higher level of risk management investment
across different sizes of organizations — the risk environment that is growing in complexity. for 2019. Larger organizations also believe
Industry Analysis
largest organizations (those with revenues Interestingly, only the smallest organizations that they may face higher levels of challenges
greater than $10 billion) exhibited the greatest expressed a decreased likelihood that they will in sustaining or strengthening their risk
Analysis of Differences Between increase in the likelihood that they plan to be investing in more robust risk identification management processes.
Public and Non-Public Entities
deploy additional resources to risk management and management over the next 12 months. All
(increasing from 6.4 to 6.9). These organizations other size categories of organizations indicate
Analysis of Differences Among
Geographic Regions

Likelihood that the organization plans to devote additional resources to risk management over the next 12 months
Analysis of Differences
Between Organizations With Revenues Less Revenues Revenues Revenues
and Without Rated Debt Full Sample
than $100M $100M — $999M $1B — $9.9B $10B or Higher

Protiviti
Plans to Deploy Resources to Enhance
2019

2018

2017

2019

2018

2017

2019

2018

2017

2019

2018

2017

2019

2018

2017
Risk Management Capabilities

A Call to Action: 6.4 6.1 6.0 5.6 6.0 4.9 6.4 6.2 5.9 6.3 6.0 6.4 6.9 6.4 6.1

114
Questions to Consider

Research Team
 TABLE OF CONTENTS

Introduction

Executive Perspectives on Top Risks for 2019

Methodology

Executive Summary Over the next 12 months, to what degree do you believe your organization will experience challenges to sustaining and/or strengthening the coordination
and exchange of risk information among senior management, front-line business unit and process owners, second-line risk management leaders, and relevant
subject-matter experts within the organization?
Overall Risk Concerns for 2019

2019
Three-Year Comparison of Risks
Full Sample 6.2
Analysis Across Different Revenues less than $100M 5.4
Sizes of Organizations
Revenues $100M — $999M 6.2
Analysis Across Executive
Revenues $1B — $9.9B 6.3
Positions Represented

Revenues $10B or Higher 6.6

Industry Analysis

Public companies and privately held for- enterprises reflected a greater increase signals a realization that risks affect all types
Analysis of Differences Between
Public and Non-Public Entities profit enterprises expressed similar levels in the levels of likelihood to invest than of entities and that no one organization is
of likelihood that they plan to invest more the slight increase in not-for-profit and immune to that fact. Therefore, no entity
time and resources in building out their governmental organizations. The level of can afford to ignore the importance of risk
Analysis of Differences Among
Geographic Regions risk management infrastructure in 2019 interest in improving risk management management thinking.
relative to 2018. In addition, for-profit capabilities across all types of organizations
Analysis of Differences
Between Organizations With
and Without Rated Debt

Protiviti
Plans to Deploy Resources to Enhance
Risk Management Capabilities

A Call to Action:

115
Questions to Consider

Research Team
 TABLE OF CONTENTS

Introduction

Executive Perspectives on Top Risks for 2019

Methodology

Executive Summary Likelihood that the organization plans to devote additional resources to risk management over the next 12 months

Privately Held Not-for-Profit and

Overall Risk Concerns for 2019 Full Sample Publicly Traded Companies
For-Profit Enterprises Governmental Organizations

Three-Year Comparison of Risks

2019

2018

2017

2019

2018

2017

2019

2018

2017

2019

2018

2017
Analysis Across Different
Sizes of Organizations 6.4 6.1 6.0 6.5 6.2 5.9 6.5 6.3 6.4 5.9 5.8 5.5

Analysis Across Executive

Positions Represented
Over the next 12 months, to what degree do you believe your organization will experience challenges to sustaining and/or strengthening the coordination
and exchange of risk information among senior management, front-line business unit and process owners, second-line risk management leaders, and relevant
Industry Analysis
subject-matter experts within the organization?

Analysis of Differences Between 2019

Public and Non-Public Entities

Full Sample 6.2

Analysis of Differences Among
Geographic Regions Publicly Traded Companies 6.2

Privately Held For-Profit Enterprises 6.3

Analysis of Differences
Between Organizations With Not-for-Profit and Governmental Organizations 6.0
and Without Rated Debt

Protiviti
Plans to Deploy Resources to Enhance
Risk Management Capabilities

A Call to Action:

116
Questions to Consider

Research Team
 TABLE OF CONTENTS

Introduction

Executive Perspectives on Top Risks for 2019

Methodology

Interestingly, board members and all of the respondents appear to be most interested CIOs/CTOs and Other C-Suite executives
Executive Summary
C-suite executives except for chief audit in seeing additional investment in risk indicate similar high levels of likelihood for
executives signal that their organizations management, as reflected by their average additional investments in risk management,
Overall Risk Concerns for 2019 are likely to invest additional resources overall likelihood score of 7.1 for 2019, likely intending investments in infrastructure
in risk management over the next 12 which reflects the largest increase in scores modernization and cybersecurity.
Three-Year Comparison of Risks months relative to the prior year. Board from 2018 among all respondent positions.

Analysis Across Different

Sizes of Organizations
Likelihood that the organization plans to devote additional resources to risk management over the next 12 months

Analysis Across Executive Board

Positions Represented Full Sample CEOs CFOs CROs CAEs CIO/CTOs Other C-Suite
Members
2019

2018

2017

2019

2018

2017

2019

2018

2017

2019

2018

2017

2019

2018

2017

2019

2018

2017

2019

2018

2017

2019

2018

2017
Industry Analysis

Analysis of Differences Between

Public and Non-Public Entities 6.4 6.1 6.0 7.1 6.3 5.3 6.2 5.9 5.9 6.5 6.3 6.4 6.2 5.8 6.0 5.6 6.2 5.5 7.0 6.5 6.7 7.0 6.4 6.4

Analysis of Differences Among

Geographic Regions

Analysis of Differences
Between Organizations With
and Without Rated Debt

Protiviti
Plans to Deploy Resources to Enhance
Risk Management Capabilities

A Call to Action:

117
Questions to Consider

Research Team
 TABLE OF CONTENTS

Introduction

Executive Perspectives on Top Risks for 2019

Methodology

In addition, board members and respondents in the CIO/CTO and Other C-Suite categories sense the greatest level of challenges in sustaining and
Executive Summary
strengthening the coordination and exchange of risk information among senior executives.

Overall Risk Concerns for 2019

Over the next 12 months, to what degree do you believe your organization will experience challenges to sustaining and/or strengthening the coordination
Three-Year Comparison of Risks
and exchange of risk information among senior management, front-line business unit and process owners, second-line risk management leaders, and relevant
subject-matter experts within the organization?

Analysis Across Different

2019
Sizes of Organizations

Full Sample 6.2

Analysis Across Executive
Positions Represented Board Members 6.5

CEOs 5.9
Industry Analysis
CFOs 5.8

Analysis of Differences Between CROs 5.7

Public and Non-Public Entities
CAEs 6.2

Analysis of Differences Among CIO/CTOs 6.7

Geographic Regions
Other C-Suite 6.8
Analysis of Differences
Between Organizations With
and Without Rated Debt

Protiviti
Plans to Deploy Resources to Enhance
Risk Management Capabilities

A Call to Action:

118
Questions to Consider

Research Team
 TABLE OF CONTENTS

Introduction

Executive Perspectives on Top Risks for 2019

Methodology

Recall that for this year, we had a sufficient in North America, Europe and Africa, as resources to risk management over the next
Executive Summary
number of respondents from different parts shown in the table below. 12 months. Organizations based in North
of the world to perform separate analysis Organizations with headquarters based America and Africa reflected the smallest
Overall Risk Concerns for 2019 across eight different regions around the in Australia/New Zealand, Latin America/ level of likelihood for that kind of investment
globe. As a result, we are only able to show South America and India indicate the greatest in risk management.
Three-Year Comparison of Risks responses for all three years for respondents likelihood that they will devote additional

Analysis Across Different

Sizes of Organizations
Likelihood that the organization plans to devote additional resources to risk management over the next twelve months

Analysis Across Executive 2019 2018 2017

Positions Represented

Full Sample 6.4 6.1 6.0

Industry Analysis
North America 5.8 5.9 5.7

Analysis of Differences Between Europe 6.7 6.4 6.7

Public and Non-Public Entities
Australia/New Zealand 7.0 N/A N/A

Analysis of Differences Among Asia 6.9 N/A N/A

Geographic Regions
Latin America/South America 7.2 N/A N/A

Analysis of Differences Middle East 6.6 N/A N/A

Between Organizations With
and Without Rated Debt India 7.1 N/A N/A

Protiviti
Plans to Deploy Resources to Enhance
Africa 5.7 6.5 N/A
Risk Management Capabilities

A Call to Action:

119
Questions to Consider

Research Team
 TABLE OF CONTENTS

Introduction

Executive Perspectives on Top Risks for 2019

Methodology

Organizations based in Latin America/South America, India and Asia seem to face the greatest level of challenges in sustaining and strengthening
Executive Summary
the coordination and exchange of risk information among senior management.

Overall Risk Concerns for 2019

Over the next 12 months, to what degree do you believe your organization will experience challenges to sustaining and/or strengthening the coordination
Three-Year Comparison of Risks
and exchange of risk information among senior management, front-line business unit and process owners, second-line risk management leaders, and relevant
subject-matter experts within the organization?

Analysis Across Different

2019
Sizes of Organizations

Full Sample 6.2

Analysis Across Executive
Positions Represented North America 5.6

Europe 6.5
Industry Analysis
Australia/New Zealand 6.6

Analysis of Differences Between Asia 6.8

Public and Non-Public Entities
Latin America/South America 7.0

Analysis of Differences Among Middle East 6.7

Geographic Regions
India 6.9
Analysis of Differences Africa 5.4
Between Organizations With
and Without Rated Debt

Protiviti
Plans to Deploy Resources to Enhance
Risk Management Capabilities

A Call to Action:

120
Questions to Consider

Research Team
 TABLE OF CONTENTS

Introduction

Methodology

Executive Summary
A Call to Action: Questions to Consider
Overall Risk Concerns for 2019

This report provides insights from 825 board risk appetite leaves decision makers to their management and oversight in the digital
Three-Year Comparison of Risks
members and executives about risks that own devices. Soon those organizations may age to pinpoint aspects requiring significant
are likely to affect their organizations over realize, once it's too late, that the level of improvement. Managing today’s risks using
Analysis Across Different the next 12 months. Overall, most rate the investment in risk thinking and their willingness outdated techniques and tools may leave
Sizes of Organizations
business environment as significantly risky, to engage in robust risk management tools the organization exposed to significant,
and on an overall basis, respondents rated 25 and dialogue is inadequate. Now is the time undesirable risk events that could threaten
Analysis Across Executive
Positions Represented
of the 28 risks included in prior year surveys for boards and C-suites to closely examine its brand and reputation, and even its
as higher in 2019 relative to 2018, suggesting how their organization approaches risk very survival.
that there continues to be a number of
Industry Analysis
uncertainties in the marketplace for 2019.
The ever-changing risk landscape and the
Analysis of Differences Between
Public and Non-Public Entities overall perceived increase in the magnitude
and severity of risks should prompt boards
and senior executives to closely scrutinize
In the digital economy, enterprise risk management can be a real
Analysis of Differences Among
Geographic Regions the approaches they use to keep an eye difference maker if it contributes to reshaping strategy in advance
on emerging risks. Unfortunately, many
organizations continue to manage risks the
of disruptive change. When the fundamentals of the business are
Analysis of Differences
Between Organizations With way they have for many years, even though about to change, executive management must be positioned to secure
and Without Rated Debt
the profile of risks is changing as the way
“early mover” positioning in the marketplace to capitalize on market

Protiviti
business is conducted evolves. Their risk
Plans to Deploy Resources to Enhance
Risk Management Capabilities
profile is most certainly not yesterday’s risks, opportunities and emerging risks.
and a focus on financial and compliance
— Jim DeLoach, Managing Director, Protiviti
risks using static analog age tools and
A Call to Action:

121
Questions to Consider without any conception of the organization’s

Research Team
 TABLE OF CONTENTS

Introduction

Executive Perspectives on Top Risks for 2019

Methodology

Accordingly, in the interest of evaluating ■■ Do we have a “speak up” culture that Evaluate the scope of risk focus
Executive Summary
and improving the risk assessment process encourages transparency and sharing of
Given the pace of change experienced in the
in light of the findings in this report, contrarian information and bad news? Are
industry and the relative riskiness and nature
Overall Risk Concerns for 2019 we offer executives and directors the our employees convinced they can “speak
of the organization’s operations:
following diagnostic questions to consider up” without fear of repercussions to their
when evaluating their organization’s risk careers or to their compensation? For
■■ To what extent are we centering our focus
Three-Year Comparison of Risks
assessment process: example, does the process: on risks in the context of our organization’s
strategy, business objectives and operations?
Analysis Across Different —— Encourage an open, positive dialogue
Sizes of Organizations Assess impact of leadership and culture ■■ Does the process consider a sufficient
for identifying and evaluating
on risk management time horizon to pick up strategic risks, e.g.,
opportunities and risks?
Analysis Across Executive Because culture and leadership the longer the horizon, the more likely
—— Focus on reducing the risk of undue
Positions Represented
significantly impact the organization’s new issues will present themselves? Does
bias and groupthink?
approach to risk oversight: the process consider extreme as well as
Industry Analysis
—— Give adequate attention to differences plausible scenarios?
■■ Is the board’s and the C-suite’s support
in viewpoints that may exist across
for more robust risk management ■■ Is our focus on the identification of risks
different executives and different
Analysis of Differences Between processes evident to key stakeholders mostly on internal operations, people
Public and Non-Public Entities global jurisdictions?
across the organization? and processes with minimal focus on
■■ Is adequate attention given to red external risks linked to geopolitical shifts,
■■ Do we have an accurate read on how our
Analysis of Differences Among flags indicating signs of a dysfunctional emerging innovations, and changes in
Geographic Regions organization’s culture is impacting how
culture that suppresses escalation of macroeconomic factors?
employees engage in risk management
important risk information or encourages
processes and conversations? If so, how ■■ Are we encouraging the identification of
Analysis of Differences unacceptable risk taking? Are warning
Between Organizations With do we know? opportunities to take on more risk on a
and Without Rated Debt signs posted by the risk management
managed basis?
function or internal audit addressed timely

Protiviti
by executive management?
Plans to Deploy Resources to Enhance
Risk Management Capabilities

A Call to Action:

122
Questions to Consider

Research Team
 TABLE OF CONTENTS

Introduction

Executive Perspectives on Top Risks for 2019

Methodology

Ensure the robustness of risk assessment ■■ Is there a process for identifying emerging whether changes have occurred requiring
Executive Summary
across the organization risks? Does the risk-identification process corrective action, and the organization
allow the board and management enough operates within established risk tolerances
Because risks are constantly changing, the risk
Overall Risk Concerns for 2019 time to adequately consider response in meeting key business objectives?
management process needs to be definable
plans to these risks? Are we monitoring the business
and repeatable to ensure business leaders are ■■

Three-Year Comparison of Risks environment over time for evidence

staying abreast of emerging issues:
Nail down accountabilities for managing of changes that may invalidate one or
■■ Would most describe our organization’s risks following a risk assessment
Analysis Across Different more critical assumptions underlying
Sizes of Organizations
approach to risk management as one that
Following completion of a formal or informal the organization’s strategy? If so, when
is siloed across disparate functions in the
risk assessment: there is evidence that one or more critical
organization or one that is more ad hoc
Analysis Across Executive ■■ Are risk owners assigned for newly assumptions underlying the strategy are
Positions Represented than structured?
identified risks? becoming, or have become, invalid, does
■■ Is the process supported by an effective management act timely on that knowledge
Industry Analysis methodology that is definable, repeatable ■■ Is there an effort to source the root
to revisit the strategy and undertake
and understood by key stakeholders? causes of certain risks that warrant a
necessary mid-course adjustments?
better understanding? Does the process
Analysis of Differences Between ■■ Do we engage all the right stakeholders in Do decision-making processes consider the
Public and Non-Public Entities look for patterns that connect potential ■■
the risk identification process? impact of a decision on the organization’s
interrelated risk events?
■■ How often are we engaging in a formal or risk profile?
Analysis of Differences Among ■■ Are effective risk response action plans
Geographic Regions an informal risk assessment process? Is it —— Have we sufficiently communicated
developed to address the risk at the source?
frequent enough? the relative value and importance of
Are the risk owners accountable for the
Analysis of Differences ■■ Does the process delineate the critical design and execution of those responses? considering risk in decision making
Between Organizations With enterprise risks from the day-to-day risks across the enterprise?
and Without Rated Debt ■■ Are significant risks related to the
of managing the business so as to focus the —— Is the board sufficiently involved in the
execution of the strategy and business

Protiviti
dialogue in the C-suite and boardroom on decision-making process, particularly
Plans to Deploy Resources to Enhance model monitored over time to consider
the risks that matter? when it involves acquisition of new
Risk Management Capabilities

A Call to Action:

123
Questions to Consider

Research Team
 TABLE OF CONTENTS

Introduction

Executive Perspectives on Top Risks for 2019

Methodology

businesses, entry into new markets, the board in a timely manner of significant ■■ Given the organization’s risk profile, does
Executive Summary
the introduction of innovative emerging risks or significant changes in the the board periodically consider whether
technologies or alteration of key organization’s risk profile? it has access to the diverse expertise
Overall Risk Concerns for 2019 assumptions underlying the strategy? ■■ With respect to the most critical and experience needed — either on the
—— Is there actionable, current risk infor- risks facing the organization, do board itself or through access to external
Three-Year Comparison of Risks mation that is widely shared to enable directors understand at a high level the advisers — to provide the necessary
more informed decision making? organization’s responses to these risks? oversight and advice to management?

Analysis Across Different Is there an enterprisewide process in These and other questions can assist
Sizes of Organizations Communicate an enterprise view of top place that directors can point to that organizations in defining their specific risks
risks and board risk oversight answers these questions and is that and assessing the adequacy of the processes
Analysis Across Executive
With respect to communicating and process informing the board’s risk informing their risk management and board risk
Positions Represented
overseeing the risk profile: oversight effectively? oversight. We hope the important insights
Is there a periodic board-level dialogue about the perceived risks on the horizon for
Industry Analysis
■■ Is the board informed of the results of ■■

regarding management’s appetite for risk 2019 provided in this report prove useful. We
management’s risk assessment on a
and whether the organization’s risk profile also hope that the insights serve as a catalyst
timely basis? Do directors agree with
Analysis of Differences Between
is consistent with that risk appetite? Is for an updated assessment of risks and the
Public and Non-Public Entities management’s determination of the
the board satisfied that the strategy- risk management capabilities in place within
significant risks?
setting process appropriately considers all organizations, as well as improvement
Analysis of Differences Among ■■ Are significant risk issues warranting in their risk assessment processes and risk
Geographic Regions a substantive assessment of the risks
attention by executive management and management capabilities.
the enterprise is taking on as strategic
the board escalated to their attention on
alternatives are considered, and the
Analysis of Differences a timely basis? Does management apprise
Between Organizations With selected strategy is executed?
and Without Rated Debt

Protiviti
Plans to Deploy Resources to Enhance
Risk Management Capabilities

A Call to Action:

124
Questions to Consider

Research Team
 TABLE OF CONTENTS

Introduction

Methodology

Executive Summary
Research Team
Overall Risk Concerns for 2019

This research project was conducted in partnership between Protiviti and North Carolina State University’s Enterprise Risk Management
Three-Year Comparison of Risks
Initiative. Individuals participating in this project include:

Analysis Across Different NORTH CAROLINA STATE UNIVERSITY’S ERM INITIATIVE

Sizes of Organizations
■■ Mark Beasley ■■ Bruce Branson ■■ Don Pagach

Analysis Across Executive

Positions Represented PROTIVITI

■■ Pat Scott ■■ Jim DeLoach ■■ Kevin Donahue

Industry Analysis ■■ Brian Christensen ■■ Emma Marcandalli

■■ Dolores Atallo ■■ Matthew Moore

Analysis of Differences Between
Public and Non-Public Entities

Analysis of Differences Among

Geographic Regions

Analysis of Differences
Between Organizations With
and Without Rated Debt

Protiviti
Plans to Deploy Resources to Enhance
Risk Management Capabilities

A Call to Action:

125
Questions to Consider

Research Team
 TABLE OF CONTENTS

Introduction

Executive Perspectives on Top Risks for 2019

Methodology

ABOUT PROTIVITI
Executive Summary
Protiviti is a global consulting firm that delivers deep expertise, objective insights, a tailored approach and unparalleled collaboration to help leaders confidently face the future. Protiviti and
our independently owned Member Firms provide consulting solutions in finance, technology, operations, data, analytics, governance, risk and internal audit to our clients through our network
of more than 75 offices in over 20 countries. 
Overall Risk Concerns for 2019
We have served more than 60 percent of Fortune 1000 ® and 35 percent of Fortune Global 500® companies. We also work with smaller, growing companies, including those looking to go public,
as well as with government agencies. Protiviti is a wholly owned subsidiary of Robert Half (NYSE: RHI). Founded in 1948, Robert Half is a member of the S&P 500 index.
Three-Year Comparison of Risks
ABOUT NORTH CAROLINA STATE UNIVERSITY’S ERM INITIATIVE

Analysis Across Different The Enterprise Risk Management (ERM) Initiative in the Poole College of Management at North Carolina State University provides thought leadership about ERM practices and their
Sizes of Organizations integration with strategy and corporate governance. Faculty in the ERM Initiative frequently work with boards of directors and senior management teams helping them link ERM to
strategy and governance, host executive workshops and educational training sessions, and issue research and thought papers on practical approaches to implementing more effective
risk oversight techniques (www.erm.ncsu.edu).
Analysis Across Executive
Positions Represented

Industry Analysis

Analysis of Differences Between

Public and Non-Public Entities

Analysis of Differences Among

Geographic Regions

Analysis of Differences
Between Organizations With
and Without Rated Debt

Protiviti
Plans to Deploy Resources to Enhance
Risk Management Capabilities

A Call to Action:

126
Questions to Consider

Research Team
www.erm.ncsu.edu www.protiviti.com

© 2018 Protiviti Inc. An Equal Opportunity Employer M/F/Disability/Veterans. PRO-1218-101113.

Protiviti is not licensed or registered as a public accounting firm and does not issue opinions on financial
statements or offer attestation services.