We are bombarded by numerous reports of the top risks to companies now and in the future. But what do they really mean for risk managers? Gabriel Souza, risk management specialist takes a detailed look at six risk reports and has this analysis
There has been a lot of discussion about risk approaches and models, but we are forgetting something: the risks itself.
We no longer talk about the essence of our job. Facing such “values confusion” within myself too, I decided to look around and run away from the “noise” to get an idea of what resilience professionals are facing in companies all over the world.
I picked six publications/reports of companies that perform studies around the globe to understand our risk environment. Going further, I took the top five risks of each and consolidated them into a one-view picture to extract information that we cannot see if we read each of them separately.
The result is:
A quick caveat here. The World Economic Forum  separates the risks in probability and impact. It is not right or wrong. It is just another way of looking at it.
I will sort the topics in decreasing order of relevancy.
5. Security and environment
Both security and environment are pushed by the World Economic Forum, which looks at risks on a macro environment level. The interesting thing is that both risk categories have a strong correlation with other risks (which are reviewed extensively by other reports) such as business interruption, resistance to change operations, and damage to reputation/brand. And we don’t see environmental or security risks mentioned in any of the other reports.
So, keep in mind that when you see a company claiming that they are focusing on environmental and/or security issues, remember this: the saddest thing about it is that companies don’t usually place these topics in their “priority list” and they are risks that are barely discussed by most boards around the globe.
4. Operations, people and regulation
These are risks mentioned in numerous reports about top risks. I confess that I see operations more as an impact than a specific risk. When companies view operations as a sole risk, it can mislead the company to tackling the issues related to it. You can see it in the above infographic. Just check how many of the risks exposed generates a business interruption or resistance to change operations.
Almost all of them, right? It seems redundant to insert these two risks into the reports. The other 2 categories, people and regulation, are risks that represent a big concern and are top-of-mind for companies.
Regarding people risks, talent and skills are the biggest topics, especially in a world that is more digitised and has more Millennials and Generation Z (Gen Z) in the job market. People’s perceptions and purposes are changing, and naturally, career options reach different grounds. Just as a reference, the Bureau of Labor Statistics in the US says that a professional stays around four years in a company . Within Millennials and Gen Z, this figure drops two years .
On the regulatory side, the risks are number one in two reports, PwC  and Gartner . The concern here refers to the recent challenges that companies are facing with data privacy among employees, partners, government, and mainly customers. And especially with GDPR, which became a hot topic in every corner.
Market risk is another risk prolifically mentioned in many reports. Competition and market development are inherent for most company, especially now, with new approaches and technologies coming into the marketplace faster than ever. Companies are struggling to keep their core operations running and, at the same time, follow developments in their respective industries and world trends.
Geopolitics is under the spotlight more than ever. Increased world polarization and the US-China trade war are, for sure, leading companies to be more concerned about it. Also, Brexit can be mentioned as one of the factors that heighten concerns. Now more than ever, companies should be making specific plans/scenarios related to the macro aspects of our world. Some of the key points are:
- The US and Europe Union Politics (external and internal)
- China and its “technological appetite”
- Russia interference and willingness to show their role in the international “playground”
- Tensions between major powers and countries of the MENA (the Middle East and North Africa) and LATAM (Latin America) region.
And the winner is…….
Our world is already digitised – we can see this in everything that we do. Even toilets are becoming digitalised. And, more than this, everything is interconnected. And much more than “more than this”, technology is still evolving, and no one can predict where the next tranche of technological advancement will take us.
For technological risks, the only thing that we can do is to practice acceptance. Change is inevitable. If your market has yet to suffer disruption or it was not affected by it, keep it cool, because it will happen. And cybersecurity follows the same mindset. If you are yet to suffer a cyber-attack, one day you will. The reports show this concern clearly. Five out of the six reports that I have analysed, indicate cybersecurity as a significant concern.
Cyber attacks are increasing exponentially year-on-year, not only on quantity but in sophistication. It is getting harder to identify hackers that perpetuate attacks against companies, governments, and people because of the complexity, versatility and intelligence of the attacks. Companies and governments are behind the curve in this regard.
And worst of all, I believe that the reason we are behind the curve is because we still view cyber risks as science fiction: that a hacker who infiltrates a nuclear plant and controls a nuclear reactor from miles away in their homes is simply a “Hollywood thing”.
No, it is a reality.
We can conclude that the biggest problem is our mindset and the way in which we perceive things. In the end, it is people that run companies, governments and any other aspect of life. A change in mindset must be obligatory. We must increase our awareness and training, establish formal cybersecurity procedures, and invest money time and energy. Unfortunately, we have a long road ahead of us, here.
The key point, though, is to ensure that we do not take our eyes of the ball and understand the core risks to our companies. This way, we can provide the value that is expected from a resilience team.
So, what do you think? Do you agree with the risks exposed? Is there is another report that could be included in this consolidated analysis?
 World Economic Forum Report - http://www3.weforum.org/docs/WEF_Global_Risks_Report_2019.pdf
 Bureau of Labor Statistics - https://www.bls.gov/news.release/tenure.nr0.htm
 Gartner - https://www.gartner.com/en/audit-risk/trends/top-ten-emerging-risks (requires a free-registration to access)
ERM Initiative (NCSU) - https://erm.ncsu.edu/az/erm/i/chan/library/2019-erm-execs-top-risks-infographic.pdf