Top Risks – A Consolidated Analysis
Gabriel de Souza, Senior Business Risk and Control Specialist, Nordea
We have been discussing a lot about risk approaches and models, but we are forgetting something. The risks itself. We don’t talk anymore about the essence of our job. At least, I still believe it is. Facing such “values confusion” within myself too, I decided to look around again. Run away from the “noise”, and get a glimpse of what resilience professionals are facing in companies all over the World.
So, I picked 6 publications/reports of companies that perform studies around the globe to understand our risk environment. Going further, I took the top 5 Risks of each and consolidated in a one-view picture to extract information that we cannot see if we pick each of them separately.
The result is:
A quick caveat here. The World Economic Forum  separates the risks in probability and impact. It is not right or wrong. It is just another of seeing it.
I will sort the topics in decreasing order of relevancy.
5. Security and Environment
Both topics are pushed exclusively by the World Economic Forum since the entity approaches risks is in a more macro environment level. The interesting fact is that both risk categories have a strong correlation with other risks that are spread throughout the other reports like Business Interruption, Resistance to Change Operations, and Damage to Reputation/Brand. And we don’t see environmental or security risks mentioned in any of them.
So keep in mind that when you see a company claiming that they are focusing on environmental and/or security issues, remember this picture. The saddest thing about it is that not only they don’t put these topics in their “priority list”, but actually they are risks that are barely discussed on most of the Boards around the globe.
4. Operations, People and Regulatory
These are standard risks for these reports. I confess that I see operations more as an impact than a specific risk. When companies bring Operations as a sole risk, it can mislead the company to tackle more precisely the issues related to it. You can see it in the picture. Just check how many of the risks exposed generates a Business Interruption and Resistance to change operations. Almost all of them right? Sounds even redundant to insert these 2 risks in the reports. The other 2 categories, People and Regulatory, have risks that represent a big concern and are top-of-mind for companies.
Regarding People, talent and skills are the biggest topics, especially in a World that is more digitized and has more Millenials and Generation Z (Gen Z) getting into the job market. People’s perspectives and purposes are changing, and naturally, career options reach different grounds. Just as a reference, the Bureau of Labor Statistics in the U.S. says that a professional stays around 4 years in a company . Within Millenials and Gen Z, this figure drops to 2 years .
On the Regulatory side, the risks are number one in two reports, PwC  and Gartner . The concern here refers to the recent challenges that companies are facing with Data Privacy among employees, partners, government, and mainly customers. Especially GDPR that became a hot topic in every corner.
Another one that is a “standard risk” in many reports. Competition and Market Development are inherent for any company. Especially now with new approaches and, mainly technologies coming to light at a faster speed. Companies are struggling to keep their core operations running and at the same time follow their respective industries and World’s trends and developments.
Geopolitics is on the spotlight stronger than ever before. Increased World’s Polarization and the US-China Trade War for sure are leading companies to be more concerned about it. Also, Brexit can be mentioned as one of the factors that lead to it. Now more than ever, companies should be making specific plans/scenarios related to the macro aspects of our World. Some of the key points are:
- The US and Europe Union Politics (external and internal)
- China and its “technological appetite”
- Russia interference and willingness to show their role in the international “playground”
- Tensions between major powers and countries of the MENA (the Middle East and North Africa) and LATAM (Latin America) region.
And the winner is…….
Our World is not becoming, but it is already digitized in everything that we do. Even the toilets are getting digital. And more than this, everything is more interconnected than ever. And much more than “more than this”, technology is still evolving and no one can predict precisely where all this will take us.
For technological risks, the only thing that we can do is to practice, as the Buddhists say, acceptance. Change is inevitable. If your market has not yet suffered any disruption or it was not affected by it, keep it cool, because it will happen. And Cybersecurity follows the same mindset. If you didn’t suffer a cyber-attack, one day you will. The reports show this concern clearly. In the 6 reports selected, 5 shows cybersecurity concerns.
Cyber attacks are increasing exponentially year-by-year, not only on quantity but in sophistication. It is getting harder to get hackers that perpetuate attacks against companies, governments, and people due to the complexity and incredible versatility and intelligence of the attacks. Companies and Governments all over the World are not getting on pace regarding this subject. Actually, they are far behind.
And the worst of all that, and I believe the cause of it, is that all of us are still thinking that a hacker invading a nuclear plant and operate a nuclear reactor from miles away in his/her home using underwear is a “Holywood thing”. No, it is a reality.
We can conclude that the biggest problem is our mindset. The way we perceive things. In the end, it is people that run companies, governments and any other aspect of life. A change in mindset became an obligation. Increase awareness and training, establish formal cybersecurity procedures, and massive-dedicated investment, not only of money but of time and energy are a basic requirement to, maybe, we tie the game between the “Good and Evil”. Unfortunately, we have a long road on this topic.
So what do you think about all this? Do you agree with the risks exposed? There is another report that could be included in this consolidation/analysis?
Of course, that we have space for more, but I think the key point here is to bring our “eyes to the ball again” and understand what is really concerning the companies. On this way, we can provide the real value that is expected from a Resilience team.