GRC Tuesdays: New Risk Priorities
Like most people working in the Governance, Risk, and Compliance arena, I usually start the year by reading the “Top [Enter The Current Year Here] Risk Report” and then compare the results to previous years.
But after reading AON’s Reprioritising Risk and Resilience for a Post-COVID-19 Future, I was reminded that this year will not be like any other. We are operating in a changed, and still evolving, risk landscape. And this must be taken into account.
As a result, not only are comparisons to previous years hazardous at best, but they will also not suffice to represent the various views and experiences across industries and geographies.
According to the AON report mentioned just above, “82% of respondents said that prior to COVID-19, a pandemic or other major health crisis was not a top 10 risk on their organization’s risk register”. This risk alone changes the whole game, so to speak, so I clearly had to broaden my information intake if I was to try and understand how the crisis changed businesses’ perspectives and the threats they will face in 2021 and going forward.
I have therefore decided to combine data points from different reports to try and paint a simplified picture of what companies, but also the community, have raised as the most pressing concerns in the near future.
In order to create the spider graph below, I organized the risks from the reports in broad risk categories and focused on the top 5 regularly cited:
Top 5 Risk Categories Most Regularly Cited
- Economic Conditions: debt crisis, energy prices, changing market conditions with restricted growth forecasts are just a few of the risks from this category;
- Cybersecurity: these are of course linked to cyber threats and data privacy protection concerns. This category has been increasing in ranking over these last few years and is now constantly in the top 5;
- Environmental: climate change is a major concern for the community. And even if some companies don’t include this risk as is in their top 10, many will include related risks such as extreme weather conditions (including droughts and floods) in their regular assessments;
- Disasters and Crisis: we no longer need to present infectious diseases such as COVID-19 as a top risk of course. But this category also includes threats such as scarcity of natural resources, fire & explosions, etc.;
- Information Technology (excluding Cyber & Digitalization): Cybersecurity is one of the leading categories as per above, but IT also brings additional challenges that don’t necessarily relate to IT threats or to Digitalization of businesses which is itself a separate category. Risks here would range from data governance to experiencing the limit of controllability of the technology in use for instance.
Other (Selected) Categories
- Regulatory Change: I have already highlighted this category in previous GRC Tuesdays blogs, including “Regulatory Super-Inflation Is Here to Stay. So What Can be Done?” or “Where Can You Expect Most New Regulatory Requirements in 2021?”. These are risks associated with changes in legislation and regulations across industries and geographies;
- Geopolitical: political instability and violence are just some of the components of this category that also includes relationships between countries or economic blocs, or political pressures in certain industries;
- HR / Talent Management: no employer would disagree that employees are the most valuable (intangible) asset in an organization. Well-being and talent management, especially during these remote-working times when recruitment is hindered, have proven crucial for an organization to succeed and keep its key employees;
- Risk Culture: organizational and corporate governance, individual behaviours towards control and fraudulent activities but also ability to report on risk events are all parts of the risk culture;
- Digitalization: as I mentioned in the GRC Tuesdays blog When Governance, Risk, and Compliance Supports the Subscription Based Digital Economy, business models are evolving with some industries being radically changed by subscription models that are often enabled by digitalization. As a result, this risk category is as much an opportunity for some as it is a threat to others and will most likely continue to increase in ranking over the next few years.
Interested in Hearing More?
I am sure many will say that this is only a partial and biased report. And I would perfectly agree with this assessment. Especially since I organized the risks from the various reports in broader categories where I felt they belonged.
But don’t just take my word for it. I would strongly recommend attending the webinar that my colleagues Michael Heckner and Vincent Doux from EMEA Business Development for Governance, Risk, and Compliance solutions at SAP are hosting on March 11th 2021: Managing Top Risks. If you can’t attend live, it will also be available OnDemand of course.
This webinar will explain the benefits of an embedded GRC umbrella with real live examples of how a digital boardroom dashboard delivers an integrated view of all key business indicators, including risk and control information.
Finally, Michael will also be delivering a session on Risks in Business Processes during the Audit, Control and Security (ACS) Special Interest Group (SIG) of the UK & Ireland SAP User Group (UKISUG) on March 18th 2021 (in short: “UKISUG Security ACS SIG” for the acronym aficionados!). Guests and UKISUG members can register on the following page: Security (ACS) SIG.
During this session, Michael will host a business-level discussion around key business risks in typical business processes. The presentation will address some of the major risks an organisation needs to address in common processes such as: Procure-to-Pay, Order-to-Cash, Fixed Assets, Treasury, Financial Close Process, Human Resources, Information Technology, etc. The session will provide both a strategic level view on top risks in 2021 as well as a detailed view on risks within each of the above business processes.
As mentioned above, I have taken information from many reports and you will find a complete list below in case you’d like some reading material:
- Allianz – Risk Barometer 2021 report
- AON – Reprioritizing Risk and Resilience for a Post-COVID-19 Future
- Compliance Week – Survey: Pandemic pervades executives’ top 10 risks for 2021
- Chartered Institute of Internal Auditors – Risk in Focus 2021
- Deloitte – 2021 Hot Topics for IT Internal Audit in Financial Services
- Eurasia Group – Top Risks for 2021
- Forbes – Top 10 Risks Of 2021 And How You Can Manage Them
- Gartner – 2021 Audit Plan Hot Spots
- Institute of Internal Auditors – OnRisk 2021: A Guide to Understanding, Aligning and Optimizing Risk
- KPMG – Internal Audit: Key risk areas 2021
- KPMG – COVID-19 Insights – Emerging Risks
- Marsh & McLennan – The Global Risks Report 2021
- Poole College of Management, North Carolina State University & Protiviti – Executive Perspectives on Top Risks for 2021 & 2030
- Risk Management Magazine – Risks to Watch in 2021
- TIME – The Top Risks for the World in 2021
- World Economic Forum – The Global Risks Report 2021
What about you, what are the top risks your company is closely scrutinizing at the moment? I look forward to reading your thoughts and comments either on this blog or on Twitter @TFrenehard