Top Risks Webinar Question Guide

Responses to Selected Questions Received During Webinar – January 11, 2023

We received numerous questions during our January webinar on Executive Perspectives on Top Risks for 2023 & 2032. While we responded to some during the webinar, we were unable to cover all of them. We have selected a number of the unanswered questions that we believe to be of general interest and have included responses to each below. In some cases, we grouped multiple questions of a similar nature. Our responses are intended to be brief and concise rather than exhaustive and are likely to become dated with the passage of time. If there are additional questions or a need for assistance, do not hesitate to contact a Protiviti representative.

Lessons Learned

What is your greatest lesson learned from 2022?

Response: “Stuff happens.” Expected to finally deliver a reprieve from the COVID-19 pandemic, the last 12 months offered far from it. Persistent inflation, central banks implementing contractionary tightening policies, energy shortages, escalating wages, high employee attrition, evolving work environments, continued supply chain challenges, geopolitical tensions, and that dreaded three-letter word – war – entered boardroom and C-suite conversations. Many of the challenges of 2022 can be attributed to inevitable aftereffects of disruptive market forces triggered by the pandemic. The broader message is that the notion of so-called “black swans” has given way to the inevitability of unexpected surprises, disruptive change, gray rhinos and, simply stated, “stuff happens.”

Environmental, Social and Governance (ESG)

How will ESG impact organisations in 2023? What are some major risks around ESG that organisations can expect to see?

Response: In 2023, ESG requirements will continue to evolve around the world, and expectations for companies to perform ESG activities and disclose more data are expected to increase.
With pressure being placed on organisations by both internal and external stakeholders, including investors, customers, employees, business partners and regulators, the requirements for ESG disclosures are still being determined from country to country. As these requirements evolve, companies operating in multiple jurisdictions will experience added complexity. ESG also has its share of critics, particularly in the U.S., which adds further to this complexity. The net effect is an increase in the frequency and depth of the data needed to comply, driven by growing stakeholder interest in ESG data and by greater regulatory clarity. EU-headquartered companies and non-EU companies with operations in the EU now have clarity around Corporate Sustainability Reporting Directive (CSRD) reporting requirements, including the “what” and “when.” In the United States, clarity is yet to come, but issuers should expect the U.S. SEC to clarify rules for reporting during 2023. These requirements will impact not only U.S. registrants but also those that interact with registrants and may hold data that registrants need.

Following is a summary of some of the risks organisations may face during 2023:

- Lack of knowledge of, or access to, ESG data, or lack of ability to provide this data to all interested parties in a timely and responsive manner.
- A myopic focus on reporting to the detriment of the underlying ESG activities themselves. ESG actions that address the targets communicated to the street are the key, as they are what enable reporting of improved results over time toward the ESG goals to which the organisation has committed.
- Failure to address, report and focus on material ESG issues effectively, which may result in:
  - Lower stock price valuations due to low ESG ratings and rankings
  - Being less attractive as an employer to both existing and prospective employees
  - Difficulty in satisfying and being attractive to customers, especially corporate B2B customers that are public companies expecting, requesting or requiring their suppliers to disclose certain ESG-related information, including future goals and targets such as reducing GHG emissions
  - Lower earnings from not pursuing certain ESG-related practices such as reducing energy use and the real estate footprint, developing substitute materials and packaging strategies, using natural resources in production more effectively, and substituting technology solutions for business travel

The above is an industry-agnostic discussion. ESG material issues and factors vary by industry; therefore, ESG risks may depend upon the specific industry and the impact that industry-specific issues have on the business model and operations.

How will risks associated with climate change evolve? We frequently talk about climate risk from an ESG reporting perspective. Are we paying enough attention to risks to physical infrastructure from climate? How are companies considering climate risks in capital planning?

Response: More frequent and intense droughts and storms, heat waves, rising sea levels, melting glaciers and warming oceans can directly harm habitats, significantly impact quality of life in many urban and rural communities, and impair critical infrastructure. Extreme heat can cause roads to buckle, and freeze-thaw cycles can cause pavement to crack, resulting in failure of the roads so critical to a nation’s distribution system. Extreme weather affects power lines, rail lines and airport runways. Ignoring these threats can mean erosion of the sustainability of business models.
All these factors, and the increased attention given to them by the World Economic Forum, United Nations and other global organisations, are driving multiple stakeholders – investors, customers, employees, regulators and communities – to examine more closely what companies are doing to reduce their carbon footprint. Managing these risks is becoming a corporate imperative for retaining the market’s permission to do business.

Is sufficient attention being paid to physical infrastructure? In this era of significant deficits and gridlock, the answer is probably not. Much needs to be done. Investment is needed for water storage, flood defenses, and water supply and sanitation in some regions. There is increasing emphasis on climate-resilient infrastructure, with the objective of anticipating, preparing for and adapting to changing climate conditions. For example: reinforcing the electric grid to better withstand extreme weather; changing the composition of road surfaces so that they do not deteriorate in high temperatures; building seawalls or using permeable paving surfaces to reduce run-off during heavy rainfalls; investing in better housing and more adaptable infrastructure in areas prone to severe flooding or sea level rise; planting trees to reduce extreme heat in cities; reducing forest destruction and degradation; and putting air conditioning in schools.

Against these realities, there are two aspects for companies to consider:

- The resilience of the organisation in managing the effects of climate change on the business
- The veracity of climate-change-related disclosures to the market

Both aspects are important, especially for companies dependent on fossil fuel generation and use. With continued developments in the market through new regulations, increased expectations by institutional investors, evolving customer and employee preferences, access to capital, and the influence of demographic shifts, the risks associated with climate change are complex and dynamic.
And investors want straight talk in disclosures to the public. The threat that climate change and climate-related risks pose to the stability of whole industries has been gaining prominence steadily. For example, financial institutions increasingly are expected to use stress testing to evaluate how climate-related risks impact their business across all sectors and geographical locations.

From a capital planning standpoint, the obvious implication is the impact on maintenance schedules. More companies are factoring climate risk assessments into their capital improvement planning process by evaluating whether existing physical assets can withstand current and future stresses. This assessment, in turn, shapes their plans for renovating, relocating or replacing critical assets. Of necessity, the assessment must consider infrastructure design with the objective of retaining the asset’s utility over its expected useful life.

Risk Management

Does the maturity of a company matter in how ERM is approached (i.e., start-up vs. established control environment)?

Response: Yes. ERM is a matter of resources and focus, as there is no one-size-fits-all approach. Start-ups as well as some small and mid-size companies may implement their ERM capabilities differently than large companies, and the approach is likely to be less formal and less structured in smaller entities than in larger ones. For example, for start-ups and smaller organisations, the oversight structure can be as simple as the executive committee exercising its managerial prerogative to identify and prioritise risks, assign risk owners, analyse gaps, approve action plans and monitor results. For larger and more complex organisations, a chief risk officer and/or a risk management executive committee may be needed under the auspices of the executive team.

What risks do you think are especially pressing for governmental agencies?
Response: According to our risk survey, governmental agencies indicated their top five risk concerns were:

- Regulatory changes and scrutiny affecting how processes are designed and services are delivered
- Resistance to change may restrict the agency from making necessary adjustments to its operations on a timely basis
- The agency’s ability to attract and retain top talent and address succession challenges may limit its ability to sustain operations
- The agency’s approach to managing ongoing demands on or expectations of a significant portion of the workforce to “work remotely” or in a hybrid work environment may negatively impact its ability to retain talent as well as the effectiveness of its operations
- Economic conditions (including inflationary pressures) may impact operations

Do you see operational risk decreasing and credit risk increasing in 2023?

Response: While all companies are different, in general we see mixed signals on operational risk. We expect supply chains to work themselves out, alleviating the congestion that has plagued many companies. Labor costs are likely to stabilise as inflation is brought under control. Adjustments to remote and hybrid work are expected to continue. The pandemic has transitioned to an endemic state. While these developments may require more time beyond 2023 to achieve some form of equilibrium, they should help reduce the operational risk profile of many companies over the next 12 months. However, other risks remain that significantly impact operational risk, including cybersecurity, data privacy and third-party risks. Few consider cybersecurity risks to be on the decline, as they are a moving target in the face of emerging technologies. Data privacy concerns continue to increase as regulations proliferate all over the world and state by state. Third-party risks are complex and vary by company. Overall, the trend line on operational risks is decidedly mixed.
Credit risk is a different animal, as economists continue to send mixed signals as to whether the economy will fall into a recession. If GDP growth, globally and in the U.S., were to go negative, then credit risk can be expected to increase. Higher sustained interest rates affect all borrowers, and rates are expected by many to remain elevated for a prolonged period. For businesses, credit risk is influenced by access to capital and liquidity and the uncertainty over how much more tightening the Fed will do. For individuals, the erosion of savings to meet the higher costs of living, the impact of inflation on the purchasing power of government stimulus funds and ever-increasing consumer credit card debt are relevant factors. For lenders, changes in underwriting standards can influence credit risk. All these factors are germane to an assessment of whether credit risk is likely to increase, with the big one being the direction the economy is headed.

Looking back, what in our ERM processes caused firms to miss the supply chain issues driven by the pandemic? What may be missing in our approach? How do you see the risk arising from dependence on a few suppliers, which can lead to shortages of inputs in the face of geopolitical events or pandemics?

Response: The supply chain disruptions we have experienced are not entirely new. Since the 1990s, globalisation, outsourcing, increased cross-border sourcing, information technology and shared services centers have encouraged many organisations to consolidate facilities and streamline processes to eliminate nonessential and redundant activities as well as to focus and automate the remaining activities. The successive waves of total quality management, process re-engineering and Six Sigma process improvements created a bias for strong supplier relationships and tight coupling within supply chains and distribution channels, with the objective of driving costs out of processes and products while adhering to quality standards.
As a result, the choice between, on the one hand, cutting inventory levels to near zero, relying on a sole-source or single-source strategic supplier in a far-off country offering low-cost-provider advantages, and adopting just-in-time manufacturing and delivery techniques, and, on the other hand, holding higher inventory levels, qualifying multiple suppliers and building other buffers into the process often came down to trade-off decisions in which quality, time and cost considerations won out over business continuity considerations. Over recent years, exposure to supply chain disruption has received significant attention in the market. The disruption resulting from the Japanese tsunami and the Thailand floods over the past 10 years clearly illustrated that the above trade-off decisions are not without risk. So have other events, such as Hurricanes Katrina and Sandy. Thus, we believe that most companies were aware of the risks they were taking, even though many may not have taken them seriously enough. But the effects of logistics complications within and across international borders and China’s COVID lockdown policy during the pandemic took the supply chain disruption issue to a whole new level. Russia’s war in Ukraine, straining energy sources in Europe and threatening global food supplies, added an exclamation point. Now the conversation about near-shoring, reshoring, onshoring and friend-shoring has become commonplace in C-suites and boardrooms. More companies are using scenario analysis and tabletop crisis management exercises to assess what they would do if any key component of the value chain – such as a major supplier – were taken away through an unexpected event.

Which top risk trends do you anticipate increasing in the coming years?

Response: Our risk survey addresses this question. The long-term outlook for risks indicates an overarching intersection of disruptive innovation, advancing technologies and talent challenges.
Risks relating to emerging innovations altering the nature of work, and to the ability of organisations to attract, afford, develop and retain the skills needed to embrace change, are expected to play out over the coming years amid shifting labor markets and workplace dynamics. Sustaining skills currency will be a challenge for many companies. Looking out 10 years, the five largest increases in the level of risk according to our survey are risks related to:

- Geopolitical shifts and regional conflicts
- Activist shareholder risk triggered by performance shortfalls (including lack of progress on ESG targets and expectations)
- Global trade and changing assumptions underlying globalisation
- Adjusting to a remote and hybrid work environment
- Uncertainty surrounding the influence and continued tenure of key global leaders and political extremism

There are also several important trends as we look to the future. Markets are transitioning on multiple fronts – from globalisation to regionalisation, fossil fuels to renewables, dysfunctional to reliable supply chains, rising to stable labor costs, persistent to target inflation, and a tight to a neutral or an easing monetary policy. The effect of these and other trends around proliferating technological advances, increased bandwidth and accessibility, and evolving customer preferences and demographic shifts adds “moving parts” to the overall risk landscape, contributing to uncertainty regarding long-term growth projections and current business models. With some anticipating a possible global recession on the horizon, the question arises as to the duration and severity of that scenario, i.e., a “hard” or “soft” landing.

In summary, the world is changing now, with more change to come. Rapid change forces two business realities:

- Companies will need to focus on innovation and transformation so they can seize market opportunities and address emerging risks to retain their relevance in the marketplace.
- These companies will have to compete for the talent needed to formulate and execute the differentiating strategies that embrace inevitable change effectively.

Needless to say, companies choosing to cling to the status quo will likely be left behind. The above risks and trends sustain the ongoing narrative that the 2020s is indeed a decade of disruption.

How should a small nonprofit start a risk management programme on a small budget?

Response: An enterprisewide risk assessment (ERA) to identify and prioritise the critical risks, using the nonprofit’s most important business objectives as the context, is a useful way to begin. An effective ERA facilitates informed decisions as to where to focus. Possible starting points might include specific problem areas based on past experience; compliance with applicable laws, regulations and internal policies; or the information supporting the nonprofit’s most important decision-making processes.

To what extent are boards reviewing risk registers and making changes, and if so, what are the changes directors are asking for?

Response: In general, boards do not review risk registers. Risk registers are too granular for directors. They expect a more global view of risk. Globally, our survey results indicate that directors have several significant concerns that are driving their inquiries and requests of management: people-related issues that impact execution of the business model, including inability to attract and retain top talent, succession challenges, and adjusting to a remote or hybrid work environment; cultural dysfunction involving organisational resistance to change and lack of resiliency in managing an unexpected crisis; issues related to the economy; uncertainty over the reliability of the organisation’s core supply chain; and the impact of data privacy regulations on the business model. U.S.
directors also rate political uncertainty, inability to access sufficient capital and liquidity, third-party risks, the ever-present specter of cyber threats, and the risk of regulatory changes affecting the business as significant concerns.

What is your perspective on the interconnection of the top risks and how that is evolving?

Response: The global risk picture encompasses highly interrelated risks. Looking out 12 months, myriad risks fall under the broader people and culture theme. Looking out 10 years, several risks fall under the technology theme. Resistance to change is both a near- and long-term issue, and it has people and culture and technology underpinnings. New technologies require new skills and the talent necessary to adjust business models and implement digital strategies. Talented people and culture are related, as the latter attracts the former and, effectively led, the best and brightest engender innovative cultures that can compete and win in the digital age. Rising labor costs and geopolitical tensions are contributing to higher inflation and, correspondingly, to tightening policies of central banks. Advances in technology create fresh cybersecurity risks. We could go on, but the message is that we live in a highly connected world. And the world is changing as it transitions from globalisation to regionalisation, fossil fuels to renewables, dysfunctional to reliable supply chains, human labor to digital labor for selected job functions, rising to stable labor costs, persistent to target inflation, and a tight to a neutral or an easing monetary policy. The effects of these and other trends add “moving parts” to the overall picture, altering how risks interact with each other.

What level of detail do you go into when sharing risk specific to IT/cybersecurity with the business? Is there a best method for measuring cyber-related risk?

Response: We recommend using the FAIR (Factor Analysis of Information Risk) methodology to convey and measure cyber risk.
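To make the recommendation concrete, here is an added example (not code from the Protiviti page) of a minimal FAIR-style Monte Carlo estimate in Python: one loss scenario, Loss Event Frequency modelled as Threat Event Frequency times Vulnerability, Loss Magnitude per event drawn from a min/most-likely/max range, and a check of the resulting annual loss distribution against a risk-tolerance threshold. The scenario name, all input ranges, the tolerance threshold and the use of triangular distributions in place of the PERT distributions FAIR tooling usually fits to calibrated estimates are assumptions made for the illustration.

```python
"""
FAIR-style Monte Carlo estimate of annualised loss exposure for one cyber risk
scenario. Added illustration, not code from the Protiviti page. All input
ranges are constructed for the example; a real analysis would use calibrated
estimates from subject-matter experts and loss data.
"""
import math
import random
from dataclasses import dataclass


@dataclass
class Scenario:
    """Min / most-likely / max inputs for the two FAIR branches."""
    name: str
    tef_min: float          # Threat Event Frequency: attempts per year
    tef_mode: float
    tef_max: float
    vulnerability: float    # P(threat event becomes a loss event), 0..1
    lm_min: float           # Loss Magnitude per loss event (currency units)
    lm_mode: float
    lm_max: float


def poisson(rate: float, rng: random.Random) -> int:
    """Number of loss events in one year for an average rate (Knuth's method)."""
    if rate <= 0:
        return 0
    threshold = math.exp(-rate)
    count, product = 0, rng.random()
    while product > threshold:
        count += 1
        product *= rng.random()
    return count


def simulate_annual_loss(s: Scenario, years: int = 10_000, seed: int = 7) -> dict:
    """Simulate `years` independent years and summarise the annual loss distribution."""
    rng = random.Random(seed)
    losses = []
    for _ in range(years):
        tef = rng.triangular(s.tef_min, s.tef_max, s.tef_mode)   # args: (low, high, mode)
        events = poisson(tef * s.vulnerability, rng)             # LEF = TEF x Vulnerability
        losses.append(sum(rng.triangular(s.lm_min, s.lm_max, s.lm_mode)
                          for _ in range(events)))
    losses.sort()

    def pct(p: float) -> float:
        return losses[min(len(losses) - 1, int(p * len(losses)))]

    return {"mean": sum(losses) / len(losses), "p50": pct(0.5),
            "p90": pct(0.9), "p95": pct(0.95), "max": losses[-1], "losses": losses}


def within_tolerance(losses, threshold: float, max_probability: float):
    """Risk-tolerance check: is P(annual loss > threshold) within the tolerated
    probability? Returns (ok, observed_probability)."""
    exceed = sum(1 for x in losses if x > threshold) / len(losses)
    return exceed <= max_probability, exceed


# Constructed scenario (assumption): credential stuffing against a customer portal.
PORTAL_ATO = Scenario("Customer portal account takeover",
                      tef_min=1, tef_mode=3, tef_max=6, vulnerability=0.5,
                      lm_min=10_000, lm_mode=50_000, lm_max=100_000)

if __name__ == "__main__":
    result = simulate_annual_loss(PORTAL_ATO)
    ok, prob = within_tolerance(result["losses"], threshold=250_000, max_probability=0.05)
    print(f"{PORTAL_ATO.name}: mean {result['mean']:,.0f}  p50 {result['p50']:,.0f}  "
          f"p90 {result['p90']:,.0f}  p95 {result['p95']:,.0f}")
    print(f"P(annual loss > 250,000) = {prob:.1%} -> {'within' if ok else 'exceeds'} tolerance")
```

The numbers the business sees are the last two lines: an expected annual loss with its tail percentiles, and whether the chance of exceeding the tolerance threshold is acceptable. The per-control detail that produced the vulnerability estimate stays with the security team.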
FAIR allows an organisation to identify and quantify information risk in financial terms, aligned with the organisation’s risk appetite and risk tolerance. Because the output is a loss distribution (for example, the probable annualised loss for a scenario and the likelihood of exceeding a given threshold) rather than a technical finding, it can be shared with the business at the level of loss scenarios and tolerance thresholds, leaving control-level detail to the security team. This quantification of cyber risk creates a shared understanding of potential impacts to the organisation and supports alignment on risk mitigation/reduction initiatives.

What data protection solutions should we consider due to the rollout of quantum computing breaking every current encryption method?

Response: One clarification first: a cryptographically relevant quantum computer would break today’s public-key algorithms (RSA, Diffie-Hellman and elliptic-curve schemes, via Shor’s algorithm) but would only weaken symmetric ciphers and hash functions (via Grover’s algorithm), which remain usable with larger keys and outputs such as AES-256. The National Institute of Standards and Technology (NIST) is expected to publish new post-quantum cryptographic (PQC) standards in 2024, and the White House has already released a memorandum (see www.whitehouse.gov/briefing-room/statements-releases/2022/05/04/national-security-memorandum-on-promoting-united-states-leadership-in-quantum-computing-while-mitigating-risks-to-vulnerable-cryptographic-systems/) articulating how federal agencies will need to respond. We expect regulators to follow suit with respect to the private sector. The most important first step is to perform a crypto-agility assessment, which includes an inventory of the ciphers, key lengths and protocols in use and where they are used; identification of the “crown jewels” in the organisation that will need PQC migration early, particularly data that must stay confidential long enough that an adversary could record it today and decrypt it once a quantum computer is available; and an analysis of how third-party hardware and software may affect the future security of the organisation if their vendors do not also provide a path to meeting PQC standards.

Miscellaneous

Macro labor trends are an ongoing risk. Are there moves underway to better educate U.S. students for the jobs that need analytics and engineering expertise?

Response: Yes, there has been a steady increase in and focus on STEM and/or STEAM programmes throughout the United States; however, the demand for this type of talent will likely be higher than the supply for at least the next decade.

Should companies expect to do more training than in prior decades?
Response: It depends on your industry and the skillsets you’re looking for, but generally, yes – especially with the increased usage of newer technologies like RPA and AI. Both require new skillsets, including roles organisations likely haven’t thought about (e.g., an AI bias auditor).

How long will the conflict in Ukraine likely continue, and what influence will this conflict likely have on global energy prices and supply chain reliability?

Response: No one knows how long the war will continue. Putin has no way out, and the West and Ukraine have not shown any signs of giving him one. Ukraine shows no willingness to grant concessions on Russia’s gains in the east. Russia appears to be preparing for a major offensive. Ukraine is receiving new weapons from the West to pursue its offensive and defensive aims as well. Thus, all signs as of now point to a continuing conflict with no end in sight – an assessment that could change quickly as conditions on the ground change. Europe has benefited from a relatively mild winter. After spiking to $120 a barrel, oil prices have fallen sharply due to declining demand. Gas prices at the pump are much higher globally than they were a year ago. Many believe that if Russian oil goes off the market for many countries, prices will rise significantly. As for supply chains, the war has driven increases in the prices of fertilizers and food products in addition to oil and gas. The war also resulted in several ports being shut down, contributing to higher ocean shipping costs. Ships have been rerouted, causing congestion and leading to delays in cargo flows, which made an already congested global supply chain even worse. The West’s sanctions and restrictions targeting Russia have led to a shift from rail transport to ocean transport, creating still more pressure through increased container scarcity, reduced warehousing space availability and port congestion.
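Returning to the crypto-agility assessment recommended in the post-quantum cryptography answer above, the following is an added example (not code from the Protiviti page) of how the cipher inventory it produces can be triaged in Python: each inventoried use of cryptography is classified by algorithm family, then prioritised by whether the protected data or signature must stay trustworthy beyond the point at which a quantum computer could arrive, with crown-jewel status and third-party dependence raising or annotating the priority. The inventory entries, the 10-year quantum horizon and the per-system migration times are constructed assumptions; the classification rules reflect the well-known results that Shor’s algorithm breaks RSA, finite-field and elliptic-curve public-key schemes, while Grover’s algorithm only halves the effective strength of symmetric keys and hash outputs.

```python
"""
First-pass triage of a cipher inventory from a crypto-agility assessment.
Added illustration, not code from the Protiviti page. The inventory, the
quantum horizon and the migration-time figures are constructed assumptions.
"""
from dataclasses import dataclass

# Algorithm families. Names are upper-cased before lookup.
SHOR_BROKEN = {"RSA", "DSA", "DH", "ECDH", "ECDSA", "EDDSA", "X25519", "ED25519"}
SYMMETRIC = {"AES", "CHACHA20", "CAMELLIA"}
HASHES = {"SHA-256", "SHA-384", "SHA-512", "SHA3-256", "SHA3-512", "BLAKE2B"}
CLASSICALLY_WEAK = {"MD5", "SHA-1", "DES", "3DES", "RC4"}
# NIST's July 2022 PQC selections and the standard names later derived from them.
POST_QUANTUM = {"KYBER", "ML-KEM", "DILITHIUM", "ML-DSA", "SPHINCS+", "SLH-DSA", "FALCON"}


@dataclass
class Asset:
    system: str
    algorithm: str
    bits: int                   # key size, or digest size for hashes
    shelf_life_years: float     # how long the data/signature must stay trustworthy
    crown_jewel: bool
    third_party: bool           # a vendor controls the implementation
    migration_years: float = 2.0   # assumed effort to migrate this system


def classify(asset: Asset) -> str:
    alg = asset.algorithm.upper()
    if alg in POST_QUANTUM:
        return "pq-ready"
    if alg in CLASSICALLY_WEAK:
        return "classically-weak"
    if alg in SHOR_BROKEN:
        return "quantum-broken"
    if alg in SYMMETRIC or alg in HASHES:
        # Grover halves effective strength: 256-bit keys/digests keep ~128 bits.
        return "adequate" if asset.bits >= 256 else "reduced-margin"
    return "review"


def outlives_horizon(asset: Asset, horizon_years: float) -> bool:
    """Mosca's inequality: if shelf life + migration time exceeds the time until a
    capable quantum computer, traffic recorded today can be decrypted later."""
    return asset.shelf_life_years + asset.migration_years > horizon_years


def prioritise(assets, horizon_years: float = 10.0):
    """Return [(priority, reason, asset)] ordered most urgent first (1 = act now)."""
    ranked = []
    for a in assets:
        cls = classify(a)
        if cls == "classically-weak":
            prio, reason = 1, "already broken classically; replace regardless of PQC timeline"
        elif cls == "quantum-broken" and outlives_horizon(a, horizon_years):
            prio = 1 if a.crown_jewel else 2
            reason = "public-key algorithm protecting data that outlives the quantum horizon"
        elif cls == "quantum-broken":
            prio, reason = 3, "public-key algorithm; migrate before the quantum horizon"
        elif cls == "review":
            prio, reason = 3, "unrecognised algorithm; confirm family before classifying"
        elif cls == "reduced-margin":
            prio, reason = 4, "symmetric/hash strength halved by Grover; move to 256-bit"
        else:
            prio, reason = 5, "no PQC action needed"
        if a.third_party and prio <= 3:
            reason += "; depends on vendor PQC roadmap"
        ranked.append((prio, reason, a))
    ranked.sort(key=lambda r: (r[0], r[2].system))
    return ranked


# Constructed inventory (assumption), as an assessment would record it.
INVENTORY = [
    Asset("HR records archive (RSA-wrapped keys)", "RSA", 2048, 25, True, False),
    Asset("Public website TLS key exchange", "ECDH", 256, 0.1, False, True),
    Asset("Backup encryption", "AES", 256, 25, True, False),
    Asset("Legacy VPN appliance", "AES", 128, 1, False, True),
    Asset("Code-signing HSM", "ECDSA", 256, 15, True, True),
    Asset("Log integrity hashes", "SHA-256", 256, 7, False, False),
]

if __name__ == "__main__":
    for prio, reason, a in prioritise(INVENTORY):
        print(f"P{prio}  {a.system:<40} {a.algorithm}-{a.bits}: {reason}")
```

Note what the ordering says: the long-lived RSA-protected archive and the code-signing keys come first even though the public website also uses a quantum-vulnerable key exchange, because a TLS session key that matters for weeks is not worth recording today. The third-party flag does not change the priority, but it marks the systems whose fix depends on a vendor roadmap the organisation does not control.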
What role, if any, do regulators at the Office of the Comptroller of the Currency play with respect to foreign corporations doing business in the United States?

Response: The Office of the Comptroller of the Currency (OCC) has licensing and supervisory authority over foreign banks operating in the United States that opt for a federal license. This includes federally chartered commercial banks as well as federal branches and agencies of foreign banks. These organisations are subject to the principle of “national treatment,” which means that they essentially have the same powers and are subject to the same requirements as their domestic counterparts.

About the Executive Perspectives on Top Risks Survey

We surveyed 1,304 board members and executives across a number of industries and from around the globe, asking them to assess the impact of 38 unique risks on their organisation over the next 12 months and over the next decade. Our survey was conducted online in September and October 2022 to capture perspectives on the minds of executives as they peered into 2023 and 10 years out. Respondents rated the impact of each risk on their organisation using a 10-point scale, where 1 reflects “No Impact at All” and 10 reflects “Extensive Impact.” For each of the 38 risks, we computed the average score reported by all respondents and rank-ordered the risks from highest to lowest impact. Read our Executive Perspectives on Top Risks Survey for 2023 and 2032 executive summary and full report at www.protiviti.com/toprisks or https://erm.ncsu.edu.