Talent, culture, cybersecurity and data privacy represent top risk issues for public sector organizations

The level of uncertainty in today’s global marketplace and the velocity of change continue to produce a multitude of potential risks that can disrupt an organization’s business model and strategy on very short notice. Unfolding events in Eastern Europe, changes in government leadership in several countries around the globe, escalating inflation, rising interest rates, ever-present cyber threats, competition for talent and specialized skill sets, continued disruptions in global supply chains, rapidly developing technologies … these represent just a sampling of the complex web of drivers of risks that may threaten an organization’s achievement of its objectives. Uncertainty and risk are here to stay. Keeping abreast of emerging risk issues and market opportunities is critical to improving organizational resilience.

The need for robust, strategic approaches to anticipating and managing risks cannot be overemphasized. Boards of directors and executive management teams who choose to manage risks on a reactive basis are likely to be left behind those who embrace the reality that risk and return are interconnected and recognize the benefits of proactively managing risks through a strategic lens. Those leaders who understand how insights about emerging risks can be used to navigate the world of uncertainty nimbly increase their organization’s ability to pivot when the unexpected occurs. That can translate into sustainable competitive advantage.

In this 11th annual survey, Protiviti and NC State University’s ERM Initiative report on the top risks on the minds of global boards of directors and executives in 2023 and over the next 10 years, into 2032. Our respondent group, which includes 1,304 board members and C-suite executives from around the world, provided their perspectives about the potential impact over the next 12 months and next decade of 38 risk issues across these three dimensions:[1]

  • Macroeconomic risks likely to affect their organization’s growth opportunities
  • Strategic risks the organization faces that may affect the validity of its strategy for pursuing growth opportunities
  • Operational risks that might affect key operations of the organization in executing its strategy

Commentary – Public Sector Industry Group

In assessing the global risk landscape for public sector organizations in 2023 and 2032, familiar themes emerge: talent and the future of work, culture, cyber threats and data privacy.

The top risk issue in the public sector for 2023 is succession challenges and the ability to attract and retain top talent, while the second-ranked risk issue for these organizations is anticipated increases in the cost of labor. These are ongoing concerns for public sector organizations, as they compete with the private sector for talent and skills, particularly those required to drive innovation programs and technology transformation.

Interestingly, economic conditions potentially restricting growth opportunities are ranked in the top five risk issues for public sector organizations for 2023, even though federal, state and local public sector entities tend to be less affected by economic cycles. That said, the coming year appears to present potential challenges that public sector leaders do not see 10 years out, as economic conditions are not in the top 10 list of risks for this period.

Public sector leaders also expressed concerns about uncertainty in core supply chain ecosystems as well as organizational resilience and agility to manage an unexpected crisis. Because public sector agencies purchase large quantities of products and services, these understandably are significant issues. Supply chain and resilience challenges are of particular concern as they relate to IT and operational technology hardware and software.

Beyond these challenges, prevalent themes in the top risks for public sector organizations in the coming year as well as the next decade include cybersecurity, privacy and third-party risk. There are a number of important factors at play here that are driving these concerns. First, in the United States, the U.S. Government Accountability Office (GAO), in its latest cybersecurity guidance, notes that the federal government needs to elevate the nation's cybersecurity as the country faces grave and rapidly evolving threats.

Although the federal government has made some improvements, it needs to move with a greater sense of urgency commensurate with the rapidly evolving and grave threats to the country. Specific recommendations include the following:

  • Establish a comprehensive cybersecurity strategy and perform effective oversight. In September 2018, the U.S. administration delivered a national cybersecurity strategy, followed by an implementation plan in June 2019 that details the executive branch's approach to managing the nation's cybersecurity. In September 2020, GAO reported that the national strategy and implementation plan addressed some, but not all, of the desirable characteristics of national strategies, such as goals and resources needed. The current administration needs to either update the existing strategy and plan or develop a new comprehensive strategy that addresses those characteristics. GAO also highlighted the need to define a central role for leading the implementation of the national strategy. In January 2021, the U.S. Congress established the Office of the National Cyber Director within the Executive Office of the President. Although establishing this position is an essential step forward, critical risks remain within supply chains, workforce management and emerging technologies. For example, in December 2020, GAO reported that none of the 23 U.S. government agencies in its review had fully implemented key foundational practices for managing information and communications technology supply chains.
  • Secure federal systems and information. The U.S. government has made some progress in securing systems. Nevertheless, federal agencies continue to have numerous cybersecurity weaknesses, due in large part to ineffective information security programs. Further, cyber incidents increasingly are posing a threat to government and private sector entities. The gravity of the threat was reinforced by the December 2020 discovery of a cyberattack that has had widespread impact on government agencies, critical infrastructure and the private sector. In 2019, GAO reported that most of the 16 agencies reviewed had incident response processes with key shortcomings, thereby limiting their ability to minimize damage from attacks.
  • Protect cyber critical infrastructure. Critical infrastructure in the United States involves both public and private systems vital to national security. Since 2010, GAO has made nearly 80 recommendations to enhance infrastructure cybersecurity; for example, GAO recommended that agencies better measure the adoption of the National Institute of Standards and Technology (NIST) framework of voluntary cyber standards and correct sector-specific weaknesses. However, most of these recommendations (nearly 50) have not been implemented. As a result, the risks of unprotected infrastructures being harmed are heightened. Without question, this is a global challenge. In Australia, for example, the Security of Critical Infrastructure Act 2018 requires owners and operators of critical infrastructure to take steps to safeguard vital assets. The Act subsequently was amended to broaden the scope of industry sectors, through a combination of The Security Legislation Amendment (Critical Infrastructure) Act 2021 and The Security Legislation Amendment (Critical Infrastructure Protection) Act 2022. These two legislative reforms form the Commonwealth framework for critical infrastructure protection, as well as legislated last resort powers in the event of a catastrophic cyber security incident.
  • Protect privacy and sensitive data. The U.S. federal government and private sector have struggled to protect privacy and sensitive data. Advances in technology have made it easy to collect information about individuals and ubiquitous internet connectivity has facilitated sophisticated tracking of individuals and their activities. The vast number of individuals affected by various data breaches has underscored concerns that personally identifiable information is not being protected adequately. GAO's reviews of agency practices to protect sensitive data have identified weaknesses and have resulted in numerous recommendations for agencies such as the U.S. Department of Housing and Urban Development, U.S. Department of Education and U.S. Internal Revenue Service.

About the Executive Perspectives on Top Risks Survey

We surveyed 1,304 board members and executives across a number of industries and from around the globe, asking them to assess the impact of 38 unique risks on their organization over the next 12 months and over the next decade. Our survey was conducted online in September and October 2022 to capture perspectives on the minds of executives as they peered into 2023 and 10 years out.

Respondents rated the impact of each risk on their organization using a 10-point scale, where 1 reflects “No Impact at All” and 10 reflects “Extensive Impact.” For each of the 38 risks, we computed the average score reported by all respondents and rank-ordered the risks from highest to lowest impact.

Read our Executive Perspectives on Top Risks Survey for 2023 and 2032 executive summary and full report at www.protiviti.com/toprisks or https://erm.ncsu.edu.


1. Each respondent rated 38 individual risk issues using a 10-point scale, where a score of 1 reflects “No Impact at All” and a score of 10 reflects “Extensive Impact” to their organization. For each of the 38 risk issues, we computed the average score reported by all respondents.
