Some risks haven’t changed since the beginning of time. Others that never existed may materialize before you finish reading this sentence. It is difficult — perhaps even disingenuous — to call any list of threats the “greatest” risks. There is just too much room for interpretation and all organizations have different priorities.
The greatest exposure for energy moguls like the Koch brothers may not even be on Facebook magnate Mark Zuckerberg’s radar. But for 2012, the following seven risks are the concerns that every company needs to consider. These are the issues that, if they don’t keep you up at night, might bring down your business.
1. Economic Stagnation Continues to Strain Budgets, Hurt Earnings
The eurozone is a mess that won’t be cleaned up soon. As this has become increasingly clear, many economists have downgraded the region’s growth potential for the upcoming year, leaving the rest of the world vulnerable to the fallout of a stagnant EU. Austerity has become the go-to policy for many nations, but the uncertainty-driven, penny-pinching sentiment has trickled down to Europe’s business community and its masses. Consumer spending and industry confidence both tumbled at the end of 2011, and most have become resigned to just hoping for no growth in the months ahead.
“This has recession written all over it, I think,” said Martin van Vliet, a eurozone economist at ING, to reporters in early January. “The European Commission’s economic confidence indicator slipped to its lowest level since November 2009. There was a sharp and unexpected drop in retail sales, confirming that the escalating debt crisis, the prospect of a recession and the fiscal squeeze is taking its toll on consumer spending.”
By comparison, the U.S. economic outlook looks positively rosy. But it remains precarious with falling, yet still-troubling, unemployment figures. Some economists continue to fear that a double-dip recession is ahead. That may be overstating the dim prospects for the U.S. economy in 2012, but very few economists have projected anything more than modest growth.
For companies, this means continued difficulty in retail, housing, construction and virtually everywhere else. Revenue will remain difficult to find in most sectors, and some will forge ahead with more of the expense slashing that has plagued the past three years, according to the Corporate Executive Board (CEB) in its list of the largest business risks for 2012. “Companies are again looking to cost-cutting measures to maintain margins, increasing the risk of fraud, poor product and service quality, unwanted turnover of high-performing staff, and breakdowns in processes and internal controls,” states the CEB report.
The bottom line seems to be that companies cannot hope a wave of economic recovery will buoy all ships. Meeting growth projections will still be a challenge, and the specter of an EU fallout that is even greater than expected remains a potential economic catastrophe on the horizon.
2. Advanced Persistent Threats Become Your Greatest Cyber-Risk
By now, all risk managers should be acutely aware of the vast number of cyberthreats facing their organizations. Viruses, botnets and other malware should be terms every risk professional is familiar with. But there is now something that may exploit an even more dramatic vulnerability: advanced persistent threats (APT).
APT attacks aim to “extract IP without a lot of noise,” said Jose Granado, leader of Ernst & Young’s U.S. information security services. They have a standard life cycle in which attackers start with intelligence gathering on their victim. This intel may be acquired through social media, other IT architecture or more traditional deceit (e.g., infiltrating an office or dumpster diving). Then, the cybercriminals develop some piece of malware specific to the target that allows them to establish command-and-control servers (virtually, via software) within the company. Once all of this is in place, they elevate access privileges so that they have free rein within the system to extract any information they come across.
If you are just learning about this threat now, it might be too late. Even before the end of 2011, Granado had seen up to 40 advanced persistent threat attacks at “large” companies. “We’ve seen an explosion of client requests for help where they were a victim of an APT,” he said. When it comes to requests from CEOs and CIOs for informative briefings on this threat, Granado has had “more in the last 12 months than I’ve had in, well, ever.”
And those are just the ones he has worked on directly. Another E&Y cyber-risk expert, George (Chip) Tsantes, balked when asked if the number of known affected organizations — those he has advised and the many others reported in the press — represented the bulk of those that have actually occurred. “That’s minuscule. Are you kidding?” said Tsantes. “I tell clients that everyone has data leakage.”
We have heard about Operation Shady RAT (an acronym for remote access tool), an attack that exploited information at more than 72 organizations worldwide, including 49 in the United States. The targets included military institutions, defense contractors, corporations and the International Olympic Committee. If the names of those victimized aren’t enough to scare you, try this: the attack began in 2006 and was reportedly first detected in 2009 at some locations. Others remained clueless until early 2011.
Public reports have detailed similar extended, persistent attacks, many of which are initiated in China, Russia and other emerging nations. If you wait for an interested third party to discover an attack for you, however, the damage has already been done.
“I tell CEOs and CIOs that their mind-set needs to change,” said Granado. “Instead of trying to build the biggest wall, you need to presume that something has already infected your system.”
This makes protection all about detection. Virtually every system can be exploited. Even the Pentagon has been hacked, and your security certainly doesn’t compare with that of the Defense Department. There is really only one solution: constant monitoring and proven methods that help recognize when an illicit presence is lurking in your network.
“The human being is the perimeter today,” said Granado. “It’s not the firewall … It’s about the personal behavior, not the systems.”
Until this mind-set switch occurs in corporate IT security, those behind these advanced persistent threat attacks will continue to steal data, intellectual property and even trade secrets. It’s time to better train personnel to understand the nature of the threat as opposed to simply buying expensive, supposedly bullet-proof technology that will not necessarily help.
“The misallocation of resources is a large reason that many companies have such a room for improvement,” said Tsantes. “Rather than fighting yesterday’s war — that is, building bigger firewalls and hiring personnel to constantly patch systems — [organizations] can change their mind-set and push their IT investments into better security. It isn’t always about more security. It’s about better security. And security more focused on tomorrow’s threats — or at least today’s — as opposed to those of yesterday.”
3. Supply Chain Vulnerability
In 2007, Jeff Jarvis, a journalist, author and professor, coined a phrase that has been invaluable to writers like myself operating in the digital age: “Do what you do best, link to the rest.” He is saying that there is no need to re-invent the wheel. Make your reputation — and revenue — on your strengths and rely on others for everything else.
The business world has embraced a similar sentiment in recent decades. The outsourcing revolution has won, and nearly all of today’s most efficient companies rely on a staggering number of third parties, whether they be foreign or domestic vendors. If these partners fail, or if something arises that even temporarily prevents them from providing the goods or services on which your core business relies, you are out of luck. And perhaps out of business.
Look at the fallout after the Japan earthquake. Toshiba and Sony, which make up about 19% of the cell phone image sensor market, were forced to shutter plants, leaving the cell phone producers waiting on much-needed parts. Japanese automakers, especially Honda and Nissan, saw production fall 40% in the second quarter even though many of their domestic manufacturing locations were closed for a shorter time frame than initially expected. One major reason was supplier related. Plants in countries like the United Kingdom couldn’t assemble vehicles for one simple reason: they were waiting on parts. One result was an increased market share for Korean carmakers, which were less affected by the disaster.
While the earthquake and tsunami were an unprecedented disaster, there is a greater supply chain risk on the horizon: a China catastrophe. While some companies depend on Japan, most rely on the Chinese manufacturing industry at least indirectly. According to a recent report by insurer FM Global, 86% of companies’ supply chains are more reliant on China than Japan, meaning that the effects of an earthquake, typhoon or flooding in a key region could be monumental.
“A natural disaster-related supply chain disruption in China would have far-reaching and long-lasting negative economic impact,” said Vinod Singhal, a professor at the Georgia Institute of Technology’s College of Management and contributor to FM Global’s supply chain risk study. “It would slow down the global economy because China is not only a major exporter of goods, but also a major importer of goods. It would cause shortages in many consumer and industrial products that could lead to inflation and devastate the share price of companies.”
Fortunately, the Japan quake did serve as a wake-up call. Seventy percent of companies are now looking at alternative sourcing options, and 65% have considered partnering with their Chinese suppliers to help mitigate risk. “Considering” is not doing, mind you, so the risk will likely remain great for the foreseeable future. You can’t just turn around a battleship midstream, whether it comes to the largest exposure (China) or the other preparedness gaps that exist domestically and in other foreign markets for many companies. But an acknowledgement of the problem and a desire to mitigate it (at least rhetorically) is a start.
What this all tells us is that if you haven’t yet seriously re-evaluated your third parties and what you would do if those you buy from and sell to disappear tomorrow, you remain highly vulnerable. In 2012, there is seemingly no limit to the number — or scope — of unexpected disruptions that could knock your business off line.
4. The Next Bubble
The housing bubble is over. It collapsed spectacularly, and there is now such a surplus of homes in the United States that the nation should be safe from a repeat of this fiasco for some time. But there is always some bubble out there, lurking, ready to devastate some sector of the economy. Determining what it might be, however, depends on who you talk to.
Shaky stock performance for some tech firms following high-profile IPOs has given further credence to those claiming that the tech sector valuation is artificially high. The daily deal website Groupon went public on November 7 with a sky-high price near $30 per share. But things soured quickly: the bottom fell out within a week as the stock price was cut in half. Shares have rallied and fallen again as analysts have disagreed over the company’s long-term future, some calling it an overheated Ponzi scheme while others see a solid company trying to find its footing in the market.
Other tech companies, like the game maker Zynga and the online music provider Pandora, have seen similar stock volatility. The stories of these three marquee firms — after years of proliferating high-growth social media companies and other Silicon Valley darlings — have many investors uneasy about how the sector will look a few years from now.
College tuition, and the debt it creates, is another popular bubble candidate. It is easy to see why. The cost of a public, four-year college education rose 8.3% in 2011 compared to 2010, according to the College Board. And in October, total outstanding college loans exceeded $1 trillion for the first time ever, making the total tuition debt in the United States larger than total credit card debt. Moreover, this is more than twice the figure from just five years ago, and there are no signs of slowdown: adjusting for inflation, the $100 billion taken out in loans in 2011 was twice the amount borrowed 10 years ago.
Ultimately, from a corporate risk management perspective, neither of these potential bubbles may be all that meaningful to any individual company. The entire business world would obviously be affected somewhat by a widespread market correction of tech stocks. Runaway government-funded tuition debt could have a generation-long effect on the labor market. And overpriced farm land, commodity inflation or sovereign debt crises could all be major market movers that impact everyone.
But even if any of these candidates do burst soon, none are likely to have the macroeconomic fallout the housing bubble — and the mortgage-backed securities tied up in it — did when it exploded. But just remaining cognizant that bubbles may be currently inflating is an important realization for risk managers.
Chances are that your business is involved — perhaps overly involved — in some current trend. What are the related risks? Does this align with your core area of operations? Or are you over-exposed to risks that are making you vulnerable short term while adding little long-term value?
Of course, figuring out how to leverage emerging opportunities while avoiding fads of the mob mentality is a lot easier said than done. But that is exactly why companies should be hiring risk managers in the first place.
5. Bridging the Talent Gap
Unemployment has fallen but remains alarmingly high. Meanwhile, many companies will tell you that they cannot find qualified employees for the vacancies they are looking to fill. What gives?
Right now, demand for talent exceeds supply, according to Lloyd’s of London’s “Risk Index 2011” report. “We have gone from a credit crunch to a talent crunch, despite the unemployment picture,” said Richard Ward, chief executive of Lloyd’s. “CEOs feel they are lacking people with specific skills, but they are also concerned about having leaders and managers who can help them navigate the difficult global business environment. Extraordinary conditions require exceptional leaders.”
The report showed that nearly half (45%) of U.S. companies rated talent as a high priority over the next year, pushing this risk from 22nd place on Lloyd’s 2009 index to second last year. And retaining and acquiring talent will only become more important in the years and decades ahead as the United States continues its shift toward a service economy. Moreover, with a workforce growing at a much slower rate than in the past, the talent shortage may only get worse.
This talent management process is a two-front war. The first battle is obvious: don’t lose the talented workers you already employ. Doing so requires a focused effort. Highly skilled employees are generally the most ambitious, and they want to see the opportunity to continue and expand their career path quickly. Thus, training and development becomes critical.
A 2010 Deloitte survey also revealed that honesty and transparency are increasingly important. Nearly half (48%) of all employees who were planning to look for new work cited a lack of trust in their employer as the cause.
The second aspect is hiring new talent, and this comes with different — but equally important — challenges. In one respect, talent recruitment should be done in combination with retention; the company must work to identify where gaps exist and create methods to attract skilled employees who can move into new roles. Fortunately, according to a January 2012 Deloitte report on gaining a “talent edge,” companies are beginning to focus on this goal. Of those executives who responded, 40% identified the need for better leadership acceleration as a focus for the upcoming year.
“This focus makes sense as the goal of accelerated leadership development is to create a deep pipeline of potential leaders with capabilities that match each organization’s particular business needs,” states the report. “It also creates a strong talent brand that inspires employees and helps attract high-potential candidates from the outside.”
As with everything, globalization will also play a part. Over the next three years, nearly one-third of executives listed competing for talent globally and in emerging markets as a top talent concern.
While the current labor market makes this issue more important than ever, it really isn’t new. Every company faces a litany of risks from all angles. The fact that they must all be managed simultaneously makes just waking up in the morning a daunting task. But no one risk manager, no one department and not even the best CEO can do it alone. It takes an entire organization to manage risk. An organization is no better than the people that comprise it. Find the right ones — and keep them once you do — and everything else becomes that much easier.
6. Regulatory Unpreparedness
Regulators keep adding to the list of rules that companies must follow, but they never take anything off. Such is the sentiment of the modern compliance officer, who at this point must become a walking encyclopedia of statutes, procedures, forms and deadlines. And while keeping up isn’t getting any easier, it sure is getting more expensive.
It is hard to put an exact price tag on Dodd-Frank, but Republicans on the House Financial Services Committee have claimed that compliance for U.S. firms will take 10.2 million hours per year — a number that exceeds the time it took to build the Empire State Building. The costs may be astronomical.
While this (partisan and perhaps greatly exaggerated) figure is abnormally large, devoting more and more man-hours to compliance isn’t new. A “cost of compliance” survey published by Thomson Reuters in February 2011 found that 71% of global compliance officers planned to allot more time and resources toward meeting regulatory requirements. Twelve months later, little has changed — other than more deadlines closing in.
The dates of many aspects of health care reform, Dodd-Frank and Solvency II are all growing closer by the day, and state privacy mandates are slowly being adopted as federal regulations. To this end, a survey from the tech research firm Ponemon Institute found that complying with data protection mandates costs an average of $3.5 million.
Some of this regulatory increase is rooted in market-driven growth areas, such as globalization and technology. The scope of the Foreign Corrupt Practices Act, for example, was narrower back when it was signed into law in 1977. Fewer companies operated outside U.S. borders 35 years ago so fewer were engaged in potentially illicit behavior. Similarly, the data privacy acts that have so far moved from state legislatures to the federal law books are largely the by-product of modernity, namely online commerce and electronic medical records.
Other regulatory expansion is coming from an increased role of government in the business world. It is hard to feel much remorse for companies in the financial sector, however, since they basically brought this on themselves. The Dodd-Frank Act is a headache, sure. And the rolling deadlines and uncertainty of how the provisions it has spawned will eventually look are a nightmare. In theory, Congress’ goal was to curtail the poor risk-taking practices that the sector recently proved it was unable to manage without harsher oversight.
But regulators have failed to meet the initial deadlines on more than three-fourths of the rules that were supposed to be written by now. The widespread criticism is that this foot-dragging is just lawmakers — many of whom offered only tepid support of the mandates in the first place — trying to help out their Wall Street pals. But if they are merely delaying the inevitable, they are kicking a can down the road and just pushing the compliance burden into another year.
If that is the case, who does it actually help? In the short-term, this may provide some savings. And if the GOP does succeed in getting some of its provisions overturned, it may be cause for celebration on trading room floors worldwide.
A major retreat on Dodd-Frank seems increasingly unlikely, however, and companies should be preparing for at least its core provisions to go forward eventually. Those who simply cross their fingers and watch the calendar flip over without making any progress towards compliance will find that they could have used the extra time to prepare.
7. Not Recognizing the Upside of Risk
It’s 2012. We are two decades removed from Hurricane Andrew, more than a decade after 9/11 and over three years beyond the biggest financial meltdown since the Great Depression. Those are not the types of catastrophes that can be properly managed after they occur. So if you still aren’t handling the “little stuff” with tried-and-true risk management protocols, how can you possibly expect to handle the other threats listed here?
The past decade has provided the world with so much disaster, uncertainty and financial fallout that if you haven’t heard the wake-up call yet, you may not actually be asleep at all. You must be in a coma. In the business climate of today — and tomorrow — the companies that succeed will be the ones that understand how to navigate uncertain times.
Increasingly, it is also vital to not just see unpredictability through a negative lens. Risk can be looked at as any uncertain future outcome that can either improve or worsen a company’s position. That’s all there is to it. If you can only see the downside, that is more a statement on who you are than what risk is.
There are countless examples of how risk can be exploited for financial gain. In a presentation at the 2011 RIMS Canada Conference in Ottawa, an apt anecdote was detailed by Carol Fox, director of strategic and enterprise risk practice for RIMS (which publishes this magazine).
The University of California, Davis has some 1,200 olive trees on its campus. Over the course of the year, the olives they produce grow and then fall to the ground. This creates a slip-and-fall hazard that has led to various — and sometimes large — claims. Facing one major lawsuit for a related accident, the grounds crew and university administrators gathered to determine how they could solve the issue.
Option one was to cut down all the trees. This was the most certain way to eliminate the risk entirely. Ultimately, this was deemed unfeasible due to the negative aesthetic effect it would have. The olive trees had become part of the campus landscape and officials wanted to maintain that.
Option two was to increase the cleaning schedule: ramp up the frequency of rounds to pick the olives up off the ground. This method — mitigation — was seemingly the only realistic means of lowering the university’s exposure. And as is always the case with mitigation, it was an imperfect solution that would require additional costs and still leave some legal risk for the school.
Then, the head of the grounds crew threw out an idea: why not harvest them, make olive oil, put it in a bottle with a U.C. Davis logo, and sell it? He was initially laughed at. Then the others thought about it more. They were planning to spend more money for additional staff to clean up the olives. So why not try the olive oil route that wouldn’t cost that much more?
Ultimately, that is exactly what they did. The goal was just eliminating a trip-and-fall risk but the outcome was an olive oil that won awards at local fairs. Better still, before long, they were turning a profit.
There are countless ways that companies with the right risk mind-set can exploit opportunities to outpace their peers. It isn’t about avoiding risk; it’s about taking the right risks. Too many risk managers spend all their effort trumpeting negativity. So it’s no surprise that this is how they are viewed within their organizations.
For 2012, all risk professionals must learn how to get senior decision makers to listen. That alone is easier said than done, but the next step is even tougher: getting them to actually follow your advice. But it is only then that all the time spent analyzing operations and forecasting the future will pay off.
There are no short cuts, but you must start by showing the value you provide to the organization. The modern risk manager needs to understand that his role, if he wants a seat at the big table, is as much about creating a process for hurdling pitfalls — something that should be old hat by now — as it is about telling the CEO exactly how the company can leap tall buildings in a single bound.