Cyber-attacks and data breaches rank first on the top 10 risks of 2021
Aon’s Global Risk Management Survey reveals that Covid-19 has shone a spotlight on interconnected risks.
With ransomware attacks filling the headlines and the Covid-19 pandemic pushing organisations to embrace remote working and online business models, cybersecurity has become a top-of-mind concern for many business leaders. It should come as no surprise, then, that cyber-attacks and data breaches rank first on the list of the top 10 risks in Aon’s 2021 Global Risk Management Survey.
Looking across the survey, the pandemic had a clear impact on the top concerns facing the top decision-makers Aon surveyed. Perhaps unsurprisingly, pandemic risk/health crises have moved into the top 10 for the first time to seventh place, up from 60th in Aon’s last biennial survey.
Other top 10 risks reflecting the pandemic’s impact include business interruption risks, supply chain exposures and economic risks.
“The impact of the Covid-19 pandemic has demonstrated the interconnected nature of risk. Risk profiles have been and continue to be in a state of flux as businesses and economies emerge from the pandemic,” says Rory Moloney, COO of global enterprise clients at Aon. “As our survey shows, long-tail risks have become an important part of the risk landscape, with ripple effects already seen in heightened awareness of reputation and pandemic risk as well as cyber, which has magnified due to an accelerated reliance on technology, as well as impacts to global economics and trade, as businesses all over the world went into unprecedented lockdowns.”
The 2021 Global Risk Management Survey drew online responses from 2,344 risk decision-makers from 16 industrial sectors, representing small, medium and large-sized companies across 60 countries. The report details the leading risks and provides guidance on addressing them.
Top 10 Risks
1. Cyber-attack/data breach
Respondents to our 2019 survey ranked cyber-attack/data breach in sixth place. Since then, they’ve come to see online attacks as an epidemic of their own.
Cyber criminals were quick to capitalise on the move to remote work and online business during the pandemic. For example, ransomware attacks grew dramatically, increasing 400 percent from the first quarter of 2018 to the fourth quarter of 2020, according to Aon’s 2021 Cyber Security Risk Report. The report suggests that business costs associated with ransomware attacks could reach $20 billion this year.
The spike in losses has pushed cyber-insurers to increase their rates while reducing capacity. However, cyber-insurance is just part of the solution to online attacks. Businesses must strive to keep pace with hackers and those initiating ransomware attacks, investing in cybersecurity and constantly assessing their potential exposures.
2. Business interruption
Businesses around the world saw operations come to a screeching halt in early 2020 as governments imposed lockdowns and travel restrictions to combat the Covid-19 pandemic.
The experience – along with the increased reliance on technology and a connected world – changed the way many think about business interruption, recognising that such disruptions can be systemic and not just local events. That changed perspective drove business interruption’s jump to the second spot in this year’s ranking, up from fourth place in 2019.
As the business interruption threat evolves, organisations should strive to better understand how they might be affected by the changed threat. Then, they must build solutions to address the risk, including appropriate risk transfer and building resilience against the potential for more frequent extreme scenarios that could disrupt business.
3. Economic slowdown/slow recovery
The global economy contracted 3.2 percent in 2020 due to the impact of the pandemic, and while a recovery is underway, troubling signs of volatility remain. The Delta variant’s recent impact on economic activity shows that uncertainties still surround the world’s economies.
Economic slowdown/slow recovery was the top risk in the 2019 survey, as business leaders eyed the possibility of an impending recession.
Faced with ongoing economic uncertainty, businesses should look for ways to maintain and increase revenue, control expenses and take steps to build resilient operations and workforces. A sound enterprise risk management programme can contribute to that resilience and help improve businesses’ competitiveness and agility.
4. Commodity price risk/scarcity of materials
The disruptions to manufacturing and consumer activity, along with transportation interruptions and port closures in the pandemic’s early days, led to scarcities of materials and commodities. Now, as businesses look to return to normal levels of activity, many commodity producers are unable to keep up with surging demand.
The result? Commodity price risk/scarcity of materials reached its highest level ever in our survey, up from seventh place in 2019. Meanwhile, as businesses wait for commodity supply to rebalance with demand, there is uncertainty about whether the global economy has experienced fundamental changes that will lead to permanent increases in the prices of some commodities and materials, fueling inflation.
In this risk environment, businesses will need to take such steps as implementing detailed cost tracking, examining various scenarios and taking advantage of risk analytics. Meanwhile, procurement departments should strive for agility and familiarise themselves with the full range of hedging opportunities.
5. Damage to reputation/brand
As the Covid-19 pandemic advanced, some observers suggested that it might offer a distraction from reputation-threatening events. A look at the negative fallout many businesses experienced in 2020 as a result of various events, mistakes and transgressions showed the reputation threat remained in full force.
Reputation and brand damage slipped a bit in this year’s ranking – down from second place in 2019 – but the threat is still significant. A joint Aon-Pentland Analytics study found that a major reputational crisis causes a company’s shareholders to lose an average of 26 percent of value at some point during the post-crisis year.
Given the impact of social media on the speed and spread of potential reputation-damaging news, businesses should identify their exposures and make addressing them part of their enterprise risk management programmes. Scenario analysis and developing and testing response plans can also reduce the risk.
6. Regulatory/legislative changes
The global regulatory landscape for businesses grows ever more challenging. With governments around the world looking to increase their authority in such areas as public health, financial markets, climate change, taxation and technology, regulatory complexity will likely grow.
Faced with that regulatory environment, survey respondents moved regulatory and legislative changes up four spots in this year’s ranking, from 10th in 2019. As laws and regulations become both more far-reaching and detailed, the risk of non-compliance becomes more severe.
Regulatory risk should be an element of an organisation’s enterprise risk management programme. Multinational organisations should develop integrated global compliance efforts that can respond quickly to the enforcement environments across various jurisdictions. And the compliance team should be involved at the product development, risk assessment and design stage to ensure compliance across various markets.
7. Pandemic risk/health crises
As they continue to address the broad and numerous impacts of the Covid-19 pandemic, respondents to our 2021 survey clearly recognise the potential threat of pandemic risks and health crises. The peril made a massive leap in this year’s survey, finding a place in the top 10 after being ranked 60th in 2019.
The nature of the current crisis is testing business leaders in new ways. Both countries and businesses will be changed by this pandemic as consumer behaviours change, supply chains are reshaped, business models rewritten and expectations of governments shift.
For all organisations looking to deal with this risk, the pandemic has underscored the importance of four key components of resilience: leadership that provides a sense of reassurance and common purpose; accurate, honest and frequent communication; the use of available information to craft new business models, operating methods and communications channels, adjusting as needed; and the use of data to build agile and resilient workforces.
8. Supply chain or distribution failure
Beyond the impact of the Covid-19 pandemic on supply chains, additional disruptions have resulted from climate change, natural catastrophes and even a container ship wedged in the Suez Canal. Among the results: risk decision-makers moved supply chain/distribution failure into the Top 10 Risks in this year’s survey, from 12th place in 2019.
Other perils can also threaten supply chains, including cyber-attacks, political unrest, credit failure and product recalls. With consumers and governments increasing their focus on environmental, social and governance (ESG) issues, ESG risk could pose a future supply chain threat.
To lessen the impact of supply chain risks, businesses should take a holistic view of their supply chains. They should strive to understand the entire length of their supply chain and who touches what at each link on the chain. In many cases, data and sensor technology can provide insights into supply chains that were previously unavailable.
9. Increasing competition
The risk of increased competition has long been a top 10 risk in Aon’s Global Risk Management Survey. While it slipped in this year’s ranking – down from fifth place in 2019 – that is likely to have more to do with respondents’ increasing concerns over other perils highlighted by the Covid-19 pandemic.
A number of factors can influence an organisation’s own competitive position. Its own comparative resilience, new competitors, changing consumer trends, technological advances, regulatory changes, economic trends and changing competitor strategies can all play a part.
Faced with the risk of increasing competition, organisations should identify all the factors that might result in loss of market share and take steps to address them. Having identified the areas that might affect its competitive position, a business can take steps to address those potential threats. Meanwhile, factoring those insights into the organisation’s enterprise risk management programme can contribute to increased resilience.
10. Failure to innovate/meet customer needs
Innovation is critical to future business success. One silver lining of the Covid-19 pandemic has been many organisations’ successful efforts to develop new products and services to address pandemic challenges – innovations that may play an important role in their businesses going forward.
Businesses clearly recognise the threat posed by a failure to innovate or keep up with customer needs. The risk has been part of the top 10 since 2011, ranking at number nine in 2019.
Innovation involves taking a step into the unknown. Organisations must become more comfortable with uncertainty and ambiguity, fundamental aspects of the innovation process. A lack of resilience, lagging digital capability or a failure to manage volatility can impair an organisation’s ability to innovate, underscoring the importance of effective and comprehensive enterprise risk management programmes in helping organisations innovate successfully and anticipate and meet customer demand.
Succeeding in a world of interconnected risks
By highlighting the interconnectedness of a large number of risks, the Covid-19 pandemic has shown that preparing for each peril on its own is insufficient. In today’s global marketplace, a variety of perils can pose systemic threats and need to be assessed, managed and monitored in an integrated way at enterprise level.
Organisations that adopt that enterprise-level approach need to focus on three key priorities to support their decision-making in managing risk: understanding new forms of volatility affecting their business, considering new capital alternatives that can support risk taking while preserving existing capital and building a resilient workforce and workplace in which employees are best prepared to address future challenges.