What keeps the CEO awake at night? Paul Pilkington and Jane Woolcott discuss the findings of a recent CEO survey on key risks

The high public profile of terrorism, climate change and pandemics such as bird flu might suggest that these risks currently dominate the global risk agenda of UK corporations. However, in the tenth PricewaterhouseCoopers Global CEO Survey, few UK CEOs highlight these risks as major concerns. Instead, their top five key risks are over-regulation, lack of key skills, a downturn in major economies, low-cost competition and technological disruptions.

Table 1 shows a breakdown of the UK CEOs’ responses compared with the top five risks highlighted by all respondents worldwide.

It is useful to compare the UK and global findings. As multinationals, the UK's largest companies share several major global risks with their counterparts elsewhere – notably those concerning regulation, skills, low-cost competition and technology disruptions, the last of which ranks fifth in the UK and seventh globally.

However, there are also differences between the UK and global responses. The UK's comparatively high reliance on services is reflected in UK CEOs' relatively lower concern about energy and commodity prices. Meanwhile, UK CEOs are more concerned than their global peers about economic downturns, perhaps reflecting the UK's past boom-and-bust environment. Taking these findings as a starting point, we will now examine current developments in each of the top five global risks for UK CEOs.

Regulation: a rising global tide

For multinationals, a key trend is the increasingly complex and transnational nature of the business environment. In this context, the remorseless increase in the regulatory burden represents the number one risk for CEOs based both in the UK and worldwide. US regulators in particular are flexing their muscles extra-territorially, widening the impact of regulations ranging from the Foreign Corrupt Practices Act to Sarbanes-Oxley. The EU is also increasingly active. As a result, companies in the UK must now look far beyond the UK's national rules – as well as facing up to the rising costs of compliance.

More positively, the perceived burden of regulation has helped companies better understand their risk and control processes. Rules ranging from International Financial Reporting Standards (IFRS) to Sarbanes-Oxley have underlined the benefits of effective controls in financial areas. Now this same rigour is being applied to the non-financial metrics that drive the majority of companies' value and decision making.

The growth of emerging market economies, particularly the BRICs (Brazil, Russia, India, China) adds further complexity for companies managing regulatory risk. As emerging markets develop, so will their regulation. Our latest economic research looks at the crucial relationship between risk and reward, and the impact that factors, including regulatory risk, can have on investment decisions. Indeed, the PricewaterhouseCoopers EM20 Index, which was published in July 2007, suggests that the BRICs – although hugely important markets due to their sheer size – may not always offer the highest risk-adjusted returns, and that companies should look beyond these locations when deciding where to invest.

Key skills: adapting to a global workforce

Risks concerning the lack of key skills are another major concern both for UK and non-UK CEOs, ranked second by both groups. One example of these risks is the offshoring of transactional activities in recent years to lower-cost centres around the world – a change that has transformed the roles and skills required of the 'leave-behind' onshore workforce.

This shift requires substantial training and development in skills, behaviour and culture, and demands a more commercial and strategic mindset that may be very different from the traditional skill-set of many 'leave-behind' staff. One approach, taken by a major UK-based financial services client that outsourced its back-office processing to India, was to re-engineer and retrain its UK workforce for the new operating model. In essence, corporations are asking people to carry out a role fundamentally different from the one they joined to do. The risk is that many may not be equipped to do their job, or will simply walk away.

The global regulatory risk agenda also affects skills. An increasingly common view in corporations is 'we are all risk managers now'. To be effective and compliant, employees must look beyond the day-to-day operational aspects of what they do. Employees need to recognise the key risks to their business, understand their role in managing those risks, and respond in an integrated way. This behaviour is crucial both in maintaining compliance and tackling competitive threats. Embedding such behaviour requires risk awareness education, such as a programme to embed risk awareness and responsiveness into management at all levels.

Downturns and competition: the need for sustainable costs

The high ranking given to the global threat from low-cost competition by both UK and global CEOs reflects the costs challenge faced by multinationals. Managing this risk, and the risk of a downturn in major economies, boils down to running a robust operating model at a sustainable level of costs, and responding in an agile way to market change. One element is keeping costs under control in positive market conditions, since failing to do so will store up problems in a downturn.

The costs agenda also overlaps with other risks highlighted by CEOs. Businesses must maintain regulatory compliance, but do so at a sustainable cost. And the costs of compliance become greater when a company approaches compliance through several different silos. As our panel points out, a holistic and integrated approach to risk – one that looks across both the risk universe and the whole organisation – is more effective and, in the regulatory sphere, much less expensive.

So corporations facing the remorseless wave of regulation should step back and assess the overlaps in order to take advantage of opportunities to remove duplication. For example, some global corporations have explicitly shifted the focus of their Sarbanes-Oxley compliance projects from controls to risks – thereby enabling them to integrate their responses to different regulations, and achieve comprehensive compliance at lower cost.

Similarly, efforts to manage risks around costs and market downturns must be integrated with other risk areas. So companies using offshoring to reduce operating costs and boost competitiveness must manage the impact on people and skills. And their efforts to enhance their systems architectures must avoid additional complexity, which would boost both IT costs and the risk of disruption. The underlying need is for an integrated approach.

Technology disruption: rising importance, rising vulnerability

We have already highlighted the impact of rising complexity on global regulatory risk – and the same driver is equally evident in technology disruption risk, which is ranked fifth by UK CEOs and seventh globally. While this ranking may be higher on the UK CEO agenda, it is actually cited by 53% of CEOs worldwide. Whereas a few years ago organisations could cope for a while without their IT systems, today most companies would be unable to function.

While external threats are often seen as the primary risk of IT disruption, the most common causes are actually internal and accidental: staff failing to follow the right processes. Internal users and process failure also represent the biggest IT security risk. At the same time, there are several specific risk issues concerning IT availability.

Making the most of risk

Our analysis of UK CEOs' perception of the global risks facing them clearly underlines the need for a holistic approach. But it also highlights something else: the need to integrate risk management with the pursuit of opportunities. Each of the key risk areas named by CEOs also presents the potential for differentiation, growth and improved sustainability across regulatory compliance, people, costs and technology. The same metrics and KPIs that keep management informed about risks can be used to identify opportunities and track how successfully they are used. They are also key to maintaining and building the organisation's reputation.

UK CEOs have a good grasp of the global risks facing their businesses. However, in our view they need to explore that knowledge more fully, by integrating their management of various risks and incorporating it more closely into their growth strategies. According to the CEOs participating in our survey, the outlook is bright. Holistic management of risk is the key to making the most of this promising future.

A holistic approach to global corporate risk

PricewaterhouseCoopers' Tenth Annual Global CEO Survey underlines how non-financial risks – primarily regulation, people and technology risks – are rising up the agenda. In the UK, this trend has been strengthened by the mandatory Business Review, which emphasises holistic performance measures and non-financial Key Performance Indicators (KPIs). The interdependent nature of the non-financial risks facing today's global multinationals, coupled with the rising importance of issues such as corporate responsibility, reputation risk and climate change, means a holistic approach is crucial in managing corporate risk as well as corporate performance.

Our client experience and research highlight three ways in which boards control and manage risks:

1 People and culture: codes of conduct and embedded values that the employees stand for, in turn driving behaviour.

2 Delegation of authority: companies adopt flat or hierarchical delegation structures depending on the risks they face. Typically, creative 'people' businesses have flat structures, while a heavily-regulated business is more hierarchical.

3 Management systems and processes: controlling activities through functions such as sales, finance and HR.

While all three levers give comfort over risk, companies still tend to use them in isolation, with little coordination. This prevents management from getting an overall picture of the business's risks, business performance and their interdependencies. Instead, to manage risk effectively and holistically, boards need to be able to pull together a diverse and formerly unconnected range of KPIs in a format they can easily analyse – thus creating an early warning system for emerging risks.