Emerging Risks Monitor Report Also Highlights New Risks Around Cyber-Physical Infrastructure
Concerns that the assumptions underpinning organizational strategy may be outdated or misaligned to current growth objectives topped business leaders’ concerns in Gartner, Inc.’s latest Emerging Risks Monitor Report.
Gartner surveyed 136 senior executives across industries and geographies and the results showed that “strategic assumptions” had risen to the top emerging risk in the 4Q19 Emerging Risks Monitor survey, up from the third position the previous quarter (see Table 1). Last quarter’s top emerging risk, “digitalization misconceptions,” has now become an established risk after ranking on four previous emerging risk reports.
“This quarter saw a number of external risks converge in executives’ thinking, from increasing concerns about the impact of extreme weather events to trade policy,” said Matt Shinkman, vice president with Gartner’s Risk and Audit Practice. “Currently, however, business leaders are most acutely concerned with the beliefs underpinning their own strategic assumptions and the ramifications of getting them wrong.”
Table 1. Top Five Risks by Overall Risk Score: 1Q19-4Q19
Rank | 1Q19 | 2Q19 | 3Q19 | 4Q19 |
1 | Accelerating Privacy Regulation | Pace of Change | Digitalization Misconceptions | Strategic Assumptions |
2 | Pace of Change | Lagging Digitalization | Lagging Digitalization | Cyber-Physical Convergence |
3 | Talent Shortage | Talent Shortage | Strategic Assumptions | Extreme Weather Events |
4 | Lagging Digitalization | Digitalization Misconceptions | Data Localization | Data Localization |
5 | Digitalization Misconceptions | Data Localization | U.S.-China Trade Talks | U.S.-China Trade Talks |
Source: Gartner (February 2020)
Strategic Planning Must Account for Critical Uncertainties
The study defined a strategic assumption as a plan based on a belief that a certain set of events must occur. Gartner research has found that executives believe more than half of their time spent in strategic planning is wasted, and the quality of those plans fails to meet expectations. Incorrect strategic assumptions often result in stalled growth that can derail planned results.
“Strategic assumptions are often sound when they are first formed, but in today’s environment are more vulnerable to becoming outdated or obsolete due to a rapid increase in the pace of change,” noted Mr. Shinkman. Senior executives ranked the pace of change as a top emerging risk in the second quarter of 2019.
Organizations with a poorly formed set of strategic assumptions typically produce a high number of projects that are not aligned with their stated objectives. Moreover, time and budget for the execution of key initiatives consistently overrun planned targets.
“Risk teams should play a vital role in mitigating the impact of inaccurate strategic assumptions. A key component of clarifying strategic assumptions is discerning between likely truths and critical uncertainties,” Mr. Shinkman said. “Risk leaders should involve themselves early in the strategic planning process and add value by developing a set of criteria to stress-test assumptions and root out biases and flaws before they become cemented in a strategic plan.”
Cyber-Physical Convergence Presents New Risks
The second most cited risk was a convergence of cyber-physical risks, as previously unconnected physical assets become part of an organization’s cyber network. Nearly 90 percent of organizations with connected operational technology (OT) have already experienced a breach related to cyber-physical architecture. Despite these threats, organizations continue to move forward with integrating Internet of Things devices, smart buildings and other OT, often without dedicated security policies.
“The risks of OT are still not widely appreciated throughout most organizations,” said Mr. Shinkman. “Top risk teams partner with IT to develop dedicated strategies that account for the security deficiencies in such assets and include regular meetings to review issues such as access rights and employee training.”