CEO and board risk management survey
Download the full report
Illuminating a path forward on strategic risk
How can leaders navigate today’s complex risk environment while accelerating performance and growth? By shifting their focus from isolated risks to emerging, interconnected strategic risks. Our survey uncovers how 400 CEOs and board members are prioritizing and managing investments in four critical risk areas. It turns out that many leaders are still relying mainly on very traditional approaches, tools, and technologies to detect and manage threats. But today’s environment demands a different way of thinking—one that challenges the status quo, senses threats before they emerge, and seizes the right opportunities at the right time.
Top disruptors
Nearly all CEOs and board members surveyed believe their organizations will face serious threats and disruptions to their growth prospects in the next two to three years.
CEOs: 95%
Board members: 97%
Disruptive technologies and cyber incidents were cited as the two greatest threats.
New disruptive technologies and innovations: 34%
Cyber incidents/events: 27%
Eroding trust in brand and reputation: 24%
Weak or unhealthy organizational culture: 20%
CEO and board member perspectives on four strategic risk areas
Cyber risk
Culture risk
Extended enterprise
Brand and reputation
Cybersecurity is their greatest concern, yet CEOs and board members still lack engagement in this area
CEOs: Somewhat engaged 54%, Highly engaged 38%, Not engaged 8%
Board members: Somewhat engaged 72%, Highly engaged 23%, Not engaged 5%
Key findings
Internet of Things (IoT) and artificial intelligence pose significant risk to cybersecurity programs.
Many leaders are misaligned about where to invest to protect against cyber incidents.
Only 25% of surveyed organizations plan to invest in cyber war-gaming and scenario planning to combat cyber threats in the next 12 months.
Deloitte’s perspective
Corporate response and planning may be underappreciated. The growing dependence on technology heightens cyber risks and warrants full senior leadership engagement. Greater cyber risk governance and management frameworks will be critical.
Two-thirds of surveyed leaders lack a process for identifying culture risk signals
Key findings
Digital transformation was ranked as the highest risk to culture in the next two to three years.
One in three organizations plans to invest in an improved process to identify culture risk signals in the next 12 months.
Just one in three organizations receives regular reporting at the CEO and board level on culture and conduct risks.
Deloitte’s perspective
Culture is a significant risk that can affect every aspect of the organization. CEOs and board members should prioritize investments that consider employee engagement, employee behaviors, and market signals. Collectively, these insights can inform actions to proactively manage risk and foster a culture where employees embrace an organization’s shared core values.
62% of CEOs—but only 39% of boards—think their extended enterprise's risk management standards are weaker than their own.
Key findings
CEOs and board members agree that information technology partners pose the greatest risk.
Many leaders are largely aligned on where they plan to invest to manage this risk—professional development, assessment programs, and new technology.
More leaders plan to manage extended enterprise risk in-house versus leveraging a managed services model.
Deloitte’s perspective
Many organizations fail to hold information technology and cybersecurity partners to the same risk standards they set for themselves, potentially leaving the organization exposed. Leaders should create an ecosystem of partners that match their own risk profile, risk appetite, and risk management policies.
CEOs and board members cite cyber and physical incidents as the greatest threat to their reputation
41%
Key findings
Roughly half of respondents lack the ability to detect, monitor, and analyze reputation risks.
More than 50% of leaders lack a plan to develop or acquire tools to address reputational risks, including crisis response capabilities.
While leaders recognize the importance of reputational risks, they’re not completely aligned on which risks pose the greatest threats.
Deloitte’s perspective
It only takes a second to damage an organization’s brand equity and reputation. Managing, protecting, and enhancing reputation should be a high priority for leadership. And it requires a rigorous focus on risk sensing tools, processes to monitor and predict, and governance models.
Our take
Addressing risk takes more than technology. Technology is one part of an integrated approach to risk management. Organizations should also:
1. Define the impact of technology on strategy, operating model, organizational culture, security, and reputation.
2. Align technology investments with overall risk strategy.
3. Integrate people, process, and technology to drive risk governance and management.
How are leaders prioritizing strategic risk investments?
CEOs and board members cite cybersecurity and technology acquisitions as top priorities
CEOs and board members are least likely to invest in maturing their brand and reputational risk programs
Chart series: Boards, CEOs. Values shown: 75%, 62%, 31%, 30%
Chart categories: Security, including physical and cyber breaches; Extended enterprise/business partners; Product quality and safety; Crisis response capabilities. Values shown: 37%, 35%, 35%
Visit our Leader’s Corner for more insights on cyber risk.
Visit our Leader’s Corner for more insights on culture risk.
Visit our Leader’s Corner for more insights on extended enterprise risk.
Visit our Leader’s Corner for more insights on reputation risk.
Reputation and culture risk were underrated, ranking low as concerns.