2021 Global Risk Management Survey: Cyber attacks, reputational risk and innovation gaps in Australia

The business climate in 2021 has experienced a perfect storm: Business models are being reshaped, while organisations across the globe are responding to and, at the same time, recovering from the once-in-a-lifetime set of challenges posed by the COVID-19 pandemic.

There are also exposures that are still relatively new for many businesses. Companies’ understanding of, readiness for and ability to manage and transfer risks such as climate-change risk, supply-chain /distribution risk and ESG-related risk leaves much room for improvement.

What our research shows is that a failure – or unwillingness – to prepare can be catastrophic to an organisation’s reputation and survival. The pandemic is a stark reminder that it is not enough to focus on a specific event or exposure, but of the impact events can carry in a globally connected marketplace.

The latest survey has also highlighted the growing interconnectivity of risks, with cyber-attacks, damage to brand, and failure to innovate and meet customer demand identified as the top three risks facing Australian businesses in 2021.

Key findings – top 10 risks identified in Australia

The top risk in Australia: Cyber attacks and data breaches

COVID-19 ushered in a substantial shift in the pace of business, and in turn exponentially intensified cyber risk.

It is notable that the sharp move of cyber from the fifth position to first in the course of two years speaks to the pervasiveness of the risk.

In fact, cyber security is perceived as a top 10 risk by every surveyed sector and for all job roles, including CFOs, CEOs and chief people officers.

Ransomware exploded in 2020, and we have seen hundreds of Australian businesses of all sizes and in all industries impacted by extortion attempts of various levels of sophistication with ransoms ranging from the thousands to the millions.

In Australia in the future, it is predicted we will continue to see ransomware, supply chain risk, business email compromise and attacks against operational technology as the primary cyber threats to Australian businesses.

Australian organisations have become acutely aware of the severity of these attacks as we’ve seen businesses brought to their knees overnight with some never to recover. Failure to appropriately assess, quantify and transfer your cyber risk is also the root cause of many of the other risks ranked in the top five – notably, brand and reputation, business interruption, legislative changes to name a few.

We encourage businesses to be prepared with robust controls, well prepared incident response processes and tested business continuity management and disaster recovery plans.

Damage to reputation and brand still a key issue

In Aon’s 2019 survey, Australian businesses rated damage to reputation and brand as their number one risk, and in 2021 it again featured high on the list at number two.  While it has ranked consistently in the top five globally, it has remained in the top three in Australia for several years.

Australian businesses recognise that reputational crises can have a substantial impact on a company’s future. In 2021 and beyond, the continuing impact of COVID-19 and then on businesses’ responses to the changing economy, the prevalence of social media threats and the 24/7 news cycle has the potential to create rapid impacts which can have an immediate and lasting impact on an organisation’s shareholder value and reputation.

The drive to innovate and meet customer demands

While COVID-19 has caused devastating disruptions to the global economy, decimating many famous brands, it is also forcing companies across different industries to innovate and reinvent themselves. Businesses have found new ways to sell, service and operate during the crisis.

The challenge is this: How can these innovations bring systematic growth after the pandemic abates?

The COVID-19 crisis has taught us that it is important for organisations and leaders to become more comfortable with uncertainty and ambiguity, which are fundamental parts of the innovation process. Failure to innovate is a commercial risk that can also be directly impacted by impaired resilience and a failure to manage volatility. It highlights the importance of a comprehensive and forward-looking approach to enterprise risk management.

Business Interruption

Ranked at number four in Australia and number one in APAC, business interruption is an ever-present threat across all organisations and industries.

Meanwhile, the increasing complexity of business-interruption insurance is also contributing to respondents’ concerns about the wider issue.

Globally, it is not surprising that participants in the hospitality, travel and leisure industry rated business interruption as a number one risk. This sector faced the biggest interruption issues because of continued travel restrictions and a precipitous drop in consumer demand.

While business interruption is a traditional risk by name, its profile is evolving fast. Businesses need to improve their understanding of this new form of volatility and build market solutions to manage this risk.

The pandemic serves as a reminder that risk management and business-continuity management need to evolve further in order to help businesses prepare for, and survive, extreme events.

The war for talent remains a top concern

The risk of failure to attract or retain top talent remains top of mind for Australian businesses, creeping up into the top five concerns, up two spots from last year, and yet again not featuring in the top 10 list globally.  This is particularly interesting in light of the wide spread reports across the world on the ‘great resignation’ or mass movement of employees from their current positions following COVID-19.

While in Australia we have not yet seen this, what we are seeing is employees demanding more from their employers, rejecting the traditional employer-led model and re-examining what is important to them in their roles, careers and work/life balance.

Organisations therefore need to examine their employee value proposition closely and consider what they are offering their employees in terms of benefits and flexibility. To accurately assess this they need data to analyse which benefits are most valued by their employees to ensure they have the right programs in place to retain and attract that top talent.

Future risks and outlook in Australia

In contrast to cyber attacks and data breaches, the risk of damage to reputation/brand has remained at a relatively stable level from the last survey in 2019 and is the only risk in the top 10 risk list that has not seen increased readiness globally. This could be as it is a very complex risk, and Australian businesses are still struggling with it. It has remained on the top 10 risk list since the inception of this survey in 2007 globally, whereas readiness for other risks has been steadily improving as more mitigants become available to manage their impact and associated exposures.

Australian survey participants anticipate that the risks over the next few years will continue to be cyber attacks, reputational risk, the need to innovate, as well as increasing fears of an economic slowdown, increasing competition and ever-present risk of regulatory change.

Again, it is very interesting to note that climate change entered the top 10 future risk list for Australian businesses, joining only a few countries and regions globally who also ranked this as a future issue such as the UK (rated five), Brazil and Japan (six), Chile (eight) and France (nine).

About the survey

Aon’s 2021 Global Risk Management Survey, a biennial web-based research report, was conducted in the second quarter (Q2) of 2021 in 11 languages. The research gathered the responses of 2344 risk decision makers from 16 industry groups, which included small, medium and large companies in 60 countries around the world.

In Australia, we captured 121 responses across various industries with the top represented industries being public sector; energy, utilities and natural resources; financial institutions; construction and real estate; and retail and consumer goods.