
Hype and top risks

My good friend, Alexei Sidorenko, challenged me on my last post. He said:

Norman Marks, too much cyber lately, too much jumping on the hype train, cyber is not even top 10 important risk in today’s business. Write about something that is important and was important 10 years ago and still is.

Now, just as it is wrong to jump on the hype train and believe that cyber is always a top risk, it is also wrong to believe that it never is. What is needed is a disciplined assessment of the likelihood of a breach that would have a material adverse effect on your organization’s ability to achieve its enterprise objectives. In other words, is it a “top risk” for you?

But if (as Alex says – and as borne out by many studies of the effect of breaches) cyber is not a top risk, what is?

There are quite a few surveys. For example, Protiviti says these are the top risks for 2021[1]:

  1. Pandemic-related policies and regulation impact business performance
  2. Economic conditions constrain growth opportunities
  3. Pandemic-related market conditions reduce customer demand
  4. Adoption of digital technologies may require new skills or significant efforts to upskill/reskill existing employees
  5. Privacy/identity management and information security
  6. Cyber threats
  7. Impact of regulatory change and scrutiny on operational resilience, products, and services
  8. Succession challenges, ability to attract and retain top talent
  9. Resistance to change operations and business model
  10. Ability to compete with “born digital” and other competitors

The World Economic Forum sees things a little differently. Note that they don’t indicate the likelihood of the more serious impacts in their report, excerpted below.

[Image: WEF top risks 2021]

Risk.net has a list as well:

  1. IT disruption
  2. Data compromise
  3. Resilience risk
  4. Theft and fraud
  5. Third party risk
  6. Conduct risk
  7. Regulatory risk
  8. Organizational change
  9. Geopolitical risk
  10. Employee wellbeing


All of these may be risks worth considering – if you want to develop a list of risks.

But are they the top things that could go wrong and cause your organization to fail, or at least suffer such significant harm that it would not achieve its objectives?


Why not take each of the organization’s objectives (including any not formalized, such as being in compliance with applicable laws and regulations) and identify:

  • What could go wrong such that the objective is not achieved? What is the likelihood of that happening?
  • What needs to go right if the objective is to be achieved? What is the likelihood of that not happening?
  • What could happen that would allow the objective to be exceeded? What is that likelihood?
  • Overall, is the likelihood of achieving the objective acceptable?


In Auditing that Matters, I opened with a discussion of the more significant risks facing each of my various companies. They ranged from cash flow to cost control, to obsolete technology, to a poor executive management team and culture.

The point is that each organization is likely to have a unique set of things that could go wrong, as well as what could go well.


In this time of COVID and geopolitical uncertainty, there are a number of risks that typically don’t make it into the disclosures to the SEC but should be top-of-mind to the board. For example:

  • The company must be able to adapt to the new environment, including changes to the economy, customer needs, working conditions – and the need to continue to adapt as things continue to change. While decisions may be made requiring change, can the organization (including its processes and systems) make that change with agility?
  • Quality decisions that may have a lasting impact have to be made at speed. Are they made by the right people and are they based on reliable, complete, and timely information? Are all who should be involved part of the decision? Are decisions made at an appropriate speed – neither too fast nor too slow?
  • When the environment and business conditions change, the organization needs to be willing to change its objectives. What was a solid and practical goal in 2020 (let alone 2019) may be impractical in 2021. In addition, as the world changes new opportunities are opening up; is the organization able to recognize them and change direction, change its goals and strategies?


‘Effective risk management[2]’ is essential if an organization is going to see not only where it is but what lies ahead and then make the decisions necessary for success.

That requires considering all the things that are at least reasonably likely to happen, both good and bad, for your specific organization.

Set aside consultants’ and regulators’ hype (not only about cyber but also about issues such as third-party risk management[3]) and make that determination for your organization’s specific and unique circumstances.


I welcome your thoughts.

[1] The North Carolina State University’s ERM Initiative has the same list.

[2] Explained in Risk Management for Success

[3] Third party risks are even more specific and different for each organization

  1. March 23, 2021 at 11:23 AM

    Cyber is associated with at least the first 5 top risks as pointed out by Risk.Net: IT Disruption, Data compromise, Resilience risk, Theft and fraud and Third party risk. It is a mistake not to consider it a top risk in this day and age. In fact, with the COVID uprise, these types of risks only amplified.

    My opinion is that considering the complexities around these kinds of issues, many times surrounded by lots of technical aspects, this category MUST be on Boards of Directors’ agendas, sooner rather than later.

    Thanks for a great blog and resources.

    • Norman Marks
      March 23, 2021 at 12:21 PM

      But it may be unlikely to have a massive impact, especially when compared to other sources of risk. Why assume it is a top risk without a disciplined assessment?

  2. Chris Specht
    March 23, 2021 at 4:21 PM

    Thankfully you said what I was thinking when reading those “Top Risks” lists. Each company has different (same same but different) objectives, and these objectives may not be included within an arbitrary list of Top Risks developed by a 3rd party. There’s nothing worse than someone coming into an organisation and preaching to that organisation what their Top Risks should include, without first understanding the business and conducting a thorough assessment.
    Having said all this, we are also assuming that organisations have developed useful Objectives that are real, can be tracked and produce benefit and value for the client, shareholders and employees.

  3. March 23, 2021 at 5:03 PM

    Agreed that each organization needs to assess its own (cybersecurity) risks. With 70% of all ransomware breaches hitting healthcare, I would be hard pressed to think that cyber would not make the Top 10. Then you have the close call in Oldsmar, Florida where an excessive amount of lye was almost released into the water supply – each entity better address its risks. Internal and compensating controls better be considered.

  4. March 24, 2021 at 4:08 AM

    I fully agree with your ingoing questions “What has to happen that may cause us not to meet our objectives” and “how likely are we to meet our objectives (and is that satisfactory)”.

    Among major risks I have seen, and which were important 10 years ago, and which are still important are:
    – Overfeeding the market (e.g. for short-term profits, leaving the next years in shambles)
    – Changes in the competitive landscape, e.g. new competitors, new customer preferences, new business systems, …
    – Lack of strategic follow-through, i.e. management pursuing a strategy but failing to ensure the organizational setup and capabilities match what is needed

  5. March 24, 2021 at 6:37 AM

    When I was in the military we never discussed risks! Guns, bullets and being put in harm’s way have a strange effect on thinking.

    What matters most is:
    – situational awareness aka sensing and anticipating what’s around the corner,
    – quality thinking and weighing off the odds,
    – understanding capabilities, capacity and deployment of scarce resources,
    – violent focus on achievement of objectives.

    I tend to leave lists of risks to people in offices. People whose days are now numbered as more AI, blockchain and other use cases emerge.


    • Roy
      March 30, 2021 at 12:41 AM

      That is an interesting thought. However, who do you think will develop these technologies and, moreover, provide assurance on the algorithms behind this?

  6. Bill Spoehr
    March 24, 2021 at 8:07 AM

    I’m not sure in what industry/function/cave Alexi works and lives in these days, but cyber – and all of its sub-categories of risk (Deloitte lists 8 components) – is a major threat to any organization unless that organization uses paper-based books & records, written mail for all communications, only takes cash (currency) for payment, and keeps that cash in a coffee can buried in the ground.

    Norman has been hammering this issue a lot lately. That doesn’t mean it’s THE only issue/risk out there, or that it’s even #1 for your organization, but to say “not even a top 10 risk” is really …………… um, amazing. Good luck with your next hack, Alexi!

    • Norman Marks
      March 24, 2021 at 8:17 AM

      Bill, I did some work for a major Canadian agency that managed the funds of the provincial government. While cyber was clearly a source of risk, it was not one of their top risks. A breach was unlikely to result in a direct loss given other business controls. Disruption was also less significant than you might think because they didn’t trade actively and could manage the portfolio of investments from a spreadsheet for several weeks without great impact.

  7. Anonymous
    March 29, 2021 at 5:04 PM

    There are many ways to develop the ‘top risks’ to a business and typically, from what I have seen, they are bottom-up driven.

    So there is quite often a disconnect between what the Board views them to be and what management see them to be. And this of course ignores the challenges of having a ‘shopping list’ as long as your arm.

    So we need to come up with a ‘happy medium’ which encompasses both views. With that in mind, I prefer the top risks to be key business questions that:
    1. Should be asked of every part of the business, and
    2. Every part of the business should be able to answer regularly (through the lens of what they do for the business).

    I’ve landed on a manageable number of questions (around 13-15 depending on business context) – here are 3 examples:
    1. Are our Costs to operate appropriate?
    2. Does our workforce understand and meet obligations?
    3. Do we have a healthy culture?

    On a dashboard they are truncated to:
    Costs to operate
    Workforce understand and meets obligations
    Healthy Culture


  8. Walter Ehrlich
    April 6, 2021 at 6:39 AM

    Thanks Norman for your continued thought-leadership. From my perspective, the problem with many of these “Top Risk Lists” is that they are compiled without citing the tangible objective(s) they are identified against. As such, they can never be more than very generic and very wide. My practice is to view the risk lists that are periodically “put out there” and assess the likelihood and the consequence of occurring in a particular organisation against the specific objectives of the business or business area I am advising. It would be foolish not to consider cyber-related threats in any business but there may well be, and likely are, more important risks to keep the CEO awake at night as s/he considers all the risk events that could help or hinder the achievement of the specific enterprise objectives. On the positive side, lists of risks are useful in avoiding blind spots whilst on the negative side, they can make organisations lazy by just considering what is on the list and consider it good risk governance if they can check the box for having considered the most popular top 10 lists instead of properly scoping their own risk assessment and grappling to find the specific risks that could sink their own ship.

