Geopolitical tensions are escalating, economic conditions are volatile, and workforce talent is in short supply. But the top risk driver is cybersecurity, according to a new Riskonnect survey.

Concerns over AI also continue to mount. AI permeates cybersecurity, geopolitics, and a host of other areas, supercharging the risks of everything in its path. Meanwhile, hackers are getting their own AI boost, launching increasingly sophisticated cyberattacks.

Are risk management strategies and tactics prepared to keep up with this new generation of risk?

To find out, Riskonnect surveyed more than 200 risk, compliance, and resilience professionals worldwide about today’s biggest threats and whether risk management playbooks are ready for this uncharted territory.

The 2024 New Generation of Risk Report revealed that while top concerns have shifted over the past year, risk management efforts are lagging, and key gaps remain. The data also suggests that risk management is increasingly seen as a strategic function, but continued investment is necessary to keep up with the changing risk landscape.

Top Risk Drivers

Nearly three-quarters of respondents – 72% – said cybersecurity risks are having a significant or severe impact on their organization. That’s up sharply from last year’s survey where 47% ranked ransomware and security breaches in the top spot.

Rounding out the top five risk drivers this year were economic risks (59%), talent risks (53%), political risks (37%), and third-party/Nth-party risks (37%).

Concerns about cybersecurity are understandable. AI-powered cybersecurity threats – ransomware, phishing, deepfakes – are rising. Nearly a quarter of respondents said that over the next year, these threats will have the biggest impact on their organizations.

Generative AI Risks Largely Unaddressed

Despite the rising use of generative AI, only 8% of respondents feel prepared for AI and AI-governance risks. Most organizations (80%) don’t have a dedicated plan to address generative AI risks, nor do most (65%) have policies in place to govern the use of generative AI by partners and suppliers.

Just 19% of organizations have formally trained or briefed their entire organization on generative AI risks, and only 16% have a budget specifically aimed at mitigating AI-related risks.

“If you don’t have a plan for generative AI and third-party risks, you don’t have a cybersecurity plan. AI risk is cyber risk. Cyber risk is third-party risk. These risks are also ever-changing in nature. You might feel prepared for what’s out there today, but the landscape will change – and fast.”

– Roger Duncan, co-founder and chief strategy officer at Riskonnect

The majority of respondents (59%) said their leadership isn’t actively supporting generative AI initiatives with specific plans and strategies. As it stands now, risk management teams aren’t usually invited to weigh in on organizational decisions related to AI. This may reflect the lack of training and equipping of staff on generative AI risks, including when and why to involve the risk department.

While the absence of training and top-level engagement can impede effective risk management, the lack of executive support could be unintentional. Senior leaders might not know any more than the rank and file about these risks.

The survey data suggests that companies can’t advance their own practices at the pace cybercriminals are advancing theirs and are waiting for the government to step in. Nearly two-thirds of respondents said risks related to AI-driven fraud and manipulation tactics would be more important for AI regulation to address.

On a more positive note, the data indicates that AI is not seen as a replacement for employees but rather a tool to help risk management teams do their jobs better. Just 5% of respondents plan to reduce their risk management, compliance, or resilience workforce because of AI.

Spreadsheets Still a Favorite

Even with the rise of generative AI and other technology, many respondents appear to be hanging on tightly to spreadsheets. More than half of those surveyed (53%) said they rely only or mostly on spreadsheets to manage risk. More than a quarter (27%) said they exclusively use spreadsheets.

Because of their limitations – manual entry, lack of data controls, out-of-sync versioning – spreadsheets often have data integrity issues. Only 21% of respondents said they have high confidence in the accuracy and actionability of their risk data. Most companies said there are some gaps in the breadth, accuracy, and timeliness of their data. Some 16% said their data can’t be trusted at all.

Within a year, 40% of companies say they will have made some investments in risk management tools. One-quarter say they will have adopted modern risk management software, and 20% will have dedicated risk software that is integrated with other functional areas of the organization. Still, 16% said they will continue to exclusively use spreadsheets.

Note that the driving force behind technology adoption is most often to equip risk, compliance, and resilience teams to be more efficient and focus on strategic work (62%). Better visibility into risk to effectively manage threats (60%) and increasing the department’s performance and business performance (40%) were close behind.

Rev Up Your Playbook

If your own risk strategies aren’t keeping pace with changing threats, here are a few steps to take now:

  1. Create an AI plan.
  2. Train your workforce in AI.
  3. Conduct scenario planning.
  4. Ditch the spreadsheets.

For a complete look at the survey findings, download The 2024 New Generation of Risk report, and check out Riskonnect’s risk management software solutions.