“The two new emerging risks relate to complexities of the IT and political environment made highly visible to executives and boards by current events,” said Zachary Ginsburg, Senior Director, Research in the Gartner Risk & Audit Practice. “While the upcoming U.S. election generates headlines over the candidates’ regulatory, trade and other proposals, organizations have difficulty considering the actual risk implications from the many scenarios that might unfold. Amplifying this uncertainty are recent U.S. Supreme Court decisions on federal agencies’ authority to set and enforce regulations.”
“Beyond politics, other global events, such as the July CrowdStrike outage, have raised questions about whether organizations over-rely on their largest IT vendors. For example, customers with a concentration of services with one vendor may face elevated risk in the event of outages, or they may face unanticipated changes in services depending on new regulations or legal decisions in the EU, U.S. or elsewhere. Because third parties, like SaaS vendors, rely on other vendors, organizations may not realize the full extent of their exposure,” said Ginsburg.
Two of the top five most cited emerging risks are in the technology category and two reflect political concern related to uncertainty around the regulatory and legal environment and the outcomes of global elections (see Table 1). Misaligned organizational talent profile moved down from the fourth-place ranking in the second quarter to the fifth most cited risk in the third quarter.
Table 1: Top Five Most Commonly Cited Emerging Risks in Q3 2024
Increased Range of Potential Risks from Political, Legal and Regulatory Events
“Political and legal events may have complex risk implications, but events that are contingent on a defined set of outcomes, like an election, are good candidates for scenario planning,” said Ginsburg.
Additional Steps to Manage Associated Risks
If organizational leaders can generate specific, cost-effective actions that meaningfully address risks over the duration of a risk event, those actions have a high likelihood of both mitigating risk and generating executive support.
Finally, beyond assessing the need to act on specific events, risk management leaders should assess organizational capacity to manage disruptions. Factors to consider include the capability to conduct preliminary impact assessment, compliance impact monitoring, and external and internal engagement.
“By going beyond specific risk events to assessing organizational capacity to manage disruption, enterprise risk leaders can both reduce their organizations’ exposure to identified risks as well as enhance resilience to unforeseen events,” said Ginsburg.