Artificial intelligence (AI)-enhanced malicious attacks are the top emerging risk for enterprises in the third quarter of 2024, according to Gartner, making this the third consecutive quarter in which they have held that position. IT vendor criticality and an unsettled regulatory and legal environment are new entries among the top emerging enterprise risks.
During the third quarter of 2024, Gartner surveyed 286 senior risk and assurance executives and managers to examine and compare emerging risks: those whose effects enterprises may not yet have felt, but which have the potential for significant impact and whose evolution is highly uncertain because it is rapid, nonlinear, or both.
“The two new emerging risks relate to complexities of the IT and political environment made highly visible to executives and boards by current events,” says Zachary Ginsburg, senior director, Research in the Gartner Risk & Audit practice. “While the upcoming US election generates headlines over the candidates’ regulatory, trade, and other proposals, organisations have difficulty considering the actual risk implications from the many scenarios that might unfold.
“Amplifying this uncertainty are recent US Supreme Court decisions on federal agencies’ authority to set and enforce regulations,” Ginsburg adds.
“Beyond politics, other global events, such as the July CrowdStrike outage, have raised questions about whether organisations over-rely on their largest IT vendors,” he continues. “For example, customers with a concentration of services with one vendor may face elevated risk in the event of outages, or they may face unanticipated changes in services depending on new regulations or legal decisions in the EU, US, or elsewhere. Because third parties – like SaaS vendors – rely on other vendors, organisations may not realise the full extent of their exposure.”
Two of the top five most cited emerging risks, AI-enhanced malicious attacks and IT vendor criticality, fall in the technology category, and two reflect political concern: uncertainty around the regulatory and legal environment, and the outcomes of elections around the world. Misaligned organisational talent profile moved down from fourth place in the second quarter to fifth in the third quarter.
Increased range of potential risks from political, legal, and regulatory events
The current political, legal, and regulatory landscape widens the range of risks organisations must consider. Beyond the direct legal and regulatory impacts, risks tied to talent and employment law, economic policy, and the trade and supply chain consequences of both can each play out in many different ways.
Complex, interrelated political, legal, and regulatory events whose course depends on a defined set of outcomes are well suited to scenario planning or similar exercises, which identify and map the consequences of each outcome so that the implications of emerging risks can be understood and planned for in advance.
“Political and legal events may have complex risk implications, but events that are contingent on a defined set of outcomes – like an election – are good candidates for scenario planning,” says Ginsburg.
Additional steps to manage associated risks
The first step when anticipating political, legal, and regulatory events is to identify the risks those events carry and to separate the risks that hinge on an imminent event, such as an election, from systemic risks that are likely to persist whatever the outcome, such as logistics problems caused by trade route disruptions.
From there, legal and risk leaders should identify and map the risks with the greatest potential to affect high-priority enterprise risks and objectives. Next, they should weigh the value of pre-emptive action by assessing whether planning for a potential disruption could reduce a risk’s likelihood or impact.
Specific, cost-effective actions that meaningfully address a risk for the duration of the risk event are the ones most likely both to mitigate it and to win executive support.
Finally, beyond deciding whether to act on specific events, risk management leaders should assess the organisation’s capacity to manage disruption. Factors to consider include its ability to conduct preliminary impact assessments, monitor compliance impacts, and engage with external and internal stakeholders.
“By going beyond specific risk events to assessing organisational capacity to manage disruption, enterprise risk leaders can both reduce their organisations’ exposure to identified risks as well as enhance resilience to unforeseen events,” says Ginsburg.