Executive Summary

At a recent U.S. Congressional hearing, when U.S. Federal Reserve Chair Jerome Powell was asked to rate the greatest systemic threats to global financial stability, he responded, “The thing that worries me the most is really cyber risk.” Calling it “another epidemic,” Powell pointed out that cyber risk is even more damaging than the lending and liquidity risks that led to the 2008 global financial meltdown.

President Joe Biden went one step further. If this country has a “real shooting war,” it could be the result of cyber attacks, he warned while delivering a speech to the American intelligence community in July 2021.

Meanwhile, the finance ministers of the G-7 countries have voiced similar concerns over the rise in "malicious cyber attacks" in the midst of the coronavirus (COVID-19) pandemic. Cyber attacks "have been growing in scale, sophistication and frequency,” causing “significant economic damage and [threatening] customer protection and data privacy," the ministers said.

Their concerns are justified. Over the past year, hackers and criminals have exploited the COVID-19 pandemic and escalated their attacks on every business sector in many countries around the world. The sheer number of cyber crimes broke all records in 2020. Aon’s 2021 Cyber Security Risk Report shows that the global number of ransomware attacks grew dramatically — up 400 percent from the first quarter of 2018 to the fourth quarter of 2020. Cyber security firm SonicWall also points out that in the first half of 2021, ransomware attacks surged globally to a total of $304.7 million in payments, surpassing 2020’s full-year total of $304.6 million.

Needless to say, cyber security has also risen to the top of the agenda for organizations taking part in Aon’s 2021 Global Risk Management Survey, the highlight of which is the top 10 risk list, a ranking of the top risks organizations face today. The risk of cyber attacks and data breaches ranked number one and is also projected to be a top risk in 2024. In fact, cyber security is perceived as a top 10 risk by every surveyed sector and for all job roles, including CFOs, CEOs and chief people officers.

These insights related to cyber threats are just one part of Aon’s 2021 Global Risk Management Survey, which illustrates today’s traditional and emerging corporate risk portfolio. This biennial web-based survey has gathered the responses of 2,344 risk decision makers from 16 industry clusters, which include small, medium and large companies in 60 countries/territories around the world. Its robust representation has enabled Aon to provide intelligence about risk management practices by geography and industry and has validated the data about risks common to all industries.

Key Findings: Top 10 Risk List

Respondents have selected and rated 10 top risks that their organizations face today:

A New Entry That Casts a Long Shadow Over the Top Risks

As COVID-19 continues to mutate and spread, rendering vaccines less effective, fear and anxiety, together with confusing and conflicting information over its unpredictable impact, have aggravated concerns about pandemic risk and health crises. This has seen the risk enter the top 10 risk list for the first time this year, jumping from number 60 in the previous survey to number seven in the current one. As expected, reported loss of income from pandemic risk in the past 12 months has risen from 2 percent in 2019 to 79 percent in 2021.

For more than a decade, the risk of pandemics and health crises lay buried at the bottom of Aon’s risk list, despite the constant threats of bird flu and the SARS, MERS, Ebola and Zika viruses. Having foreseen the potentially devastating impact of these diseases, experts at Aon repeatedly called out this risk in various reports, characterizing it as an underrated threat.

In 2013, Aon polled more than 100 captive directors and asked participants whether the risk of pandemics and health crises, ranked number 44 in Aon’s previous surveys, was underrated. Much to our surprise, respondents seemed undecided on this question, with only 39 percent considering it to be underrated.

Then came the COVID-19 pandemic, the largest in modern history. Unlike a typical crisis that takes a linear path to its conclusion, the COVID-19 pandemic has played out in multiple waves of infection, requiring organizations to pivot quickly between reacting, responding, recovering and reshaping. This pandemic is an event driven by a host of as-yet-unknown factors and hidden interconnectivities that combine to amplify the pandemic’s impacts and ripple effects.

Pandemic risk is an issue on its own right but has also acted as a catalyst and magnifier, accelerating changes in the way companies operate and, in turn, other existing risks on the Top 10 List.

For example, during the COVID-19 lockdowns, remote working for office-based environments quickly transitioned from being an option to a necessity almost overnight. This required companies to bring forward the investment and transformation of a ‘digital-at-scale’ model by two to five years. Technology played a central role during the lockdowns of 2020 and acceleration of economic activity during the reopening in 2021, but this dependency has also created more Cyber “attack surface”, presenting more potential security vulnerabilities to bad actors.

At the same time, business interruption, which was predicted to be at number seven, comes in a close second on the Top 10 List. Participants in Asia Pacific and Europe, as well as those from the energy, utilities and natural resources, hospitality, travel and leisure, and life sciences sectors have ranked it number one. The pandemic-induced lockdowns, along with an ever-adapting threat profile, have helped to deliver this high ranking.

The pandemic has been one catalyst for the high-ranking of supply chain/distribution failure, along with a spate of high-profile events, regulatory change and significant weather events. As a consequence, supply chain has surged back into the Top 10 List, having been rated at number 19 as recently as 2017.

For many organizations, the definition of supply chain failure and business interruption have broadened, from event-based to impact-based but also from property to non-property. The challenge facing companies today is to build resilience at a time when many will be looking to continue removing perceived cost and inefficiencies.

COVID-19 triggered a global economic recession, ensuring that economic slowdown/slow economic recovery remained a top three risk in Aon’s survey. A related threat, commodity price risk /scarcity of materials has registered its highest ever ranking (at number four) since it was added to Aon’s list in 2009. In the early days of the pandemic, when entire industries came to an abrupt halt, the commodity market experienced similar volatility. Prices for oil and metals plunged as coronavirus lockdowns reduced demand. Supply chain disruptions also led to severe scarcity of materials. Now that the world is slowly recovering from the pandemic, the risk has been redefined, as the availability of raw materials to make the products that are suddenly in high demand is now under pressure.

As we move at a rapid pace to reshape, the pandemic has changed the profile of many of our existing risks, casting doubt over our ability to manage and finance them, and making new demands of the insurance market to be relevant.

Back to top >

Underrated Risks

We believe that survey participants have underrated the following risks:

Environmental, Social, and Governance (ESG)

In Aon’s 2021 survey, ESG ranks only in 31st place overall. (However, it is ranked sixth by respondents in Japan.) ESG strategies sit at the heart of most business plans today, and with these strategies comes new risk. Companies are increasingly required by regulators to adopt transparent and effective ESG initiatives. The underrated status of this risk could be attributable to the fact that many participants classify ESG to predominantly be a regulatory exposure today, or a driver of reputational damage, both of which feature in the Top 10 List. Regardless, we predict that climate change will become the next big focus for companies and enter the top fifteen in the future survey.

Climate Change

This risk has risen from 31 in Aon’s 2019 survey to 23 in the current one. Despite its jump, it’s not rated as a Top 10 Risk. Participants do not consider climate change will pose a top threat, even in 3 years’ time, which surprises us. From Aon’s perspective, climate change is not only an emerging risk. It is an urgent risk. According to Aon’s Global Catastrophe Recap: First Half of 2021 report, which evaluates the impact of natural disaster events that occurred worldwide, insured losses from natural disasters hit a 10-year high of $42 billion in the first half of 2021. Planning in new ways has become a must for the reality of climate change, which presents a systemic threat that is going to justify a completely fundamental change in terms of how companies think and how we plan for the future.

Personal Liability (D&O Risk)

This risk has dropped to its lowest ever ranking, at 45, despite the obvious pressures on D&O capacity and cost in the market. Perhaps participants don’t perceive personal liability to be a risk in its own right, but rather an impact of a range of other risk events or a solution in the form of insurance.

Disruptive Technologies

This risk was introduced as new in 2017 and landed at number 20 before rising to 14 in the 2019 survey. Disruptive technologies was predicted to come in at number eight in Europe and nine in North America, but has dropped to 30. However, as the pandemic has accelerated technological advances in some industries, participants may consider it less of an unknown going forward.

Back to top >

Projected Risks for 2024

Respondents are not predicting wholesale changes to the relative importance of risks in the future. For example, cyber risk is projected to occupy the top spot globally and in North America in the future. Behind this trend may be rapidly changing definitions and profiles of existing risks, in areas such as business interruption, supply chain and cyber.

Three years from now, surveyed businesses in North America have predicted failure to attract and retain talent to return as a priority, having dropped from the overall Top 10 Risk list in the current survey. This heightened perception reflects the direction of travel of the workforce in the US. The 2020 census shows the lowest birth rate since the Depression decade of the 1930s. The data reflects fewer people in their prime working years, fewer working-age immigrants and more baby boom retirees. The situation in the U.S. is further compounded by the changes in the country’s immigration policy and by what many believe the pandemic related subsidies, which discouraged employment.

Failure to attract and retain talent is also considered as a future Top 10 Risk by organizations in the Asia and Pacific region, where the problems of lower birth rate and aging population are beginning to make an impact on available workers. Overall, this risk may also be connected with developments in employee value proposition, and workers now choosing their employers not only based on role and remuneration but also the companies’ values.

Businesses in the UK, which have experienced workforce shortages as a result of Brexit, perceive the risk to be in the top six risk today but are not expecting it to remain a key threat in the future. Even though the pandemic may have temporarily upstaged the UK’s fallout from Brexit in the first half for 2021, we predict that failure to attract/retain talents will emerge as a bigger issue in years to come for the country and for the EU in general.

Climate change is not predicted to be in the global top 10 risk list, but many individual countries expect it to be a top threat in 2024: number five in the U.K., number six in Brazil and Japan, number eight for Chile and number nine for France.

Back to top >

Risk Readiness and Reported Loss of Income

We investigate an organization's risk readiness every year because it serves as a good barometer of risk management activity, sophistication and dynamism.

Despite (or perhaps because of) the exceptional circumstances surrounding the global pandemic, more organizations now have plans to address and manage risks. Overall readiness for the top 10 risks increased from 51 percent in 2019 to 58 percent in 2021 as awareness of them has heightened, reversing the downward trend in previous surveys.

However, the growing volatility and changing nature of the top 10 risks have led to the highest-ever reported loss of income for businesses, despite a spike in reported levels of risk readiness. The average reported loss of income due to the top 10 risks has seen a 10 percent increase, the biggest hike since Aon’s first survey in 2007.

Despite the rising amount of reported loss of income only 29 percent of respondents plan on increasing their investment level in risk management resources. About 63 percent state that they will maintain investment levels in risk management resources to support their risk agenda in the next 12 months, with four percent even planning on reducing their resources. Nearly 60 percent of survey participants do not measure total cost of insurable risk, with Asia Pacific reporting the lowest percentage of participants measuring total cost of insurable risk, at 33 percent.

Only 36 percent report that their company proactively assesses their most critical and emerging risks through M&A and divestiture processes. This shows that most companies, regardless of industries and sizes, do not proactively assess their critical and emerging risks as part of the deal-making process, likely because risk management is generally not an integral part of M&A and divestitures planning processes. This lack of risk oversight in corporate deal making may ultimately impact the value or security of the investment.

Back to top >

Regional Divergence

From a regional perspective, there is some consistency, as four key risks — the risk of cyber attacks/data breaches, the risk of business interruption, the risk of economic slowdown/slow recovery, and the risk of regulatory/legislative change — are cited across all geographies.

At the same time, the risk of pandemics and health crises occupies a top spot in the current and future top 10 risk list for all regions except North America, where participants have ranked it at number 12 and remain undecided about its future ranking. This could be attributed to the rising optimism seen back in the second quarter of 2021, when new infections were on an overall decline and more people were being fully vaccinated. With surging COVID-19 cases in the summer and fall, such perceptions could change.

Commodity price risk/scarcity of materials is perceived as a Top 10 Risk by all regions except Asia Pacific, which ranks it at 12. The difference in rating could be a reflection of the industry profile of our respondents from Asia: as well as elevated commodity prices and scarcity of materials, from the rebound in economic growth in Europe and North America.

Similarly, companies in Europe and North America ranked supply chain/distribution failure risk at number five and number six, respectively, whereas other regions perceive it as a lesser threat. This is because the advanced economies in the West depend heavily on global suppliers to improve the cost and efficiency of their operations. Lockdowns and border closings have disproportionately affected businesses in these regions.

In North America, corporate reputational crises from financial fraud and neglect of employee health to racially offensive messages in advertising and inappropriate executive tweets frequently dominate headlines. As a result, North American participants ranked damage to reputation or brand in third place. At the same time, respondents in Latin America and the Middle East and Africa only ranked it in 13th place. A veteran public-relations (PR) expert joked, “If you were going to have a PR disaster, this was the year to do it.” In other words, the devasting impact of the global pandemic on businesses in these regions has overshadowed the public’s concerns for corporate reputational issues.

Back to top >

Strategic Insights: Long-Tail Risks

The rapid pace of societal and technological transformation have brought increased focus on new forms of volatility, and what Aon calls the six “long-tail” risks – cyber security, damage to brand and reputation, complex supply chain risk, pandemic, intellectual property, and climate transition. If we examine the survey results, four of the six long-tail risks are represented on the Top 10 List.

These interconnected risks are at the forefront of companies’ mind because of their complex nature and long-tail exposures. Companies tend to understand these risks less well, either because they are new or because they are accelerating or changing in profile. This requires companies to take a fresh look at risk assessment and scenario quantification, and to rigorously test the validity of existing risk management and financing programs.

Back to top >

Making Better Decisions to Shape the Future

The impact of the COVID-19 pandemic has demonstrated the interconnected nature of risk. Risk profiles have been and continue to be in a state of flux as businesses and economies emerge from the pandemic. As our survey shows, long-tail risks have become an important part of the risk landscape: cyber risk has increased as reliance on technology has increased, and global economics and trade have been impacted by unprecedented lockdowns all over the world.

There are also exposures that are still relatively new for many businesses. Companies’ understanding of, readiness for and ability to manage and transfer risks such as climate change risk, supply chain/distribution risk and ESG-related risk leaves much room for improvement.

The business climate in 2021 has experienced a perfect storm: Business models are being reshaped, while organizations across the globe are responding to and, at the same time, recovering from the once-in-a-lifetime set of challenges posed by the COVID-19 pandemic. Large financial losses from large-scale natural disasters and man-made events continue to loom and adversely impact livelihoods and businesses. All the while, insurance markets see tough market conditions for traditional exposures and a limited appetite for emerging ones.

As an organization, we are dedicated to innovative solutions that address both known and emerging risks. Whether through proprietary data or state-of-the-art analytics, our purpose is to enable our clients to make better decisions and manage volatility at scale.

Historically, we have learned and made decisions by analyzing data from loss events as they have occurred. With the current absence of historical data, the challenge will be to forward-think how to best develop solutions to properly prepare for and manage through them.

To address these challenges, we suggest that organizations focus on these key priorities:

  1. Understanding new forms of volatility: Building an understanding of holistic risk management solutions to solve for emerging threats and long tail risks.
  2. Considering access to new forms of capital: Understanding how to create alternative sources of capital that support risk taking and preserve existing capital to address recent hard market cycles and lack of capacity for emerging risks.
  3. Building a resilient workforce: Considering the role of all employees in building solutions for, and addressing challenges stemming from various threats; including how the future of work will be impacted and continue to evolve.

2021 Global Risk Management Survey Risk Ranking

Respondent Profile

©2021 Aon plc. All rights reserved | Contact Us | Privacy Policy | Legal