Reprint of article published in on April 23, 2012, quoting Mel Croner.

By Amanda Gerut

Directors and executives say the biggest risks their companies face are related to government regulation, the economy and data security. However, some observers think those risks may not actually be the most dangerous ones.

In Agenda’s Q2 Directors’ and Officers’ Outlook survey, executives and directors were asked to write in the three most important risk factors their companies had to manage and boards had to oversee for the remainder of 2012. From the 105 responses, Agenda created a list of the most frequently named risks, including strategic, operational, financial and compliance concerns (see table).

Strategy ranked only No. 5, and last year so few respondents mentioned it that it didn’t make the list at all. Meanwhile, regulatory risk topped the charts in both 2011 and this year. Risk experts and a few directors say this may be a red flag.

Henry Ristuccia, a partner with Deloitte & Touche and co-leader of the firm’s governance and risk management services, says the critical aspects of a company’s business strategy are typically where its biggest risks reside. CEOs, who usually serve as companies’ de facto chief risk officers, often require that a risk management program both protect and create value. That means managements and boards must strike a balance between mitigating compliance and regulatory risks and those related to strategy.

To do this, Ristuccia says, he often asks senior executives and board members to screen out the usual compliance concerns and focus on other risks that could kill their company’s reputation, brand value, stock price or market capitalization. That list is then boiled down to about 10 risk items, which Ristuccia calls the “desert island risks.” He explains: “If the senior stakeholders were trapped on a desert island, what would that short list look like?”

Looking at Agenda’s list of risks, he says his client companies often name the same ones our respondents did. But if he were prioritizing, he would move strategic risk to the top. And he would add reputational or brand risk as an issue that requires urgent attention.

Chuck Kissner, chairman of Aviat Networks and a director on the ShoreTel board, also expressed surprise that a few areas he considers crucial to risk management didn’t appear higher on the list. Kissner says issues such as natural disasters, geopolitical conflicts and shifts in technology may actually be more challenging to companies than regulation. He notes that, while he doesn’t underestimate regulatory and economic risks, they may loom large in respondents’ minds not because they threaten companies the most but because they eat up so much of directors’ time.

To prevent regulatory issues from dominating their agenda, Kissner says, his boards review risk management at every meeting, covering 10 or so critical issues on a rolling basis. A management team member presents the risk mitigation plan for one or two risks at every board meeting, and a discussion follows. The presentations keep management and directors focused on risk oversight.

Kissner says directors add value by looking at the bigger picture instead of getting mired in everyday issues that are important but might cause a company to miss the forest for the trees.

Natural disasters, for example, could completely disrupt a company’s business or supply chain. Yet even though 2011 was a year of tornadoes, river floods, earthquakes and a blizzard that hobbled much of the Midwest, few directors and executives highlighted natural disasters as a significant risk to their companies. A risk report released last week by Marsh found that 75% of C-suite executives and risk officers whose companies endured a natural disaster in 2011 were re-examining their risk approaches, and about two-thirds had already begun making major changes.

Risk Staples

Agenda’s 2012 list reflects several notable changes from 2011 in the way respondents think about risk. Cyber security, a daily story subject in major newspapers, moved up to risk No. 3 from No. 4 last year. Concerns about attracting and retaining talent rose to No. 4 from No. 12, perhaps reflecting a tighter labor market. Succession planning moved to the very bottom of the list this year; last year it was risk No. 6.

Bob Gerard, chairman of the H&R Block board and a director at Gleacher & Co., says the increasing focus on data security isn’t surprising, given the complexity of the issue. He says H&R Block CEO William Cobb is “hypersensitive” about it, and the company spends an enormous amount of attention, time and money on issues related to information technology security.

“Even a fairly sophisticated person with some level of scientific knowledge… can’t really envision how one hacks into an information system,” says Gerard. “It’s not surprising to hear that it’s a major concern for people. It’s also a problem… [in which] every time you find a defense, somebody comes up with a new offense.”

A white paper published this year by Deloitte on IT security found that the incidence of successful cyber attacks mushroomed by 44% from 2010 to 2011, with some companies averaging more than one successful attack per week. The report recommends that boards maintain an ongoing dialogue with management on IT security and agree on metrics related to cyber threats that management can monitor in real time.

As for staffing, Ristuccia of Deloitte says that retention concerns almost always make it onto the top five desert island risks, and executives often talk about the best ways to train, motivate and incentivize employees.

Mel Croner, founder and chairman of compensation consulting firm The Croner Company, explains that, as companies have cut costs since the recession, employees and executives alike are working harder for less pay. And with institutional investors so keenly focused on executive comp, companies can’t necessarily make up the difference without angering shareholders. Therefore, Croner says, there’s an “ambient risk” currently surrounding high-level staff at large companies. In this environment, top managers are more likely to be tempted by start-ups funded by private equity or venture capital, which don’t have to worry about whether or not ISS likes their executive pay packages.

“Many of these small companies are extremely competitive, not only for talent, but many times for the best talent,” says Croner. “So there’s a risk of loss of key staff to start-ups that are sexy.”