For the third consecutive quarter, artificial intelligence (AI)-enhanced malicious attacks are the top emerging risk for enterprises, according to Gartner, Inc.
IT vendor criticality and an unsettled regulatory and legal environment are new emerging enterprise risks.
“The two new emerging risks relate to complexities of the IT and political environment made highly visible to executives and boards by current events,” said Zachary Ginsburg, senior director, Research in the Gartner Risk & Audit Practice. “While the upcoming U.S. election generates headlines over the candidates’ regulatory, trade and other proposals, organizations have difficulty considering the actual risk implications from the many scenarios that might unfold. Amplifying this uncertainty are recent U.S. Supreme Court decisions on federal agencies’ authority to set and enforce regulations.”
“Beyond politics, other global events, such as the July CrowdStrike outage, have raised questions about whether organizations over-rely on their largest IT vendors. For example, customers with a concentration of services with one vendor may face elevated risk in the event of outages, or they may face unanticipated changes in services depending on new regulations or legal decisions in the EU, U.S. or elsewhere. Because third parties, like SaaS vendors, rely on other vendors, organizations may not realize the full extent of their exposure,” said Ginsburg.
During the third quarter of 2024, Gartner surveyed 286 senior risk and assurance executives and managers to examine and compare emerging risks, which are those whose effects may not yet have been realized by enterprises but have the potential for significant impact. Their evolution is highly uncertain because it is rapid, nonlinear, or both.
The other four top risks are as follows:
- AI-Assisted Misinformation: 66%
- Escalating Political Polarization: 66%
- Globally Consequential: 61%
- Misaligned Organizational Talent Profile: 66%
Potential Risks from Political, Legal and Regulatory Events
In the current political, legal and regulatory landscape, there is a wider range of potential risks to consider regarding legal and regulatory uncertainty. Beyond the usual legal and regulatory impacts, additional risks related to talent and employment laws, economic policies and their trade and supply chain implications also have many potential outcomes.
Complex, interrelated political, legal and regulatory events that are contingent on a defined set of outcomes are ideal for scenario planning or similar exercises to identify and map event-based outcomes to better understand and plan for emerging risk implications.
“Political and legal events may have complex risk implications, but events that are contingent on a defined set of outcomes, like an election, are good candidates for scenario planning,” said Ginsburg.
Steps to Manage Associated Risks
The first action to take when anticipating political, legal and regulatory events is to identify the risks associated with those events, and to designate which risks are more contingent on imminent events, such as elections, versus more systemic risks that are likely to persist regardless of an event’s outcome, such as logistics issues from trade route disruptions.
From there, legal and risk leaders should identify and map those risks that have the most potential to affect high-priority enterprise risks and objectives. Next, leaders should determine the value of preemptive actions to assess if planning for a potential disruption could reduce risks’ likelihood or impact.
If organizational leaders can generate specific, cost-effective actions that can meaningfully address risks over the duration of a risk event, those actions are highly likely both to mitigate risk and to generate executive support.
Finally, beyond assessing the need to act on specific events, risk management leaders should assess organizational capacity to manage disruptions. Factors to consider include the capability to conduct preliminary impact assessment, compliance impact monitoring, and external and internal engagement.
“By going beyond specific risk events to assessing organizational capacity to manage disruption, enterprise risk leaders can both reduce their organizations’ exposure to identified risks as well as enhance resilience to unforeseen events,” said Ginsburg.