The Changing Landscape of Business Risk
26 August 2024
89% of Australian business leaders believe risk and security challenges will worsen over the next 12 months, but our latest Risk and Security Report reveals a critical gap.
Our findings indicate that many organisations are struggling to recognise the ‘flow-on’ effects of different risk areas and to implement effective mitigation frameworks. New cyber security obligations were introduced this month under the Security of Critical Infrastructure Act 2018. Australian organisations operating in sectors such as communications, defence, higher education, financial services, healthcare, energy, and transport may also be required to submit a Critical Infrastructure Risk Management Program by 28 September—many for the first time.
Key findings
1. Businesses underestimating the secondary impacts of geopolitics
Despite months of chaos in the Middle East and Ukraine, and rising tensions in the South China Sea, only a quarter of organisations (25 percent) rate ‘geopolitical risks’ as a top 3 risk—down from 41 percent in 2023. Trade issues and disputes are a concern for more than a third of Australian organisations (37 percent), but surprisingly only 9 percent believe that the uncertain outcome of the US election will pose a significant challenge to their business.
2. Cyber concerns grow, as supply chains increasingly targeted
Cyber risk has now overtaken financial risk as the number one concern of 2024. As threat actors strategically target businesses along the supply chain, almost half of surveyed organisations (44 percent) are preparing for cyber risks and security concerns to increase in the year ahead. Alarmingly, 70 percent of organisations surveyed do not have basic controls in place to manage cyber risks in their supply chain, including contractual obligations that require suppliers to report any cyber or data breaches.
3. Insider risk is a ‘human’ problem
While many organisations are required to possess an insider risk management program under new Security of Critical Infrastructure (SOCI) legislation, no more than a third (ranging from 18 to 34 percent) of surveyed organisations have the basic insider risk controls in place that McGrathNicol would consider fundamental. These include risk-based vetting and due diligence frameworks for employees, suppliers and contractors.
4. Practical testing of supply chains is required
Awareness of supply chain risk is growing, with 80 percent of surveyed organisations now incorporating some element of supply chain risk into their broader risk management program (up from 26 percent in our 2023 survey). While nearly all organisations (96 percent) are confident in their ability to navigate risks and security issues impacting the supply chain, 74 percent continue to face internal challenges in addressing supply chain risk, including a lack of expertise, insufficient data, budgetary constraints, and limited access to tools.
5. Data management adds new layers of legal and regulatory complexity
More than half of all surveyed organisations (55 percent) rank legal and regulatory risks as a ‘top five’ concern, with 27 percent believing that these risks will increase in severity over the next 12 months. Data management, retention and privacy changes are posing significant challenges for business leaders, as regulators like the OAIC take a more proactive stance. Organisations must ensure they have good quality data to allow them to better understand compliance issues, and in the event of a dispute, defend or remediate appropriately.
6. Multiple risk factors fuel financial pressure
High inflation, wage increases, interest rate rises, and higher energy costs mean that the spotlight is on the CFO to identify areas where costs can be reduced. Newer categories of risk as well as their organisation-wide impacts will require CFOs to upskill, learn to interrogate risk investments in areas outside of their expertise, and recognise the intrinsic link between risk management and cost management.