Executive Perspectives on Top Risks for 2013

1. Executive Perspectives on Top Risks for 2013 • Key Issues Being Discussed in the Boardroom and C-Suite • May 17th, 2013 For further inquiries, please contact: Keith Keller, Managing Director Protiviti, Inc. 3343 Peachtree Road NE Suite 600 Atlanta, Georgia 30326 Phone: 404.443.8224 keith.keller@protiviti.com

2. Introduction • Protiviti and North Carolina State University’s ERM Initiative surveyed more than 200 board members and C-suite executives on risks likely to affect their organizations over the next 12 months • The survey provides perspectives on the potential impact of 20 specific risks across three dimensions: • Macroeconomic Risks:Likely to affect organization’s growth opportunities • Strategic Risks:Likely to affect the validity of the organization’s strategy for the pursuit of growth opportunities • Operational Risks:Likely to affect key operations of the organization in executing its strategy

3. Survey Methodology • Respondents were asked to rate 20 individual risk issues using a 10-point scale: • A score of 10 reflects Extensive Impact to their organizations over the next year • A score of 1 reflects No Impact at All • Based on average scores, the risks were categorized into one of three classifications: • Significant Impact: Risks with an average score of 6.0 or higher • Potential Impact: Risks with an average score of 4.5 through 5.9 • Less Significant Impact: Risks with an average score of 4.4 or lower

4. Survey Respondent Breakdown

5. Top 10 Risks

6. Top 10 Risks

7. #1 – Regulatory risk Regulatory changes and heightened regulatory scrutiny may affect the manner in which our products or services will be produced or delivered.

8. #2 and #3 – Economic Conditions and Sovereignty risk/political gridlock Economic conditions in markets we currently serve will significantly restrict growth opportunities for our organization. Uncertainty surrounding political leadership in national and international markets will limit growth opportunities.

9. #4 and #5 – Organic growth concerns and Succession/Talent Organic growth through customer acquisition and/or enhancement presents a significant challenge. Succession challenges and the ability to attract and retain top talent may limit our ability to achieve operational targets.

10. #6 – Financial markets/currencies Anticipated volatility in global financial markets and currencies will create challenging issues for our organization to address.

11. #7 – Cyber threats Cyber threats have the potential to significantly disrupt core operations for our organization.

12. #8 – Security/Privacy Ensuring privacy/identity management and information security/system protection will require significant resources for us.

13. #9 and #10 – Resiliency and Performance gaps risk Resistance to change will restrict our organization from making necessary adjustments to the business model and core operations. Our existing operations may not be able to meet performance expectations related to quality, time to market, cost and innovation as well as our competitors.

14. Industry Analysis

15. Analysis Across Industry – Top 5 Risks*

16. Analysis Across Respondent Role

17. Analysis Across Respondent Role – Top 5 Risks*

18. Analysis Across Organization Size

19. Analysis Across Organization Size – Top 5 Risks*

20. Plans to Deploy Resources to EnhanceRisk Management Capabilities

21. Additional Resources to Risk Management – By Industry On a scale of 1-10, respondents rated whether the organization plans to devote additional resources to risk management over the next 12 months. (1 – “Unlikely to make changes”; 10 – “Extremely likely to make changes”)

22. Additional Resources to Risk Management – By Organization Size

23. Additional Resources to Risk Management – By Organization Type

24. Additional Resources to Risk Management – By Respondent Role

25. Calls to Action Ensure there is sufficient focus on the implications of a changing environment • Is management periodically evaluating changes in the business environment to identify the risks inherent in the corporate strategy?  • Is the board sufficiently involved in the process, particularly when such changes involve acquisition of new businesses, entry into new markets, the introduction of new products or alteration of key assumptions underlying the strategy? Ensure the risk assessment is sufficiently robust to inform board/management communications • Does management apprise the board in a timely manner of significant risks or significant changes in the organization’s risk profile?  • Is there a process for identifying emerging risks?  • Does it result in consideration of response plans on a timely basis?

26. Calls to Action Ensure the board is knowledgeable of the key enterprise risks and the capabilities in place for managing those risks • Is the board aware of the most critical risks facing the company?  • Does the board agree on why these risks are significant?  • Do directors understand the organization’s responses to these risks?  • Is there an enterprise wide process in place that directors can point to that answers these questions and is that process informing the board’s risk oversight? Enrich the strategy setting process with a risk appetite dialogue between management and the board • Is there a periodic board-level dialogue regarding management’s appetite for risk and whether the organization’s risk profile is consistent with that risk appetite?  • Is the board satisfied that the strategy-setting process appropriately considers a substantive assessment of the risks the enterprise is taking on as it formulates and executes its strategy?

27. Q&A

28. For more information and to download the full report Executive Perspectives on Top Risks in 2013 visit: www.protiviti.com/toprisks and www.erm.ncsu.edu Thank you!