Top Risks Facing Professional Service Firms
Professional Service respondents to our Global Risk Management Survey (GRMS) ranked cyber attack or data breach and failure to attract or retain top talent as their two most critical risks.
Professional service firms are facing an increasing number of challenges. Rapidly evolving client needs, changing legal and regulatory requirements, changes in service lines, accelerated technology evolution and the need to attract and retain high-quality talent in an environment of intense competition were at the forefront of participants’ minds when selecting their top 10 current and future risks.
A series of transformative trends are reshaping the risk landscape of the sector, driving the evolution of firms. These include an increased emphasis on remote work and collaboration, an enhanced need for IT and data security, personalization of the client experience, and the adoption of artificial intelligence (AI) and automation.
While these challenges are not unique to professional service firms, they are having a profound impact on the sector and are causing rapid change across business and operating models. At the same time, firms are finding that they need different skill sets if they are to succeed, which in turn is impacting talent attraction and retention and workforce planning. The 2023 survey results indicate that the sector’s reported risk readiness is 6 percent lower than the global average of 60 percent and slightly lower than it was in 2021. This suggests that while professional service firms are embracing risk change, the complexity of the current risk environment is proving challenging.
Current Risks
New technology and the increasing digitalization of the sector have increased the risk of cyber attacks and data breaches, which are perennial concerns for professional service firms and their clients. Indeed, cyber attack or data breach is the top risk for professional service firms, as identified in our 2023 survey. Cyber threats loom large for the sector as firms hold large amounts of sensitive commercial and personal information. As the data comes from many clients, theft, manipulation or abuse of the information could magnify the impact of a loss event.
Top 10 Current Risks
- Cyber Attack or Data Breach
- Failure to Attract or Retain Top Talent
- Damage to Brand or Reputation
- Economic Slowdown or Slow Recovery
- Failure to Innovate or Meet Customer Needs
- Increasing Competition
- Workforce Shortage
- Business Interruption
- Tech or System Failure
- Regulatory or Legislative Changes
As global economies recover from the interruptions caused by COVID-19, concerns regarding talent are common across the sector. Failure to attract or retain top talent was ranked by respondents from professional service firms as the sector’s number two risk and workforce shortage as its number seven risk.
Competition for top talent has always been intense, but the stakes are particularly high for professional service firms because human capital is their most crucial asset and a key source of growth and innovation. As firms enter new practice areas—including specialized, technical fields that require scarce and sought-after competencies in areas such as AI and environmental, social and governance (ESG) issues—their progress, success and failure may hinge on their ability to attract, manage and retain top talent.
Concerns remain related to traditional risks to business operations, such as damage to brand or reputation (number three), economic slowdown or slow recovery (number four), and failure to innovate or meet customer needs (number five). This is to be expected for a sector in which competition is fierce, client needs and requirements frequently change and innovation is a prerequisite for survival.
Investment in technology remains a business priority in the sector. Professional service firms often partner with third-party providers and subcontractors for critical infrastructure and service delivery, so the need to avoid problems and interruptions is imperative. Due to this reliance on IT and enabling technology, it is perhaps unsurprising that risks such as tech or system failure and business interruption have been ranked numbers nine and seven, respectively, in this year’s survey.
The 2023 survey responses from sector participants reflect an uptick in concern about the risk of increasing competition (number six, up from number eight in 2021). The survey data suggests that some professional service firms may be facing challenges with customer acquisition and retention, problems related to capturing and maintaining buyer attention, the rapidly changing business needs of clients and hyper competitive markets.
Underrated Risks
Data privacy (including GDPR) requirements or non-compliance no longer appears in the top 10, likely because of the significant risk mitigation efforts that professional service firms have already committed to compliance risk. But new requirements have arisen with new data-privacy laws and increased regulation.
Traditional professional liability risk, including the risk of high judgements, does not appear in the top 10, but in our view, it remains a major—and evolving—risk. Part of this evolution includes so-called nuclear verdicts, in which juries award exceptionally high judgments, and social inflation linked to civil litigation, which have contributed to large professional liability losses. Variety in sources of claims appears to have materially grown since the last survey, as has non-privacy regulatory enforcement by a variety of regulators, both in and outside the U.S., particularly for accounting firms.
The increased prominence of ESG matters in the past two years has affected the professional services sector. In our view, there is a potential risk for the firms based both on their own ESG footprint and policies and from client work. Accounting firms, for example, can be involved in the creation and deployment of systems and processes that generate and record the data necessary to discuss ESG issues, and they are also involved in the auditing and affirmation of this data for stakeholders. Both represent evolving risk for firms. At this time, it is unclear what level of additional risk will be associated with involvement in the measurement or attestation of ESG compliance.
Losses and preparedness
Over forty percent of Professional Service respondents suffered a loss due to the risks in the top ten, while more than half have plans in place to respond to them.
- 43%: average percentage of respondents who indicated risks in the top ten contributed to a loss for their organization in the 12 months prior to the survey.
- 54%: average percentage of respondents who stated their organizations have set up a plan to respond to risks in the top ten.
Source: Aon's 2023 Global Risk Management Survey
Future Risks
Cyber attack or data breach is again the top future risk (as well as the top current risk), and its importance is unlikely to decline. Cyber is a complex and fast-moving risk, and it is necessary for firms to keep up with the latest trends and tactics of threat actors. Technology will continue to play a central role as an enabler of business and as a contributor to economic growth. However, this ongoing reliance on technology will create an even larger digital “attack surface” and is likely to present more potential security vulnerabilities. It is not surprising that this risk remains the top future concern.
Top 10 Future Risks
- Cyber Attack or Data Breach
- Failure to Attract or Retain Top Talent
- Economic Slowdown or Slow Recovery
- Artificial Intelligence (AI)
- Failure to Innovate or Meet Customer Needs
- Regulatory or Legislative Changes
- Workforce Shortage
- Damage to Brand or Reputation
- Increasing Competition
- Geopolitical Volatility
AI, number four on the list of future risks, has become a more prominent risk as its adoption and use increases. While AI may help professional services firms create and deliver more innovative offerings—perhaps counterbalancing failure to innovate or meet customer needs, the number five future risk—it will also likely be an important source of risk. AI has already been embraced by many in the professional services sector and, as is the case with the rapid adoption of any new and disruptive technology, the opportunity of AI will transform the sector’s enterprise risk landscape. AI will likely introduce new risks and change the severity and impact of many existing risks, including professional liability, cyber, IP and others.
Also noteworthy is the number 10 ranking of geopolitical volatility. The conflict in Ukraine was showing no sign of abating when the survey data was captured, and concerns about the Middle East and the increasingly hostile relationship between China and Taiwan featured prominently in the news.
Mitigating this complex risk requires horizon scanning, and according to the Financial Times, many firms are seeking geopolitical advice as tensions rise, consulting former diplomats to inform decision making or even join their leadership teams. It might well be that this was what led participants to prioritize this risk as a future concern above business interruption and tech or system failure, which have dropped out of the sector’s future top 10.
Despite it being the industry's second-most critical risk both now and in the future, only 5 percent of Professional Service respondents stated they had quantified the impact of failing to attract or retain top talent.
Source: Aon's 2023 Global Risk Management Survey
How Can Professional Service Firms Mitigate These Risks Effectively?
With its reported readiness at 54 percent, the professional services sector indicates lower levels of preparedness for 2023’s top 10 risks compared to the 2021 survey. Consistent with the level of self-assessed readiness, the sector also reported the highest share of loss of income from the top 10 risks across all sectors: 43 percent, up from 37 percent in 2021. Since the industry also had a relatively low percentage of respondents who reported having mitigation actions in place for their top 10 risks, firms should consider revisiting and upgrading their mitigation plans.
A key area of focus should be cyber security—specifically in mitigation, risk management, resilience and response planning. With the application of new technologies such as generative AI being a key concern, risk management departments and firm leadership need to understand the potential risks and insurance implications of using and relying on AI.
Firms should also consider a review, assessment and (if necessary) refinement of their risk financing to make sure that they adequately address and cover their evolving risks. Enterprise risk management should be deployed to help drive operational resilience. This should include continuous risk scanning to identify and address emerging risks.
To attract and retain talent, firms should consider a review, benchmarking and (if necessary) enhancement of their health and benefits programs to ensure that they are competitive and responsive to employees’ changing needs. Tools that help identify and assess talent can help. At the leadership level, firms should consider reviewing the composition of their management structures and teams to assess whether they have the risk management experience needed to monitor existing risks and respond to new ones.
Additionally, the composition of firms’ leadership teams can be easily overlooked as the business navigates emerging risks. As leadership grapples with emerging risks in areas such as AI, ESG and talent, a diverse management team—including members with technical backgrounds and experience in risk management—will be crucial to helping firms navigate these risks.
General Disclaimer
This document is not intended to address any specific situation or to provide legal, regulatory, financial, or other advice. While care has been taken in the production of this document, Aon does not warrant, represent, or guarantee the accuracy, adequacy, completeness or fitness for any purpose of the document or any part of it and can accept no liability for any loss caused by reliance on it. Any recipient shall be responsible for the use to which it puts this document. This document has been compiled using information available to us up to its date of publication and is subject to any qualifications made in the document.