Top Risks Facing Public Sector Organizations

November 28, 2023 18 mins

Top Risks Facing Public Sector Organizations

Top Risks Facing Public Sector Organizations Hero Banner

Public Sector respondents to our Global Risk Management Survey (GRMS) ranked cyber attack or data breach and damage to brand or reputation as their two most critical risks.

The macroeconomic conditions driving risk exposure in the public sector include a stubborn talent gap, geopolitical volatility and an economic downturn characterized by high inflation and reduced revenue.

Against this backdrop, and amid escalating cyber threats and property losses from increasingly frequent severe weather events, public sector entities must try to expand their services to meet new needs — essentially, do more with less. But effecting change in the public sector can be cumbersome, making it difficult to quickly address challenges.

At the same time, demand for public sector resources is increasing in every area, from personnel to managing local government-funded infrastructure projects to new regulatory requirements in locations where cannabis use has been legalized.

Current Risks

State and municipal government organizations remain prime targets for cyber attacks amid geopolitical volatility, as participants from the public sector noted in their survey responses, ranking cyber attack or data breach as their number one current risk — one spot higher than in the 2021 survey. Meanwhile, as networks and security in the public sector are subjected to heightened regulatory and underwriting scrutiny, needs for further improvement in operations, infrastructure and technological capabilities are identified. Complicating matters is that financial risk mitigation and cyber security are often funded and managed by different government departments, disrupting communication and decision making around improving cyber security profiles.

Top 10 Current Risks
  1. Cyber Attack or Data Breach
  2. Damage to Brand or Reputation
  3. Failure to Attract or Retain Top Talent
  4. Regulatory or Legislative Changes
  5. Economic Slowdown or Slow Recovery
  6. Cash Flow or Liquidity Risk
  7. Property Damage
  8. Business Interruption
  9. Political Risk
  10. Failure to Innovate or Meet Customer Needs

The perpetual race to upgrade technology to deliver services and improve governance and public administration is also closely tied to the sector’s 10th-ranked risk, failure to innovate or meet customer needs. The public sector’s difficulties related to innovation are multiple and mainly people related. Lack of available specialized talent makes setting up the organizational structures to support innovation a key risk. Both short-term skills shortages and reskilling (or upskilling) the workforce are affecting the delivery of public services to meet the evolving needs of citizens.

The talent gap is far wider in the public sector than in the private sector. The vacancy rates for some government jobs are in the double digits, evident in public sector respondents’ number three ranking of failure to attract or retain top talent on the 2023 current risk list. Meanwhile, chronic understaffing puts strain on remaining employees, who often abandon the public sector for jobs in the private sector, where the pay is often substantially more competitive and the job stress lower. Tied closely to the struggle to recruit and retain talent are public sector respondents’ concerns about the budget constraints many of them face.

In some regions, budget shortages are compounding the difficulty of attracting talent to the public sector workforce, reflected in respondents’ inclusion of economic slowdown or slow recovery and cash flow or liquidity risk in their current top risks, at five and six, respectively. For example, in September 2023, Birmingham City Council, the UK’s largest public authority, issued a section 114 notice, akin to a public entity declaring bankruptcy. The notice froze spending for all but the council’s core services and cited a budget gap of £87 million. Woking Borough Council also issued a section 114 notice in 2023, when its budget deficit was forecast to be £2.6 billion. Some of the councils’ financial issues have resulted from attempts to create new income streams (such as commercial real estate investments) that failed to take hold during an economic downturn. Because of this, public sentiment regarding government entities has soured, exacerbating an already challenging talent recruitment problem. Participants from the public sector noted this trend in their survey responses, ranking damage to brand or reputation as their number two risk. And because of the economic downturn, the demand for public services is greater. These public-sector entities are forced to deliver more with fewer resources, tighter budgets and skeleton crews.

Survey participants in the public sector also noted increased concern over property damage, ranking it as their number seven risk for 2023. Indeed, insurance markets have been reacting in real time to catastrophic events, reassessing how coverage is provided and what limits should be. Under these conditions, property programs can become unstable and volatile. For example, Vermont and other parts of the northeast U.S. were devastated by 1,000-year flash floods in July 2023, with record-breaking rainfall and flooding causing damages and economic losses estimated at $3 billion – $5 billion. The following month, heavy rains led to flash floods in Kenosha County, Wisconsin, overwhelming clogged storm drains and flooding homes and businesses, submerging streets and parking lots and temporarily closing the Kenosha city and county emergency services and public safety department building.

Underrated Risks

Public sector survey respondents did not rank climate change among their top 10 current or future risks. Although two related risks, property damage and business interruption, were included as current top 10 risks for the public sector — numbers seven and eight, respectively — neither appears on the future risks list. As the effects of climate change accelerate, 100-, 500-, and 1,000-year weather events are beginning to occur with increasing regularity and in locations that were previously at low risk for weather-related property damage, business interruption and other climate-related impacts. According to the annual State of the Climate report published in September 2023, numerous indicators of climate change reached record highs in 2022, including greenhouse-gas concentrations, ocean heat and sea levels.

But exposures related to climate change go beyond risks to property and business continuity. The 2023 status report of the Task Force on Climate-related Financial Disclosures (TCFD) lists 19 jurisdictions, accounting for close to 60 percent of the world’s economy, that have final or proposed TCFD-aligned disclosure requirements in place that focus on risks and opportunities related to transitioning to a lower-carbon economy. With climate transition risk gaining more prominence and attention for public entities, they need to ensure that they pay as much attention to the long-term climate transition risks as to the short-term physical climate risks.

Workforce shortage is another risk that did not make it into the top 10 current risks for public sector participants, which is surprising. In the UK, for example, the Royal College of General Practitioners states that there are 250,000 vacant posts across the National Health Service and social care sectors alone. This well-documented and frequently debated issue has led to several strikes and not only caused distress to public sector workers and patients alike but also created a cycle in which demand for services consistently outpaces the available workforce, negatively affecting both service quality and morale among public sector employees.

Losses and preparedness

Nearly a third of Public Sector respondents suffered a loss due to the risks in the top ten, while half have plans in place to respond to them.

  • 31%

    average percentage of respondents who indicated risks in the top ten contributed to a loss for their organization in the 12 months prior to the survey.

    Source: Aon's 2023 Global Risk Management Survey

  • 49%

    average percentage of respondents who stated their organizations have set up a plan to respond to risks in the top ten.

    Source: Aon's 2023 Global Risk Management Survey

Future Risks

Cyber attack or data breach is the number one future risk for public sector participants. It is such a complex and fast-moving risk that public entities struggle to keep up with technology trends and the tactics of threat actors. Because the sector is planning to further increase its use of new technology, both as an enabler of business survival and as a contributor toward economic growth, it will create an enlarged digital “attack surface" with more potential security vulnerabilities for bad actors to exploit. Digitalization programs — together with increases in remote working and the widespread use of automation and service centers — mean that cyber exposure will remain a critical aspect of overall organizational success.

Top 10 Future Risks
  1. Cyber Attack or Data Breach
  2. Failure to Attract or Retain Top Talent
  3. Economic Slowdown or Slow Recovery
  4. Regulatory or Legislative Changes
  5. Cash Flow or Liquidity Risk
  6. Damage to Brand or Reputation
  7. Capital Availability
  8. Failure to Innovate or Meet Customer Needs
  9. Workforce Shortage
  10. Artificial Intelligence (AI)

A risk continuing to gain in importance is failure to attract and retain top talent, second on the future risk ranking for the public sector participants. Risk issues are continuing to blur the line between human capital and business operations. The availability and skills of workforces are a source and accelerant of business risks such as supply chain and business interruption, and the growing profile of strategic threats — such as failure to innovate or meet customer needs and increasing competition — create an environment in which talent gaps become one of the most significant issues on the minds of leaders, so it is no surprise that public sector participants are highly concerned, too.

Government use of artificial intelligence (AI) — ranked as the public sector’s number 10 future risk — to help in implementing policy and decision making creates exposures not only on the cyber security front but also related to the possibility that AI will entrench and accelerate bias in implementing policy. In an attempt to improve a service or allocation of funding to individuals, AI could potentially be trained on historical data that is based on biases in past decision making regarding eligibility for and disbursement of funding. This creates concerns around fair and equitable governance and makes AI a particularly difficult challenge for a body such as a government entity tasked with creating and implementing public policy, run by elected officials and accountable to the public.


Despite being the number one risk both now and in the future, only 14 percent of public sector organizations stated they had quantified their cyber exposure.

Source: Aon's 2023 Global Risk Management Survey

How Can Public Sector Organizations Mitigate These Risks Effectively?

Data collection in the public sector — from current valuation data to information about cyber security measures — is often of low quality and siloed in various agencies. Determining which segment of a particular public entity is charged with overseeing data collection is critical because without the proper data, public entities will face difficulties in underwriting and making informed, data-supported decisions about how to invest and allocate resources.

In addition, forward-looking cyber resilience strategies are essential in minimizing financial, operational, and reputational risks. Cyber resilience journeys require a holistic, proactive approach that combines risk identification and assessment, risk mitigation, response preparation and recovery and risk transfer mechanisms. This holistic approach includes cyber defense training for all individuals so everyone understands their role in upholding and advancing the organization’s security. Because stressed and disengaged employees are more likely to make mistakes or deliberately circumvent cyber security measures, safeguarding employee wellbeing is crucial. Preparing in advance for cyber security incidents is imperative for public sector entities to initiate the recovery process quickly and minimize downtime of citizen services and other essential functions.

While budgetary issues and talent shortages can be particularly difficult to navigate in the public sector, both can be addressed with the appropriate risk and people management strategies to build overall resilience. Improving health, benefit and rewards offerings can boost resilience for the existing workforce and help attract new talent as well as realize operational efficiencies and resilience. Increasing cash on hand and modifying capital strategies can help public sector entities support continuity in meeting financial and service obligations, while increased liquidity can help support investments in innovation.

While pay is clearly a draw for potential talent, it is often challenging — or not possible — for the public sector to compete with private-sector offerings. Finding the right balance between investing in the workforce to attract and maintain a talent pool while keeping salaries, benefits and other people-related costs within a manageable threshold is key. Reimagining the employee value proposition is one strategy that can be helpful in attracting and retaining top talent. Armed with insights into what current and prospective employees value, public sector entities can personalize employee benefits to meet diverse workforce needs and attract top talent.

General Disclaimer
This document is not intended to address any specific situation or to provide legal, regulatory, financial, or other advice. While care has been taken in the production of this document, Aon does not warrant, represent, or guarantee the accuracy, adequacy, completeness or fitness for any purpose of the document or any part of it and can accept no liability for any loss caused by reliance on it. Any recipient shall be responsible for the use to which it puts this document. This document has been compiled using information available to us up to its date of publication and is subject to any qualifications made in the document.

Contact Us

Let’s Connect

Talk to Our Team

Contact our team today to learn more about how we can help your business.