With profound economic, geopolitical, demographic, and technological changes taking place around the world, the business environment is rife with risk and uncertainty, but also opportunity. In such an environment, the need for risk-informed decision making has never been greater.
A recent Deloitte survey asked several hundred board members and C-level executives about their views on risk and their organization’s risk management prowess. The response was encouraging—at least on the surface. They believe in their organization’s ability to balance risk and reward and understand risk in the context of opportunities. Nearly all say they take the right amount of risks, and that the work their company does to manage those risks is optimizing outcomes across the enterprise.
But a closer look at the results revealed a more nuanced picture. Although 87% of respondents believe risk should actively contribute to value creation, only 18% say they purposefully pursue risk in this way today. Even where risk-taking could deliver value, from improving customer loyalty to ensuring the success of mergers and acquisitions, many organizations are simply not taking advantage of it. This apparent gap between perception and reality is surprising given the confidence executives have in their companies’ risk management activities.
Part of the disconnect may simply be a lack of clear insight into the forces of disruption and their potentially negative risk impacts. For example, despite rapid evolution in digital platforms and processes, survey respondents tend to downplay the significance that digital disruption has to their business strategies. But where data and technology use goes, so go the risks—namely, heightened exposure to cyberattacks.
The automotive sector offers a glimpse of how digital disruption can affect strategy and risk. Robotics, sensors, artificial intelligence, the internet of things and mobile applications are blurring the lines between vehicles and computers. This means automakers, along with companies upstream and downstream of them, are venturing into a realm where overall business success can hinge on the way they manage online security and data privacy.
Airlines face their own version of disruption. In that business, vast amounts of customer data flow throughout the value chain. Meanwhile, individual carriers have their own models, financial data, and intellectual property to protect. Given airlines’ reliance on digital assets for both market competitiveness and business continuity, a risk mitigation tool like insurance is not sufficient. Cyberrisk must be part of the company’s operational infrastructure.
Defending against threats is only one side of the risk value coin, however. The other side is looking for opportunities to transform and innovate for competitive advantage. Without risk awareness and its emphasis on visionary thinking, companies can find themselves on the wrong side of market trends.
Digital disruption serves as an example here as well. Consider food producers, who operate in a consumer landscape where concerns are growing about meat consumption and agriculture as a contributor to climate change. Here, potentially disruptive technologies include test tube-cultured meat proteins and 3D-printed food. Risk-oriented thinking enhances food processors’ ability to anticipate where these forces are likely to converge and develop strategies to respond.
Investment managers, for their part, must evaluate ways that digital disruption can affect the movement of money. A venture fund dedicated to “sharing economy” business models, for instance, would need to anticipate the risks and rewards of emerging technologies such as self-driving cars, remote monitoring, and incident prevention. Risk management can help firms deliver returns to investors by helping decision makers confront biases and ruthlessly scan the marketplace for innovative or disruptive trends.
Positioning the Risk Management Role
Further raising risk management’s visibility and improving its effectiveness in the face of today’s rapid changes may be challenging if there is no full-time chief risk officer (CRO)—or the CRO is consumed with process at the expense of strategy.
For the CRO’s role to evolve to the next level, a few things need to happen. First, senior leaders must acknowledge that CROs do not assume risk. Risk lives with the business units, and the CRO’s relationship to them (and senior leadership) is as a catalyst and steward. In other words, CROs work with them to define and execute strategic objectives in line with risk appetite, and provide appropriate oversight and governance of risk-taking activities.
Practically speaking, it is also critically important for CROs to have frequent, direct and transparent contact with the board, members of which might not have a strategic view of the company’s risk or do not embrace it as an opportunity. Recurring contact with the CRO can help board members get up to speed so they can make more-informed decisions.
Board composition is potentially another important improvement area. Often homogenous membership can create a tendency toward groupthink. At minimum, boards should include more tech-savvy perspectives that help them address the profound risks and opportunities associated with digital disruption.
Lastly, CROs themselves need to sharpen their focus on strategy. On this point, survey respondents agree, with 58% saying CROs should spend significantly more time helping to set the strategic direction of the company and align risk management strategies accordingly. Since strategy—especially as it pertains to value creation—begins at the top of the company, that is where the CRO needs to be as well. Ideally, CROs should report to the board.
Transforming the Organization
Suppose risk management did have the appropriate focus and authority within the organization. Most of the CRO’s attention would be directed to matters of business strategy, and contact with the board would be frequent, direct and transparent.
In this scenario, what else could CROs and their risk management functions do to preserve, protect and enhance value? Three steps come to mind:
- Strike a balance between threats and opportunities. Be diligent about core strategic areas of risk and reward, but do not lose sight of security at the perimeter.
- Embrace advanced cognitive analytics. Today’s business intelligence platforms offer powerful data mining, analytics and visualization tools, making it easier to uncover hidden relationships and communicate them clearly to senior leadership.
- Develop a resilient, risk-aware culture. Help the organization understand that risk acceptance or avoidance is a conscious choice, not a de facto outcome.
Companies today express confidence in their risk management capabilities. But many still approach risk defensively, as a threat to the status quo. To close the gap between perception and reality, risk instead must be recognized as a strategic function led by an executive explicitly tasked to create as well as protect value. This way, the entire organization can gain the ability to identify risks and opportunities, define alternate futures, and develop plans to respond