Close

Are you in compliance?

Don't miss out! Sign up today for our weekly newsletters and stay abreast of important GRC-related information and news.

Study looks at risk management’s evolution to strategy

Joe Mont | June 22, 2017

Risk. Everybody has it, but what are smart companies doing about it?

A recent Deloitte Global report, “Taking Aim at Value: Avoid Overconfidence and Look Again at Risk,” surveyed board members and the C-suite to better understand how they view their organizations’ capabilities in balancing risk and reward.

The report notes that, despite operating in an increasingly complex environment, boards and C-suite leaders are extremely optimistic about their risk awareness and capabilities. Should they be? Are senior stakeholders overstating their organization’s risk prowess?

In a world of unprecedented change and rapidly evolving technology, companies are increasingly vulnerable to new and existing threats. Their risks, according to the report, can also create opportunities for value creation and competitive advantage.

“Embedding risk management into the business” is effective because “they are much more closely tied to strategy and its execution,” the report says. Nevertheless, there can be a disconnect between philosophy and action when it comes to leveraging risk management for value creation.

Nearly nine-in-10 of the survey’s respondents believe value creation should be a key focus of risk management, yet only one-in-five are taking the steps needed to implement improvements. Three-out-of-five respondents say their organizations are susceptible to the profound forces of innovation and disruption.

“We have seen a sea change in terms of how clients are viewing this paradigm shift,” says Sam Balaji, Deloitte Global Risk Advisory leader. “Historically, if you look at risk management it has always been focused on value protection and compliance. That’s the mindset. But everything is getting disrupted. Consumer expectations are changing. Regulation is changing. Technology is fueling lots of new business models as well as expectations across ecosystems.”

“We ought not just think about the business of today, but also the business of tomorrow,” he cautions.

Among the recommendations found in the report: elevating the chief risk officer to a business partner in order for organizations to build a closer alignment between value creation and risk.

A majority of business leaders surveyed (63 percent) said the firms they represent have a full-time CRO. An additional 24 percent said they believe the role is performed by another executive.

There is evidence, however, that organizations may not be defining this critical role accurately and, as a consequence, not benefiting from it fully.

Eighty-two percent of senior stakeholders say their companies are taking the right amount of risks, yet only 61 percent say their approach to risk management “is either highly sophisticated or sophisticated.”

“They are focusing on the here and now,” Balaji says. “They are focusing on what has traditionally been the role of risk management in organizations, which is reactive, not proactive, and more focused on compliance and value protection.”

“Risk and opportunity are two sides of the same coin,” he adds. “You need to take risk to capture market opportunity, but if you take too much risk it, obviously, isn’t going to end well. While people are generally aware of risk, the lens you look at it through must be proactive versus reactive, protect versus create, and the business of today versus the business of tomorrow.”

Only 63 percent of the survey’s respondents said having a formal CRO, a number many would say should be closer to 100 percent. More than half (58 percent) said their CROs should spend significantly more time setting the strategic direction of the company and aligning risk management approaches.

There is optimism, but the data indicates that only 20 percent are actually harnessing risk to create and drive value.

“Once again, it goes back to what is the role of the CRO,” Balaji says. “There is a fair degree of inconsistency in how the role is defined across organizations.”

A factor to consider is that there are more expectations on CROs because boards are more engaged in risk management. “You can’t pick up a newspaper without seeing reputation risk or a brand issue someone is seeing in the marketplace,” Balaji says. “If you look at the causes, some may have been mitigated faster, or even prevented, with the appropriate lens of risk management and being proactive about what could happen.”

Companies should better align value creation and risk, the report advises. Organizations whose risk management philosophies and programs focus on value creation cite a range of areas where their actions are delivering significant benefits. These areas include customer loyalty, increasing operational resilience, improving cost effectiveness, and identifying and exploiting new business opportunities.

“There is an element of getting away from just value protection to balancing value protection and value creation,” Balaji says. “With disruption, there is a huge opportunity to inject fresh thinking and new energy into how you can use risk management as a strategic enabler. Risk can actually power the performance of organizations.”

“Historically, going back to the compliance mindset, risk management has been reactive, but then there is an opportunity to be proactive and shift strategy, and being a catalyst for change within the organization,” he adds. “The CRO needs to work directly with a senior executive, chief human resource officer, and other senior business leaders to make sure there is a culture that permeates throughout the organization that is sensitive to the risks, but also able to be risk intelligent. That’s going to be a hard journey, but it is an important one.”

Technology is an area where companies may be trying to catch their breath. It is an area where risk and reward need not necessarily be viewed as polar opposites. “We live in a very agile environment right now, where people are implementing things way too fast,” Balaji says. “Every business is getting digitized. While they want to take advantage of the opportunities, they are also injecting new types of risks and going to frontiers they have not gone to before. Risk management becomes key.”

“Historically, people used to be dependent on information that is resident within their enterprise, but now they can apply social media and third-party sources to get closer to customers,” he adds. “They can look at reforming supply chains or creating ecosystems that are much more competitive.”

Risk management can be included in debates over short-term performance and long-term goals. “One of the things that boards of directors are expected to do, in addition to providing their normal governance, is to look at long-term strategy and risk mitigation,” Balaji says. “Those are the two most important things that they do, and management is usually focused on the here and now.”

“With technology and disruptive forces, the velocity of change is increasing,” he adds. “I don’t think there are many years left on the clock for actually absorbing change and driving change through organization to reinvent the businesses. Even though we say ‘long-term,’ the time horizon is probably limited to just a few years.”

A central theme of the report is that companies cannot afford overconfidence when it comes to strategizing risk management.

“Business leaders should recalibrate and fortify their risk management programs to ensure strong alignment with business strategy, linking them to value creation and differentiation,” Balaji says. “Given the pace of change and these findings, it is clear that a healthy dose of self-reflection accompanied by concrete action is imperative to harness the power of risk management to achieve market leadership.”

The study, conducted for Forbes Insights, surveyed more than 300 C-level or board representatives excluding CROs across the Americas, EMEA and Asia/Pacific.