CEOs and boards should always have their eyes on potential risks, but how do they view these risks and what is their role in effective risk oversight? To gain a deeper insight into this question, Deloitte surveyed over 300 senior stakeholders, all from the C-level or BoD (excluding CROs), throughout the Americas, European Middle East and Africa, and Asia-Pacific regions.
Some of the key observations from the survey include:
- Companies need to build closer alignment between value creation and risk
- Companies need to do more to establish and optimize the role of the CRO
- Companies must forge responses to their most strategic risks and opportunities
Building Closer Alignment Between Value Creation and Risk
Nearly nine out of ten organizations recognize that risk management should focus on value creation, not just avoidance of risk. However, fewer than one in five are taking sufficient action in this regard. Those whose risk management philosophies focus on value creation cite a range of areas where actions are delivering significant benefits. Customer loyalty is just one example that Deloitte has repeatedly heard in their surveys over the years as an effective way to create value through risk management activities. Other areas where risk management can drive value include increasing operational resilience, improving cost effectiveness, and identifying and exploiting new business opportunities. “Business is all about risk and reward, and strategy and risk are two sides of the same coin” IAG CEO Peter Hamer states. “Often strategy discussions at IAG very quickly turn into conversations about risk,” he continues.
One major risk area is the overconfidence regarding their core risk-focused decision making and integration strategy. Key support for this view includes:
- 82% believe they are taking the right amount of risks
- In terms of balancing risk and reward, one in five companies believe they are well above average and two in five above average
- 73 percent say their risk management programs support their ability to develop and execute business strategy to a high or very high degree
- 82 percent are either extremely confident or confident that their risk management activities are optimizing outcomes across the enterprise.
- In terms of confidence in understanding risks in the context of opportunities, 51 percent describe themselves as extremely confident or confident
- Three in five respondents say their approach to risk management is either sophisticated or expert/highly sophisticated
Findings like these are particularly surprising given that so many companies have already communicated they need to do more to engage and align risk management with strategy and value creation. As Brexit and upcoming elections in the European Union pose changes to its structure, a dramatic shift in direction in the US points to new policies in taxation, regulation and trade. All of these circumstances suggest an era of unprecedented uncertainty. Finally, only half of surveyed companies use sophisticated risk analytics when making strategic decisions. Key reasons for failing to do more risk analytics include data teams who already work at full capacity, and also the lack of skills needed to understand and analyze the data at the organization.
One key area companies need to look closely at is their process for determining whether they are taking the right amount of risk. Companies must be critical in assessing their risk assumptions and ongoing risk management operations. As an insurance company, IAG looks at risk from two perspectives, says IAG’s Harmer. First, “there’s the volatility of other businesses or individuals that we assume, insurance liability, which requires very careful management”. The other area is financial risk, which the firm breaks down into operational, regulatory, and technology risk. Risks in these core baskets “translate down to an operational level: How much risk will we assume within the pursuit of our business objectives”? He goes on to say that the firm focuses specifically on continuous improvement, in terms of insurance risk, counterparty risk within reinsurance programs, and investment and financial risk. Where IAG has the most work yet to be done is in technology risk, where Harmer says the firm needs to be more agile in identifying emerging technologies presenting disruptive risks and opportunities.
Establishing and optimizing the Role of the CRO
Nearly two-thirds of senior stakeholders say the firms they represent have a full-time CRO, a number that has risen significantly among highly regulated industries, while falling to less than half among less regulated entities. In addition one-fourth of respondents say they do not have a CRO role, and that 88% of those cases say it is delegated to the CFO. At Groupe Renault, Payen points to the fact that the majority of public companies on the Paris Stock Exchange have a CRO.
One area where interviewees and the survey panelists agree is that CROs need to devote more time to business strategy. Deloitte breaks down the “four faces of the CRO” described through the research below:
- Strategist: Participating in setting the strategic direction of the company and aligning risk management strategies accordingly.
- Catalyst: Engaging leadership across the organization in defining and executing strategic objectives in line with risk appetite.
- Steward: Protecting and challenging the organization through effective risk management; ensuring appropriate oversight and governance of risk-taking activities.
- Operator: Balancing structure, capabilities, talent, and technology within the risk management organization.
Survey responses indicated CROs divide their time relatively equally among the four roles described above, but 58% say their CROs need to spend more time performing in a strategist role. Respondents felt the CROs should focus more on:
- Leveraging risk management to inform stakeholder decision making
- Evaluating/implementing new risk management methodologies
- Providing input for periodically reassessing risks within business strategy and planning
Another notable statistic from the respondents was that over two-thirds of companies say their CRO reports to the CEO, while only 10% say the executive CRO reports to the board. For effective risk oversight, the CRO absolutely should hold the C-suite accountable to the CEO, so this number should be 100%. The next number is even more disturbing, as interaction between the CROs and board provide a strengthening relationship that is needed in effective risk oversight.
Addressing Strategic Risk and Opportunities
Companies say they focus on a wide range of new and longstanding strategic and tactical risks, but how do they know they’re focusing on the right risks for their organization? As of 2013, sustainability and corporate responsibility (CSR) was barely visible, but is now the most frequently cited risk to business strategies, followed by risks of innovation and disruption.
A growing number of consumers make choices based on a company’s practices across a wide range of issues. Thinking about the next three years, strategic alliances and counterparty relationships surge into first place as the most frequently cited risk to business strategy. Regarding the third area of focus, a related question shows that three out of five companies say their production and services models are prone to innovation disruption.
Instead of expressing serious concern, most respondents instead show confidence in the ability to harness innovation for a positive benefit. As indicated from their responses, companies feel they are in great hands to effectively delegate the three key steps to managing strategic risk:
- Discovery: Developing and deploying “risk sensing” mechanisms enabling the company to identify key indicators that can provide early warnings of shifts in the environment.
- Preparation: Developing scenarios presenting potential alternate futures and their implications for markets, business models, supply chains and so on.
- Response: Developing response plans corresponding to the alternate futures—ready for implementation the moment early warning indicators begin flashing.
Despite confidence in these key areas, many respondents believe improvement may be needed to help evaluate and facilitate innovation and monitoring the business environment for potential disruptors. Yoost has extreme views on how companies can respond to disruption in the near future, but says “companies tend to ignore disruption until it’s too late”. Going forward, Yoost believe the role of the CRO is to develop clear insight into the forces of disruption, as well as taking the lead on these strategic risks for the organization.
As companies continue to focus on disruption and innovation, other risks may be seen as equally critical. Few respondents rank risks such as cyber technology, geopolitical, and brand reputation as critical to business strategies. It is vital to recognize that respondents were asked to name the top three risks having an impact on business strategy. Any given risk could certainly be important to an organization not quite own the top three status. Or it could mean these are important but the company feels their process and strategy for mitigation are proven effective.
Read ERM articles as soon as we post them
Keep up-to-date with current developments in ERM. Subscribe to the ERM Newsletter.