It is critical for risk managers to consider not only the risks of negative occurrences but also risks linked to success that can allow for capitalizing on opportunities. These two aspects of risk are respectively called “unrewarded risk” and “rewarded risk”. Unrewarded risk is commonplace in business and includes activities such as compliance with regulations and timely payment of bills. While these activities are essential to meeting stakeholder expectations, the primary benefit of performing these activities in a competent manner is value protection, not value creation. Rewarded risks, on the other hand, are taken primarily to drive value creation and include activities such as developing new products, entering new markets, and acquiring new companies. A business must address both types of risks to be successful: rewarded risks in order to thrive, and unrewarded risks to avoid noncompliance, litigation, and reputational risk issues.
This idea is captured in the following business maxim, coined in this report by Steve Wagner and Mark Layton: “Organizations that are most effective and efficient in managing risks to both existing assets and to future growth will, in the long run, outperform those that are less so. Simply put, companies make money by taking intelligent risks and lose money by failing to manage risk intelligently.”
Increasing Importance of Risk Management
Risk management programs have been growing in importance due to several factors. Regulatory pressures have increased, with the New York Stock Exchange requiring audit committees of listed companies to evaluate the risk management practices of a company. Institutional investors are including risk management considerations in their investment decisions, which affects a company's ability to acquire capital. Debt rating agencies are including enterprise risk management capabilities in their evaluation criteria, which affects the cost of capital. Because the Internet spreads information quickly, companies are less able to deal discreetly with threats to their reputation. Finally, shareholder lawsuits can threaten directors and executives with out-of-pocket settlements, personalizing corporate risk.
Characteristics of a Risk-Intelligent Enterprise
A risk-intelligent enterprise has developed risk management capabilities with several common characteristics. The enterprise has full-spectrum vision, adopting management strategies that address the entire range of the company’s risks. The enterprise has a portfolio view of risk, with risk silos bridged so that communication and information are shared across the enterprise. This often entails having a risk management charter calling for frequent, formal, structured, documented meetings about risk, with reports made regularly to management and the board. Common risk terminology and metrics are established so comparisons can be made and understood across the company. The focus is on addressing possible impacts that could occur, because in this way one plan to address a certain impact can work for multiple threats. The enterprise is risk conscious, with risk management practices embedded in the corporate culture so that strategy and decision-making occur through a risk-informed process. The enterprise takes risks to create value as well as to protect value, focusing on both avoiding negative outcomes and attaining positive outcomes.
Moving Towards Risk Intelligence
In order for many organizations to become more risk intelligent, failure needs to be addressed in advance and built into the strategic planning process. Companies should understand the answers to questions about what could cause their failure in areas such as attaining and sustaining revenue growth, increasing operating margins and improving the efficiency of assets, and meeting expectations of key stakeholders. Asking these questions allows an entity to better decide how to prevent these failures, recognize early warning signs, and implement course corrections. Businesses need to be intelligent about their rewarded and unrewarded risks.
For an entity to say it is using enterprise risk management, its practices should encompass the entire entity, there should be a focus on both rewarded and unrewarded risks, and the entity’s activities should be efficient and effective. When an entity is beginning a program to increase its risk intelligence, the program does not have to be a large, expensive process; instead, small steps can be taken to bring about meaningful change. These steps include: thinking through risk, getting risk into the conversation, having a meeting to address risk, creating crisis response and escalation procedures, imagining failure and how to overcome it, differentiating between rewarded and unrewarded risks, improving risk knowledge, stress-testing resilience of the entity under different scenarios, focusing on finite effects instead of myriad causes, prioritizing the entity’s critical few risks, and ensuring the entity speaks the same language.