In late June, I spoke at a conference in Italy focused on risk management and organizational change. Those in attendance included both business professionals and academics interested in understanding more about enterprise-wide risk oversight practices in hopes that we might identify useful techniques to advance those efforts. Most attendees were from across Europe, with a handful traveling from Asia, Australia, and the United States.
From both the formal plenary presentations and my informal conversations during breaks and over meals, I was struck by the consistency of risk management challenges in the organizations represented at the conference with those challenges I often hear and observe from work I do with U.S.-based organizations. The issues are mostly the same, regardless of where the organization may be based, reminding me that certain realities are true wherever we are in the world and that the world in some ways is “small after all.”
Here are five key themes I heard over the two days of the conference that seem to ring true for organizations around the globe:
The Speed of Information Exchange is Elevating the Need for More Robust Risk Oversight. The rapid pace of how information is exchanged and disseminated means news about a particular event can affect an organization’s reputation and brand at frightening speed. One of the speakers, Gillian Lees from the Chartered Institute of Management Accountants (CIMA) based in London, noted that organizations no longer have the luxury of time to engage in decision-making to craft their strategic response once news about a risk event is released. Increasingly, once news of an entity’s missteps enters the public domain the media often begins a search to uncover and disclose other unrelated events affecting that organization. In many cases a single risk event is attached to other unrelated risk events that when combined rapidly begin to erode the organization’s reputation and brand.
To address this reality, some organizations are working proactively to more robustly consider their organization’s responses to its top risks allowing them to think through strategies of managing these risks well in advance of an actual event. Having “playbooks” of different response strategies identified in advance helps them to more quickly respond to risk issues and diffuse some of the adverse effects on a timely basis. Developing an inventory of responses to top risks and vetting the effectiveness of those responses may pay significant dividends when immediate action is required.
- Risk Management Leaders Need to Speak the Language of the Business. Like many professions, those who lead an organization’s risk management efforts often develop their own language that they use to communicate with others. Conversations about likelihood, impact, inherent and residual risks, risk appetite and risk tolerances become commonplace among risk management leaders, but they may not be well understood by others in the business. Some risk management leaders forget the importance of speaking the language used by those in their audience. Business leaders are focused on boosting margins, achieving objectives and goals, and advancing the business and that usually affects how they think and the language they use. As a result, the language risk management professionals tend to use may not be well understood or appreciated by key business leaders.
To address this, some risk management leaders are rethinking the language and jargon they employ to ensure that they are being heard and understood by business unit leaders. Learning and then employing the business language used within an organization may go a long way in engaging business leaders in important risk management tasks that should strengthen the understanding of key risks to the business.
- The Complexity of Business May Outweigh an Individual’s Capacity to Assess Risks. Geopolitical events, cyber threats, disruptive innovation, regulatory shifts, and changing social demographics represent just a sampling of issues that may trigger significant risks for an organization. Any one of these risk drivers is complex in and of itself, but the emerging reality is that any of these risk drivers may be related to or trigger other risks, only adding to the complexity of the risk management challenge. In many situations, the number of factors that need to be evaluated to accurately assess a risk’s likelihood or impact may outweigh any one individual’s capacity. Despite this reality, a number of C-suite teams fail to recognize the value of embracing a more holistic and team-based enterprise-wide approach to risk identification and assessment. This is often based on the belief that an organization’s historical approach to risk management, where risks are “always on the minds of executives,” still works best in today’s environment.
Some organizations are rethinking how they approach risk identification and assessment to find ways to bring together the collective minds of a number of individuals to explicitly and proactively think through potential risk drivers. They are doing so based on the perceived benefits of putting several minds to work when identifying and assessing risks to the organization. A collection of varied perspectives on complex risk issues may be needed to face the realities of today’s business environment.
- Risk Oversight and Strategy Need to be Better Integrated. Several of the conference speakers commented on the apparent disconnect between an organization’s risk management and strategic planning activities. Unfortunately, in many organizations, risk management is viewed as a compliance or regulatory activity that needs to be done to satisfy some external demand for risk management. Often that means risk management is relegated to a lower-level, non-strategic position that addresses important, but not strategy-defeating issues. For some reason, business leaders continue to struggle to remember the important connection between “risk and return.” As a result, the organization’s risk management efforts are inadequately integrated with strategic planning. This may partially be driven by how risk managers have been leading their risk identification and assessment efforts.
Rather than beginning the conversation with a discussion about what drives value for the organization in order to pinpoint key risks, the conversation begins with what risks are on the horizon (e.g., what keeps you up at night?). By starting the conversation with what is strategically important to the organization and then asking what might prevent that from being successful, we might better assist business leaders in seeing how risk management can be positioned to provide strategic value.
- Overlooking Ethical Culture May Lead to an Organization’s Biggest Risk. Business culture varies across organizations and it is important to understand how an organization’s culture might affect its risk management efforts. Understanding what values are important among the leaders of the organization may shed insights as to the willingness organizational leaders may have to take certain risks. One of the speakers, Anette Mikes from the University of Lausanne, noted that while most organizations have a set of defined business values, sometimes management’s behaviors and decisions may not reflect those stated values.
Recognizing when those differences potentially exist and calling attention to those disconnects may be risk management’s most important contribution. Challenging decisions from an ethical lens may be something that risk managers might want to consider. Of course, doing so, may represent a significant personal risk for risk management leaders, if there is little support and endorsement from those in key governance roles, such as the board of directors.
When we travel, we are frequently reminded that we are more similar than different when considering ourselves relative to others around the world. That reality is true as we observe some of the challenges business leaders face as they help lead their organization’s risk management efforts. The issues are largely the same whether we are based in Manhattan or Milan. Working together to address these challenges is in our collective best interests.
If you are interested in understanding the current state of risk oversight practices around the world, be sure to check out our most recent survey report, 2017 Global State of Risk Oversight. That report reflects perspectives about current risk oversight activities from 586 chief financial officers and other senior executives of organizations in four geographic regions of the world: Europe and the United Kingdom; Asia and Australasia; Africa and the Middle East; and the U.S. Download the report. Other risk management resources are provided on our ERM Initiative web site.
Mark S. Beasley, CPA, Ph.D., is the Deloitte Professor of Enterprise Risk Management and Director of the ERM Initiative at NC State University. He completed over seven years of service as a board member of the Committee of Sponsoring Organizations of the Treadway Commission (COSO) and has served on other national-level task forces related to risk management issues. He advises boards and senior executive teams on risk governance issues, is a frequent speaker at national and international levels, and has published over 90 articles, research monographs, books, and other thought-related publications.