Skip to main content
Poole College of Management
Enterprise Risk Management Initiative
ERM Leadership and Governance

CEO and Board Risk Management

July 30, 2019 6-min. read

Overview

This article, “CEO and Board Risk Management Survey”, by Deloitte argues that one of the most critical roles of CEOs and board members is managing risk. One of the most critical roles of CEOs and board members is managing risk. The environment of today consists of ongoing disruption, innovation, and technological change. Increasing disruption leads to greater risks, which may become greater still because they are often interconnected. And because these risks don’t occur in isolation, addressing them in silos can be an exercise in both frustration and futility. Deloitte surveyed 200 CEOs and 200 board members in organizations of more than $1 billion to find out how leaders can become more confident in their risk management capabilities. The survey explores strategic risks in four areas that are most critical to understand in today’s marketplace which are brand and reputation, culture, cyber and technology, and lastly, extended enterprise.

Gap Analysis

Virtually all senior leaders, 95 percent of CEOs and 97 percent of board members, believe that their organizations will face serious threats to their growth prospects in the next two to three years. They are concerned about the breakneck pace at which their organizations must develop, deploy, and manage new technologies. Cyber incidents are a major concern. The extended enterprise also poses significant risks, particularly in the view of board members, who rank it second among the four strategic risks. Reputation and culture risks are of the least concern to CEOs and board members, yet these may be the risks which they have the most control over. The interconnectedness of strategic risks needs to be acknowledged and understood. More board members than CEOs cite new technologies as a priority and CEOs are slightly more likely to prioritize investing in culture and talent

Reputation Risk

Reputation is among an organization’s most valuable assets. Reputation risks are interconnected threats related to a variety of factors, including ethics and integrity, security risks, product and service risks, culture risk, and extended enterprise risk. This risk is created when the performance of an organization does not meet the expectations of the consumers based on strategy, history, and behavior throughout the entity. Nearly half of the respondents acknowledge that their organizations lack the ability to identify reputation-impacting events, analyze risks, and forecast impacts on brand and reputation. Fewer than half of CEOs and boards have discussed the state of the organization’s reputation. Leaders often do not realize that reputation risks stem from a much broader range of events in today’s environment than in the past, due to digitalization and a 24-hour news cycle focused heavily on business. CEOs and board members are closely aligned on the top risks to the organization’s reputation, cyber breaches and physical breaches, continuing the cyber-focused theme of their thinking. Lack of consensus exists on some reputation risks, such as product safety and quality, ethics and integrity, and employee misconduct.

Culture Risk

Culture is a system of values, beliefs, and behaviors that shapes how things get done within an organization. Culture risk is created when there’s misalignment between an organization’s values and leadership actions, employee behaviors, or organizational systems. Culture risks are of the least concern to CEOs and boards, with only one in five citing it as a top threat to their growth prospects. Leaders may be overestimating the health of their cultures, or they may be underestimating the forces that can undermine even a sound culture. Fewer than half of the surveyed leaders plan to invest in culture risk management processes. Only one in three organizations regularly report to the CEO and the board on culture and conduct risk. Only 32 percent of CEOs and 18 percent of board members report that their organizations have reviewed their culture risk management practices in the past year. How organizations invest in culture-related processes will likely determine their capabilities in this critical area. They should consider technologies, tools, and platforms that monitor external as well as internal culture risks.

Cyber Risk

Cyber risk occurs when technological silos within organizations are not connected through a broader strategy to defend what matters most to their mission, build awareness to know when a compromise has occurred or may be imminent, and reduce the impact when an incident does occur. CEOs and board members rank cybersecurity as their greatest concern, but only 30 percent on average describe themselves as highly engaged in the area. CEOs cite mobile platforms/cloud-based applications more often than boards do. Boards rate artificial intelligence technologies second. Lack of CEO-board alignment on the most pressing cyber risks may signal the need for a more robust cyber risk strategy, governance, and management frameworks. To engage senior leaders, technical reports should be supplemented or replaced by cyber risk assessments from internal audit and external reviewers that focus on business impacts and risks. CEOs and board members agree that the top two areas needing improvement, and in which they’ll invest, are security optimization services and digital transformation programs. In general, the more closely leaders align investments with needs, the more likely they’ll be able to allocate resources where they may be the most effective. War-gaming and scenario planning are among the leading methods of assessing vulnerabilities and improving resilience. Threat intelligence can help organizations proactively identify and monitor risks.

Extended Enterprise Risk

An extended enterprise is the collection of vendors, contractors, distributors, suppliers, and other third parties outside the main organization. Extended enterprise risk isn’t a risk unto itself. Rather, it is a combination of diverse risks, and their various degrees of severity are based on the nature of the relationships an organization has with its third parties. Roughly two-thirds of CEOs and one-third of board members acknowledge that risk management in their extended enterprises is weaker than in their own organizations. The disparity between the two groups should cause some concern with CEOs having the dimmer view. This may reflect inconsistent reporting to the two sets of leaders and potentially a lack of alignment over risk strategy. Five initiatives for managing extended enterprise risk were evenly selected by survey respondents, with no single method standing out. In order to adopt, enhance, and strengthen their partner ecosystem, organizations should have a defined risk management program that clearly outlines what is acceptable from third-party vendors. Organizational leaders see IT providers as the third parties that pose the greatest threat, with two-thirds of CEOs and almost as many board members ranking them in the top three. It’s critical that IT vendor risk is effectively managed. But leaders should avoid a cybercentric-only view of extended enterprise risk.

Summary

Deloitte conducted a survey of 200 CEOs and 200 board members in organizations of more than $1 billion to find out how leaders can become more confident in their risk management capabilities. Almost all of the responding leaders believe their organizations will face serious threats or disruptions in the next two to three years. Survey responses reveal that many organizations are falling short in one or multiple areas: investment in technology that aligns with strategy, engagement from senior management and board members, alignment of risk and risk officers within an organization, and more. Reputation risk may be flying under the radar. Only half of organizations appear to recognize the importance of proactively managing reputation risk. Culture risk may be given short shrift. Leaders may be overestimating the health of their organizational cultures or underestimating the forces that can undermine a sound culture. Cyber risk may be their greatest concern. But only 38 percent of CEOs and 23 percent of board members are “highly engaged” in this area. Extended enterprise risk may be underrated. Most organizations don’t hold third parties to the same risk standards they set for themselves.

 

Original Article Source: “CEO and Board Risk Management Survey”, Deloitte, 2018

More From Enterprise Risk Management Initiative

Assessing How Org Culture Impacts Risk Mgt

ERM Tool: Assessing How Organizational Culture Impacts Risk Management
SEC Building

Whited, Burd Examine SEC Climate Disclosure Amendment
Kristy Hubard and Mark Beasley

Positioning ERM for Strategic Value