Managing Risk is More Than Damage Control

Today’s CEOs and board members expect that their organizations will face disruption due to risk but aren’t necessarily prepared to handle the impact of reputational, culture and cyber risk, according to findings from an October Deloitte survey.

The Deloitte Risk and Financial Advisory survey of 400 CEOs and board members from U.S. organizations with US$1 billion or more in annual revenue found that:

●Only 42 percent of CEOs and 50 percent of board members have discussed risks to the organization’s reputation in the past year.

●53 percent of CEOs and 46 percent of board members lack the ability to identify events that can damage the organization’s reputation.

●Nearly two-thirds of CEOs and board members surveyed lack a process to identify market signals that indicate a potential culture risk, yet only 35 percent of CEOs plan to invest in these processes in the next 12 months.

●More than half of organizations lack the ability to analyze events and predict their impact on reputation.

●More than 50 percent of organizations lack a plan to develop or acquire new tools to manage reputational risks, including crisis-response capabilities.

“The survey findings echoed what I routinely hear in my conversations with members of the C-suite and board: Not only do these leaders not have the answers to strategic risk, but many don’t know what questions to ask given the complexity and ever-evolving nature of risk,” says Chuck Saia, CEO, Deloitte Risk and Financial Advisory in New York.

Risk and Reputation

Strategic risks can undermine an organization’s ability to drive strategy and reach performance goals, Saia says. Such risks are interconnected and often feed off each other, and they can create a reputation-impacting event, causing major damage to an organization in a matter of seconds, he says. He cites the example of a supplier that is found guilty of fraud. The incident isn’t just an extended enterprise issue, he says: “It’s a reputation risk, too, because stakeholders don’t distinguish between an organization and its extended enterprise.”

Saia says that for him, the most significant survey finding is how underappreciated culture risk and reputation risk are. Yet, they are so prevalent. “Nearly every day, we hear about organizations going through a reputation-impacting event,” Saia says. “And many of these events stem from employees not acting in line with organizational beliefs and values.

“But as our survey shows, CEOs and boards are either unaware of the tools to manage risk or are not leveraging them. This tells me that strategic risk management is not a high priority. But it should be. Reputation is one of an organization’s most valuable assets, so it makes sense for leaders to do all they can to protect and enhance it.”

Managing Strategic Risk

To do so, companies must spend more time investing in how they would respond to potential reputational, culture and cyber risk, Saia says. Survey findings, for example, reveal that organizations are underinvesting in two key cyber-risk areas — war-gaming and scenario-planning, Saia says: “These exercises are invaluable in getting organizations more prepared to identify, monitor and manage cyber risk. They enable leaders to determine who’s responsible for communications — both internally and externally — as well as the cadence of communications, whether the board and C-suite are aligned in managing the crisis, and the roles and responsibilities for the leadership team. The last thing you want to do when a crisis hits is to try to come up with a plan for managing it as it’s happening. The plan should already be in place.”

In developing a plan, organizations need to go beyond the traditional siloed approach — and do more than damage prevention, Saia says: “Organizations need to take an enterprise-wide strategic approach to managing risk. … That includes (1) the understanding of the danger these risks pose to the execution of strategy and achievement of goals, (2) an appropriate investment in technology to identify, monitor and manage risk, (3) timely reporting for better decision-making, (4) risk as a topic on the leadership agenda and (5) engagement from leaders in managing high-priority risk.”

Resiliency is key. “The measure of success in today’s business landscape is an organization’s ability to turn risk into an opportunity,” he says. “How CEOs and boards embrace and adapt their approach to strategic risk can be the difference between being a disruptor in their industry and being disrupted by a competitor. Stakeholders are watching to see which organizations prove to be more resilient in dealing with complex threats.”