CEOs today are faced with a pace of change that they've never been faced with before, says Chuck Saia, CEO, Deloitte Risk and Financial Advisory in New York.
“They're worried about disruptions — and they're trying to figure out ways in which they can disrupt,” he says. They are working to enhance the client experience as well as transform their workforce, Saia adds: “And they're really trying to grow their business while going through this transformation.”
With all that on their minds, many don’t have the discipline to also contemplate what could happen if a reputational or culture risk event or cyberattack were to occur, he says.
This is especially true if they don’t have the right governance model in place, Saia says. “When we talk to boards and clients, we seldom start with what the risks are,” he notes. “We ask questions about their governance models: Who owns risk within their organizations, and who they report to.”
The Deloitte Risk and Financial Advisory survey of 400 CEOs and board members from U.S. organizations with US$1 billion or more in annual revenue found that only 42 percent of CEOs and 50 percent of board members have discussed risks to their organization’s reputation in the past year. Additionally, 53 percent of CEOs and 46 percent of board members lack the ability to identify events that can damage the organization’s reputation, according to the survey, which was released in October.
“For me, the most significant finding in the survey is how underappreciated culture risk and reputation risk are,” Saia says. “Nearly every day, we hear about organizations going through a reputation-impacting event. And many of these events stem from employees not acting in line with organizational beliefs and values. However, (the survey findings) tell me that strategic risk management is not a high priority. But it should be. Reputation is one of an organization’s most valuable assets, so it makes sense for leaders to do all they can to protect and enhance this asset.”
Having a governance model in which a risk officer reports to the CEO can make a difference, Saia says: “That person will be worried about reputational and cyber risk, will understand what cutting-edge solutions are available to help the company deal with these sorts of risk issues, and will keep risk top-of-mind with the CEO.
“However, too often, what we find is they are buried in their organizations. As a result, when there is a reputational-impacting event, cyberattack or cultural risk, the company is caught off guard. That’s because the risk officer hasn’t had the backing of the top levels of leadership in making sure they are prepared.”
The survey found that less than one-third of organizations provide regular reports for the CEO and board levels on culture and conduct risks.