
Reimagine risk: Thrive in your evolving ecosystem

Deloitte’s 2019 survey of risk management

An overwhelming majority of executives now acknowledge risk management’s strategic importance. The task before risk management functions, and CROs in particular, is to rise to the challenge by equipping themselves to provide business-focussed insight.

Executive summary

In environments of change, professionals in a range of endeavours often fail to understand risks and their roles in managing them. Consider these examples:

  • During the first tests of nuclear weapons in the Mojave Desert, observers of the bomb blasts, unaware of the dangers of radiation, wore sunglasses and lab coats as protective gear.

  • When scientists first discovered that diseases were transmitted through microscopic organisms and that these “germs” could be controlled through handwashing, many physicians refused to believe it—as healers, they could barely accept the idea that they were infecting their patients.

  • After automobiles attained lethal speeds, decades passed before widespread adoption of seat belts and children’s car seats, because it took that long to compile, analyse and disseminate the data on causes of driver and passenger fatalities.

In organisations, a lack of awareness of risks, of people’s roles in controlling them, and of ways to use risk data and new technologies and tools increases the challenges of risk management and undermines the achievement of strategic goals. Most organisations understand this: More than 90 per cent of the risk managers we surveyed expect risk management to become more important to achieving strategic goals in the next five years.

Since the financial crisis, many organisations have—to varying degrees—upgraded and restructured their risk management functions. Yet much work remains undone. To understand the progress made—and still to be made—Deloitte surveyed 100 executives with the title of chief risk officer (CRO) or equivalent, 100 C-suite executives not primarily responsible for risk and 300 executives in risk-related functions such as IT and operational risk. This sample was drawn from US companies with at least US$500 million in annual sales in a cross-section of industries. Survey questions aimed to illuminate executives’ views of risk management, current practices, organisation of risk functions, key activities and capabilities, applications of technology and opportunities to add greater value.

Risk management is growing in importance, but challenges persist

Our survey results pointed to four central findings:

  1. Organisations that invest in risk management, and specifically link it to the attainment of their most important strategic and financial goals, typically achieve higher relative growth. Organisations with risk programmes that are highly integrated across the enterprise are realising value from risk management: they exceed profitability targets more often and achieve higher growth than those with less integrated programmes, which may struggle to realise value and achieve desired outcomes.

  2. Risk management has become elevated, and more strategic, in most organisations. Most executive teams grasp the importance of risk management in the attainment of corporate goals and the value of more strategic approaches, and CROs are pursuing more strategic roles in the organisation.

  3. The case for appointing a CRO or equivalent who reports to the C-suite or board is strong. Those that give risk management a seat at the table at C-suite and board meetings are more likely to have high-performing programmes.

  4. Organisations have clear opportunities to cost-effectively enhance risk management through technology. Although technology can enable risk modelling, tracking and sensing, many risk management functions are underutilising these technologies. In particular, surveyed CROs rate risk identification and risk assessment—activities that technology can readily support—as among the most time-consuming risk management activities.

Below, we explore each of these findings in more detail.

Organisations that invest more in risk management typically achieve higher growth

Organisations that invest in risk management are seeing the impact

In our sample, about a quarter of organisations spend US$10 million to US$25 million on risk management annually, and about 40 per cent spend US$25 million to US$50 million. Those spending more than US$10 million are more likely to rate their programmes as excellent or good (figure 1).

While every organisation must set its own budget priorities, risk management requires substantial resources and ongoing capability updates. Leading programmes take a risk-based approach to resource allocation and dedicate investments in people, processes and technology to areas of their business that pose the greatest risk or opportunity. They also monitor their risk profile and appetite to dynamically calibrate these investments. In this way, they respond to changing conditions and adjust risk management and mitigation tactics to address the evolving risk landscape.

Organisations with a strategic view of risk management realise greater value ...

Companies that view risk management as among the most important factors for achieving strategic goals tend to achieve higher growth. Among our surveyed organisations, companies with a compound annual growth rate (CAGR) of 5 per cent or more were twice as likely to view risk management as key to achieving strategic goals as those with a CAGR under 5 per cent (40 per cent versus 20 per cent) (figure 2).

Organisations that achieve the greatest gains from risk management show a strong tendency to view the function from a more strategic perspective rather than treating it as a compliance and loss prevention function. These organisations employ risk management to “play offence” in their business, competitive, investment and innovation strategies, as well as to “play defence” in the more traditional applications of risk management.

... however, many organisations struggle to align on the key objectives of their risk management programme

The mix of responses we received regarding key objectives of risk management programmes indicates a lack of uniformity in how key stakeholders across an organisation prioritise the expected benefits of risk management (figure 3). This suggests that there is room for improvement and that risk management performance could be enhanced through better alignment among CROs, risk professionals and the C-suite on the risk management programme’s primary objectives.

Each respondent segment agrees that preventing, mitigating or avoiding risk events is the most or second most common objective of risk management. After that, the results vary by respondent segment: for example, C-suite nonrisk owners want risk management to improve decision confidence, while C-suite risk executives want it to increase the probability of reaching strategic and financial goals. These distinctions are subtle, but they can leave stakeholders in a common risk programme pursuing misaligned objectives and so degrade its performance. Our findings support the complaint we commonly hear from C-suite executives and board directors that risk management is not always integrated across the enterprise. Something as straightforward as explicitly aligning stakeholders across the organisation on its primary risk management objectives may be a way to improve performance.

It’s interesting to note that non-CRO C-suite executives less often see risk as enabling the organisation to reach its strategic goals (which they ranked fourth). This may indicate that they still view risk management mainly through their own “confidence” lens rather than an “enterprise value” lens. In other words, they want useful support for their decisions from risk management, but are less clear about the role risk management can play in moving the organisation towards its strategic goals.

Organisations with integrated risk management programmes achieve higher growth more often ...

An integrated approach to risk eschews siloed solutions and aims to develop both an enterprise-wide view of risk tied to the attainment of key corporate objectives and enterprisewide methods of identifying, assessing, monitoring and mitigating risks. Among organisations that achieve a CAGR of over 5 per cent, about one-third characterise their risk programmes as highly integrated while only about one-fifth of those with a CAGR under 5 per cent characterise their programmes as such (figure 4).

Why might this be? More integrated risk management tends to be more efficient and more effective. It can be more efficient in that scarce resources can be focussed on the highest-priority risks to manage in pursuit of growth. And it can be more effective in that risk management shifts from siloed, site-specific risk approaches to enterprisewide, interdependent approaches that help the business stay focussed on what is most important in achieving its goals. While more directional than conclusive, these findings point to the positive results organisations tend to see as they integrate their risk management programmes into a cohesive, systematic approach that can be operationalised across the enterprise.

... yet most risk management programmes are not highly integrated across the enterprise

Only about one-third of CROs and a quarter of risk managers and C-suite risk nonowners view their risk management programmes as highly integrated. Meanwhile, although fewer than 10 per cent of non-CROs see their programmes as separated and isolated, a surprising 18 per cent of CROs view their programmes as such (figure 5).

It is somewhat unsettling that about one in five CROs views their own programmes as separated and isolated. Higher levels of integration might be expected in organisations with a CRO leading the programme. When CROs characterise their programmes as separated and isolated—or, conversely, as highly integrated—their assessment may reflect either a more informed view of risk management or a stricter definition of “integrated” than those of the other two respondent segments. Alternatively, companies with the greatest need to integrate risk management programmes may be the likeliest to appoint a CRO to remedy the situation.

My take: Steve Richard
Chief audit executive, senior vice president, Internal Audit and Enterprise Risk Management, Becton Dickinson

HOW IS RISK EXPECTED TO DELIVER VALUE IN YOUR ORGANISATION?

For us, risk management isn’t this separate activity, but rather an integral part of the business. I have a relatively small ERM team that works very closely with leaders across the business, who need support to achieve their objectives. We focus on avoiding bad things, but also on enabling the businesses to operate without disruption. We partner with our executives to make sure what we ask of them is less intrusive and as efficient as possible. We want the benefits of a sound ERM programme with as little burden as possible.

ARE THERE EXAMPLES YOU COULD SHARE ON HOW YOU CREATE THAT ENVIRONMENT?

Some things are macro risks and affect everyone. Cyber is one of those and the businesses assume we have that covered. Since we are a manufacturer, we address supplier disruption and think strategically about single-source suppliers and how they can impact our strategy. People in the business do this as part of their job. This is a really important point. We are not adding something new. We’re just helping to provide some common framework and structures for work already being done.

HOW DO YOU FOSTER THAT OWNERSHIP?

It doesn’t have to be encouraged or forced, because it is wholly consistent with the businesses meeting their objectives. So they are already focussed on potential disruptors and they welcome our help towards minimising risk. You need to have only one issue with a key supplier to not meet your objectives. So, it’s easy to get people’s attention. I try to create the how—how we go about it.

HOW IMPORTANT IS C-SUITE SPONSORSHIP IN ESTABLISHING THIS OWNERSHIP?

I don’t think we could do it without C-suite support. Our management committee has fully bought in to the value of an effective ERM programme. So I have to do very little selling. I’ve had conversations with my counterparts at other companies who don’t necessarily have that environment, which is unfortunate given the potential value to the organisation. Our leadership team sees the value, and I can focus on what we do and I have the latitude to make those things happen.

WHAT ARE YOUR REPORTING RELATIONSHIPS IN THE ORGANISATION AND HOW DO THEY IMPACT YOUR WORK?

I report directly to the CFO and to the chairman of the audit committee, which oversees risk management. Although it isn’t in the org chart, I have easy access to all of our key executives. I am respectful of that access, which exists for decisions I can’t make without their feedback. That C-suite support extends down through the organisation and up to the board. In terms of impact, the reporting relationships create accountability. They expect to understand our programme and any necessary changes as well as how we are managing any risks identified. These relationships help drive attention and responsiveness in the organisation.

CAN YOU GIVE US AN EXAMPLE OF THAT HIGH-LEVEL ENGAGEMENT?

We have been able to conduct leading-edge risk management activities with both our seniormost leaders as well as the board. Their willing participation makes it clear that they value the time taken on these activities. I’m very fortunate and very appreciative of their support.

WHAT HAVE YOU DONE TO ENCOURAGE RISK AWARENESS DOWN THE ORGANISATION?

To an extent, it depends on the risk. From a macro perspective, we survey a broad spectrum of people, including the front line. We provide an avenue for reporting their thoughts on risk. We also involve our internal audit team around the world, because they touch all parts of the company. Those risk-based conversations and our risk assessment process are very robust and broad-based.

WHAT IS YOUR SURVEY PROCESS?

We use a third-party service to conduct an online survey and we analyse the results. We also conduct a broad set of interviews every six months. We leverage prior conversations so we’re not asking repetitive questions and rehashing what we already know. We’re also planning to change the mix of interviews to include associates closer to the front line.

HOW ARE YOU HARNESSING TECHNOLOGY?

We’re in an early stage of using digital information strategically. We’ve created a risk analytics role on my leadership team that will be staffed by an executive from our big data group. We needed a data scientist, someone with expertise in using data strategically. That person will help bring a digital perspective to both our risk management and internal audit programmes.

HOW DO YOU SEE THIS DEVELOPING, GOING FORWARD?

We want to enable risk sensing and risk intelligence. It will be on a screen and, like today’s cybersecurity professionals, we’ll see data on activities in real time and be able to respond. We’ll also be able to do predictive analytics. I see a future with an ERM operations centre, real-time monitoring, predictive analytics and an app and a dashboard.

WHAT IS ONE SPOT WHERE YOU THINK TECHNOLOGY COULD ADD THE MOST VALUE?

I see a lot of opportunity in getting ahead of developments in operations, so we want to make these tools available to operations. They would be in our function but to the benefit of the business people.

WHAT DO YOU SEE AS THE VALUE OF AN INTEGRATED VIEW OF RISK?

I believe an enterprisewide approach to risk management is far preferable to siloed approaches. We focus on connecting with other parts of the organisation that focus on risk. For example, we have an ethics and compliance function and an aligned assurance framework that we’re revisiting. The risk assessment interviews I mentioned are held jointly with our ethics and compliance team to ensure we have the right measures in place. In the three lines of defence world, they would be second line, but we bring them in to avoid having two sets of conversations and to develop a more integrated view of risk. I really don’t think you can be effective if you are siloed.


Risk management has become elevated—and more strategic—in most organisations

Risk management is becoming more important to achieving strategic goals

More than 90 per cent of respondents believe that risk management is becoming more important to achieving their organisation’s strategic goals (figure 6). Note the importance that CROs (C-suite risk owners) place on this trend.

In leading organisations, risk management now plays an offensive as well as a defensive role. The function identifies, analyses, monitors and mitigates risk to drive performance, growth and value—a shift from its traditional sole focus on compliance and value preservation. In today’s disruptive environment, risk management should proactively assist the organisation in achieving superior strategy, innovation and resilience, and not focus solely on avoiding losses and protecting assets.

Risk managers want to—and should—spend more time on strategy

Both CROs and risk managers would like to spend more time bringing risk management to bear on organisational strategy (figure 7). CROs also want to spend less time on large external issues or megatrends, perhaps because they feel that those risks are too amorphous or remote compared with those that may more clearly and directly impact near-term strategy or operations. This contrasts with the view of C-suite risk nonowners, who presumably recognise the disruptive potential of large trends or megatrends and want more risk management time focussed there.

To free up more time and resources to devote to strategy, CROs might consider using risk sensing (which includes but differs from social media monitoring) to identify and track risks associated with external trends, and using more automated controls and advanced analytics to address compliance and operational risks.

Risk management’s presence at senior-level meetings increases impact

Given the risks surrounding any strategic decision, it makes sense to have risk management present in key C-suite and board meetings. Yet many companies do not follow this practice. Only 28 per cent of surveyed CROs and 22 per cent of surveyed risk managers say that they are always present at C-suite or board meetings and a mere 11 per cent of C-suite risk nonowners believe risk has such presence (figure 8).

When risk management is present at board meetings always or most of the time, the likelihood that the function will have an impact increases dramatically—to 38 per cent from 11 per cent. To an extent, there’s a chicken-and-egg situation where risk must gain a seat at the table in order to have input, but must have valuable input in order to gain a seat at the table.

That said, appointing a true CRO recognises that risk is a senior-level concern and function (on par with operations, finance, HR and IT) and elevates the risk manager to the C-suite. Having a CRO or equivalent should virtually guarantee risk management a seat at the table when strategic decisions are discussed and made.

High-level presence of risk management clearly drives leaders’ confidence in risk data

When risk management is present always or most of the time at board meetings, 88 per cent of senior leaders have strong or total confidence in risk data. When risk management is present only half the time or less, that confidence level drops to 60 per cent (figure 9).

Again, these results make a clear case for including risk at board meetings. And again, as the next section indicates, a leading solution would be to appoint a CRO—a C-level executive responsible for enterprisewide risk management, reporting to the CEO and/or the board.

My take: Paymon Aliabadi
Chief risk officer, Exelon

HOW IS RISK MANAGEMENT ORGANISED AT EXELON?

I report directly to the CEO. Five years ago, we had a risk management organisation/programme dedicated to supporting our trading business, focussed primarily on financial risks (market and credit). During the last five years, we have established a broader enterprise risk management (ERM) programme to supplement our best-in-class commercial risk.

The ERM programme is composed of two elements. We have an ERM Operations group—senior risk professionals embedded in our operating companies (including Generation & Utilities)—which had not been a focus. In addition, we have established the ERM Analytics team to address strategic risk management. ERM Analytics is responsible for a broader review of our business risks, strategic risks, emerging risks and disruptive trends. They look at the whole portfolio and develop the CRO report for the board at every meeting. ERM also provides risk management support in our business services group, which houses finance, HR, supply, IT and strategy.

Five years ago, I could only give you our exposure in our trading business, but not across our enterprise. We now have an expanded scope and we evaluate and aggregate risks across the broader enterprise in one snapshot. This is also a much leaner team, yet with an enterprise perspective.

AS CRO, WHAT IS YOUR VIEW OF REPORTING DIRECTLY TO THE CEO?

I believe it is critical. If I wasn’t a direct report to the CEO, I would lack visibility to my colleagues managing various parts of the business. I have a seat at the table as a peer and can participate in decision-making as a full team member. This reporting structure elevates the standing of risk across the organisation in terms of how you influence and drive priorities or initiatives.

ANY OTHER BENEFITS OF BEING A DIRECT REPORT TO THE CEO?

Well, without that there’s the potential of limiting the potential impact of risk management to a narrower role. There is another key factor: We have board members with deep banking and private equity backgrounds and they “get” risk management. They insisted on a standing risk committee of the board, with active participation across the board. It is where transactions come up for review and approval and risk topics are discussed. As part of that, I am expected to participate, present and help manage the board agenda with respect to risk priorities. It’s just a different dynamic when reporting to the CEO.

HOW DO YOU GO ABOUT CREATING A POSITIVE RISK CULTURE AT MORE JUNIOR LEVELS?

Our goal is to always come to the table with a range of solutions to potential issues. We challenge ourselves not to say “No,” but to highlight the risks and uncertainties and to have mitigations and contingencies we can deploy if needed. Part of our strategic vision and mission is no negative surprises while keeping costs down.

We also work to ensure that we don’t provide an expensive, unclear value proposition. Finance, HR and other functions have a clear product, but risk can become fuzzy. So, we say, don’t block; instead, be a proponent of growth, an enabler of effective/practical solutions, by making risk transparent and understood. We try to make the risk product a clear set of deliverables, so people see what we bring to the table on a consistent basis. No more lunches where we ask what keeps you up at night. We have a defined process, structure, templates and deliverables. Everyone should know the role of risk and what purpose we were invited to play and the product we deliver.

HAS THE MIX OF TALENT IN YOUR RISK FUNCTION CHANGED?

We’re trying to diversify the pool of talent in various ways. We are reaching out internally and externally and encouraging top talent with deeper knowledge and experience in the business to join risk and transform the business. To afford that talent, we are deploying technology, redesigning our processes, rewriting policies and changing our approaches to be a more efficient organisation. We’re taking repetitive mechanical work out of our domain and using those savings to upgrade the talent.

CAN YOU GIVE US AN EXAMPLE OF WHERE THAT’S WORKED?

We’ve streamlined and automated much of credit review and approval to address the more repetitive elements associated with internet searches, balance sheet reviews and credit metrics. Furthermore, instead of elevating counterparty credit approvals, they are delegated down based on a set of established criteria and that has helped to create a culture of ownership and accountability.

GOING FORWARD, WHERE DO YOU SEE THE MOST PROMISE IN TECHNOLOGY?

Our CEO has been championing innovation and automation for some time now and it’s a core area of focus for the organisation. We are working to apply AI and RPA and have dedicated personnel in risk to drive automation innovation and to train our team in deploying technology. We are training everyone to develop expertise in these tools and intend to boost these initiatives in the next two to three years. Also, three to four years ago we took our key risk reports and created our own real-time, dynamic risk dashboard. All our risk reports, market information, prices and so on are on my iPad on a real-time basis.

The results are real. For example, we’ve optimised the confirmations group and we’re working on an AI application to further streamline processes. In predictive analytics, we’ve done work with system dynamics around technological risks and want to apply AI to automate data uploads to our system to support long-term planning. Some of these initiatives are resource-focussed, some are risk-focussed and some are business-focussed.

WHAT’S IMPORTANT IN MAKING THIS HAPPEN?

Change management is key. We’re working to do a much better job of motivating and getting everybody excited enough to embrace the opportunities/initiatives. The key part of success is not only the approach to capturing and monetising the potential savings, but also always addressing change management to ensure it’s sustainable.

ANY OTHER OBSERVATIONS THAT YOU WOULD LIKE TO SHARE?

Just that risk has to be aligned with the organisation strategy and not viewed as a tactical compliance function. It’s got to be integrated into the business and strategy to create tangible value.


The case for appointing a CRO or equivalent who reports to the C-suite or board is strong

Organisations with a CRO are more likely to view risk management strategically

CROs are more likely than executives working in risk areas to rate the importance of risk management to achieving strategic goals highly, and far more likely than C-suite risk nonowners to do so (figure 10).

This finding may simply reflect the importance that a CRO places on the role of risk in achieving strategic goals. However, it also likely reflects the strategic importance that the organisation places on risk and on having an executive who drives a consistent risk culture across the enterprise. After all, the organisation would not have a CRO if it did not perceive risk to be on par with finance, operations, IT and other C-suite responsibilities.

That C-suite risk nonowners are far less likely to think of risk as extremely important to achieving strategic goals may relate to the earlier finding (figure 3) in which they cited the main benefit of risk management to be increased confidence in leadership decisions. They may be undervaluing the role of risk in the strategic decisions that drive performance and that is a gap that CROs, risk managers and organisations should work to close.

Organisations where risk management has a seat at the table are more likely to have high-performing programmes

Ninety-one per cent of risk programmes self-rated as excellent have risk management represented in C-level meetings always or most of the time, while 80 per cent of programmes rated as fair or poor do so half the time or less (figure 11). Leading programmes clearly give risk management senior-level visibility.

For most organisations, elevating risk entails not only appointing a CRO, but also giving that CRO a seat at the table and the standing to influence major decisions and initiatives. Our findings indicate that doing so can produce positive results.

Organisations without a CRO diverge widely on how to structure reporting lines of risk functions ...

At organisations with no CRO, risk management reports to the CEO (32 per cent), or to a business unit head or another senior leader not primarily responsible for risk (figure 12).

In the absence of a CRO, second-line risk management functions, such as compliance, cybersecurity, health and safety, and operational risk, report to the CEO, to another senior officer, or to multiple officers. Such non-CRO reporting lines can impede integration of risk management processes as well as senior executives’ ability to gain an enterprisewide view of risk. Additionally, non-CRO reporting lines may imply that an organisation still sees risk management primarily as a compliance and loss prevention function rather than an offensive weapon. This view is usually reactive rather than proactive and fails to exploit risk management for strategic advantage.

... yet half of surveyed companies do not have a true CRO

While almost 50 per cent of our surveyed companies have elevated responsibility for risk management to the C-level, about 50 per cent have not—despite the fact that more than 90 per cent of all respondent segments expect risk management to become more important to achieving strategic goals in the next five years.

Organisations with a CRO are more likely to focus risk management on realising the strategic plan (figure 13a). While not necessarily indicating causation, the two are correlated. In addition, organisations that exceed a CAGR of 5 per cent are far more likely to have a CRO (figure 13b).

Our research suggests that, as a powerful driver of strategic success, risk should be recognised as a C-level responsibility. Responsibility for day-to-day risk management then resides in the business (the first line of defence) and the compliance, cybersecurity and similar (second-line) functions provide support. Internal audit (the third line) provides assurance. The second-line functions should then report to the CRO, thus aligning risk management at the senior level.

My take: Angela Hoon
Executive director, Strategic Risk Management, General Motors

COULD YOU TELL US ABOUT YOUR CURRENT ROLE AND SCOPE OF RESPONSIBILITIES AT GM?

Our CEO, Mary Barra, also considers herself the chief risk officer. I lead GM’s global strategic risk management programme and am responsible for supporting senior leaders in cultivating a risk mindset and driving a “risk” thought process into strategic and cross-functional decision-making. I also facilitate reporting of key enterprise risks to the board risk committee, work with the leadership to understand their risks and facilitate risk discussions to help in complex business challenges.

DO YOU REPORT DIRECTLY TO THE CEO?

I report to the general auditor, who reports to the CFO, who reports to the CEO, and I have access to the chairman of the risk committee of the board.

TELL US ABOUT THAT RISK GOVERNANCE STRUCTURE

In 2014, Mary designated a full risk committee of the board, which meets four times a year. GM senior leaders facilitate discussions around selected key enterprise risks they own, current responses and mitigation plans. We also have a management-level risk advisory council with an executive lead from every business function or unit, which meets monthly to discuss enterprise and cross-functional risks. Much of our risk management effort focusses on integrating risk into the business, risk mitigation and decision support. Ten times a year, one of the business functions or units meets with Mary to have a discussion on how they integrate risk into their business, key risks to their business goals and what risks are emerging. Over a two-year period, we’ll have cycled through all of our business units.

THIS SOUNDS LIKE A LEADING PRACTICE. HOW DID YOU GET HERE?

Mary determined that risk had to be more a part of governance at the board level and a driver of the business, and her taking the role of CRO was instrumental. Without that tone at the top, it wouldn’t have happened. We realised as an organisation that we needed to look at risk across functions and on a more enterprise-wide basis to avoid a check-the-box routine. In order to test this and gain management buy-in, we facilitated pilot workshops to develop techniques to engage teams and to help them to use a risk lens to analyse risks and solve complex business challenges.

WHAT ELSE WORKED FOR YOU ON THIS JOURNEY?

We avoided risk terminology like risk appetite, tolerance, culture and residual risk. We use the language of the businesses and talk about threats, consequences and responses. We’ll ask about alternatives, contingencies and how to be agile. We brought in all the risk concepts but without the jargon and ultimately got better results, as business leaders could relate and understand the implications of risk to their objectives. Another key was the use of cross-functional workshops and techniques like wargaming, game theory and pre-mortems. As part of the context of the risk discussion, we incorporate emerging risks, consider current industry trends and look at external players.

CAN YOU TALK MORE ABOUT THAT?

As we piloted our workshops, we realised that risk is a key lens to help make decisions in the development of business strategy. Through risk workshops and decision support capabilities, the strategic risk management team has provided a risk thought process that has helped business leaders make risk-informed decisions in support of GM’s business strategy, looking at both upside opportunities and downside risk. In 2018, 300 leaders participated in these risk workshops and about 185 were director-level and above. These on-the-job risk discussions are helping transform our culture because they generate diverse, cross-functional thoughts and ideas, as well as encouraging outside-in and emerging-trends thinking.

HOW HAVE YOU USED TECHNOLOGY?

As a risk team, we have a love-hate relationship with technology and believe technology solutions should be an enabler rather than a driver of risk management processes. As we started the programme, we knew we needed to first get the business engaged to understand risks before adding technology. In 2018, we launched a GRC solution and it will serve as our risk and mitigation repository. Our visual dashboards are refreshed weekly to provide a better user interface for the business. We first had to get the data into one place and now we can focus on improving risk analytics, risk reporting and ultimately, quantification and getting more predictive.

WHAT IS AT THE TOP OF YOUR RISK MANAGEMENT WISH LIST?

Continuing to work with management in the front end of business strategy development to bring the cross-functional risk lens in as early as possible.

WHAT IS YOUR FAVOURITE PART OF THE JOB?

Connecting the dots and working with our business leaders to incorporate a risk lens as we analyse business challenges. We are making a difference in using risk as a consideration in GM’s decisions and it is exciting to see where we’ve been part of that—especially as we see management naturally discussing risk as part of business discussions.


Organisations have clear opportunities to enhance risk management through technology

About half of surveyed organisations are underutilising technology in risk management

Although technology can enable risk modelling, tracking and sensing, many risk management functions are underutilising these technologies. For example, while about half of organisations are using technology to assist with risk modelling and risk tracking, generally less than half are using it to assist in risk sensing and internal approval processes (figure 14).

This finding points to a general underutilisation of technology for risk management and a consequent inflation of the time and effort needed to carry it out. For example, among the more than 50 per cent of respondents that do not use tech-enabled risk sensing, the absence of such tools may be adding to the time they must spend on risk identification and assessment. Also, analytical technologies are essential to risk modelling and sensing, and data visualisation technologies facilitate risk tracking and monitoring.

Risk identification is rated among the most time-consuming tasks in risk management

When asked to rank the most time-consuming risk management activities, each respondent segment cited risk identification, with CROs and C-suite risk nonowners also citing risk assessment (figure 15).

It’s interesting that risk identification—a basic activity that can be readily enhanced with technology—is cited among the most time-consuming activities. That all three respondent segments cite it bears out Deloitte’s field experience, as well as the aforementioned survey finding that points to underutilisation of technology in many risk functions. However, some respondents may be referring to unknown risks and those beyond regulatory, cyber, operational and other more familiar risks.

More broadly, this finding may indicate that executives—including CROs—have difficulty identifying risks because they lack an enterprisewide view of risk; indeed, executives working in risk areas may rate risk identification as less time-consuming because they have a clearer line of sight into risk, given that they focus only on risks within their area.

Finally, recall that CROs and risk managers want to allocate more time to strategy. To the (significant) extent that advanced analytics, risk sensing and automated controls can boost the efficiency and effectiveness of risk identification and assessment, CROs and risk managers have an opportunity to use these technologies to free up more time and resources to devote to strategy.

Organisations see analytics as a key opportunity to improve the risk management programme

Each respondent segment ranked risk analytics and risk management processes among their three highest-priority opportunities for improvement (figure 16). It is interesting that CROs viewed tools as the top priority. Although a variety of tools are commercially available, this is a rapidly evolving area, especially in the arena of digital tools. We expect more powerful tools that provide greater insight into risk to inform decision-making, allow an enterprisewide view of interdependent risks, simulate impacts, and provide real-time and predictive intelligence and analysis. One challenge to more widespread implementation of digital tools will be an organisation’s readiness to adopt tools that may require a higher level of “tech-savviness.”

These results clearly show that respondents recognise the potential for technology-based, data-driven risk analytics to enhance their risk programmes. Indeed, analytics are essential to achieving efficiencies in second-line functions, developing a clearer view of risks and improving risk assessment, monitoring and response.

Although external risk advisers provide benefits, most companies tap them infrequently

About 30 per cent of organisations bring in external risk advisers always or most of the time and those that do tend to realise benefits (figure 17).

Three-quarters of the programmes that rate their effectiveness as fair or poor seek external risk advice only occasionally or less. This suggests that they may be taking insular approaches to risk, which can be suboptimal. Risks are now too dynamic and unpredictable for outdated approaches. In addition, many of the skills needed to implement new technology-enabled capabilities, such as risk analytics, automated assurance and risk sensing (as opposed to social media monitoring), are too specialised and costly for many organisations to justify in-house.

What have we learnt? Specific action steps that can be considered

Overall, our survey results suggest that stakeholder demands for risk management that focus on enterprisewide strategic and financial goals, rather than a “tick-the-box” compliance approach to risk, can create superior performance. The business case for risk management is supported by its potential to increase the probability of success and to drive exceptional performance and value creation. To further enhance risk management’s value to the enterprise, organisations can consider the following:

  • Take a performance-based approach to allocating risk resources. Like all resources, those allocated to risk management are scarce and precious. Prioritise the use of risk resources in a way that increases the probability of realising strategic and financial goals. Consider what skills and capabilities are necessary and whether it is more effective to build those capabilities in-house or procure them through specialised vendors that can provide superior capabilities at a lower cost.

  • Define, align and communicate performance goals for risk management. Explicitly agree upon and communicate the performance expectations for risk management and how risk management will serve and add value to the enterprise.

  • Elevate risk to a senior executive responsibility. Appoint a CRO endowed with the authority to influence strategy and drive risk culture. Let the CRO be one of the chief architects to operationalise risk management and align risk reporting responsibilities. Provide for appropriate governance and board oversight, and give the CRO a “seat at the table” with senior executives and the board.

  • Be C-suite and board ready. A “seat at the table” with the C-suite and board comes with responsibility. Understand the C-suite’s key responsibilities for defining and executing strategy and the board’s responsibilities for providing oversight and come prepared to provide analysis, insight, foresight and recommendations that are fit for purpose.

  • Use technology to sense changing risk trends and develop associated action plans. The pace of change continues to accelerate. Leverage risk sensing, data analytics, dynamic planning and visualisation tools to get a jump start on changing risk profiles and to develop associated action plans.

  • Be curious about emerging digital solutions. Technology is evolving rapidly. Stay on the lookout for technologies that can 1) drive cost efficiency by automating workflow, 2) guide resource allocation to the highest-priority and best use of scarce risk resources, 3) provide insight through advanced analytics, dynamic planning and data visualisation, 4) enhance risk culture, communication and operational effectiveness with project management tools and dashboards, and 5) provide real-time, predictive risk intelligence with risk sensing capabilities.

Risk management has too much potential as a value-creating function to be viewed as primarily a compliance activity with no direct linkage to the attainment of enterprise objectives. Most executives today recognise risk management’s importance in achieving strategic goals. To capture the value of risk management, stakeholders need to be aligned on expectations and CROs and risk teams need to rise to the occasion by equipping themselves to provide business-focussed insight.


The authors would like to thank Paymon Aliabadi of Excelon, Angela Hoon of GM, Steve Richards of Becton Dickinson, Darrin Kelley of Deloitte, Alexander Zmoira of Deloitte, Dmitriy Borovik of Deloitte, Jordy Scholhamer of Deloitte, Lea Dulin-Grandbois of Deloitte, Bre McCarthy of Deloitte, Stacy Jackson of Deloitte, Heidi Boyer of Deloitte, Junko Kaji of Deloitte and Tom Gorman for their contributions to this article.

Cover image by: Tatiana Plakhova
