Skip to main content

Rebooting risk management

Making risk relevant in a world remade by COVID-19

Today’s environment is one not only of heightened risk, but of prolonged uncertainty. Blurring the lines between business-as-usual risk management, crisis management, and resilience can enable agility in the face of an uncertain future.

BLANKET statements about the impact of the coronavirus pandemic and its economic fallout may be viewed skeptically. But this much we can say: Risk management failures abounded. Indeed, regardless of how your organization has been affected, there is much to be learned about risk management from this still-unfolding crisis.

Even after the past 20 years of continual disruption, risk management is too often either misunderstood or mistakenly thought of as a compliance function. But while compliance regimes may work well for known risks with clear implications and proven mitigations in a fairly static environment, COVID-19 has demonstrated that the environment is anything but static. Risk is not a well-behaved house guest, and the impact of COVID-19 was impossible to predict. And every senior executive, board member, or risk leader whose organization has prospered in spite of, or even because of, the COVID-19 crisis should clearly understand: Next time will be different. The volatile, uncertain, complex, and ambiguous (VUCA)1 environment virtually guarantees that the next crisis will not be any more predictable than any others have been during the past 20 years.

The chance to upgrade and reposition risk management—to perform a risk reboot—is one of the true opportunities this crisis presents to risk leaders, executive teams, and organizations. Not a reboot in the reset-your-device or restart-the-system sense from the tech world, but in the reboot-the-franchise sense from the moviemaking world. We mean reimagining, refreshing, and re-energizing risk management and all of its elements to help address a highly uncertain future. The concrete outcome of this reboot is a risk leader’s agenda and mandate—and a risk management function—geared to the critical risks the organization faces as it pursues its purpose, mission, strategy, and goals.

The following three guiding principles can help ignite a risk reboot and guide it in productive directions.

Take the risk to trust: Building trust among stakeholders

Cultivating stakeholders’ trust requires risk leaders to think more broadly and deeply about the organization’s ecosystem of stakeholders. Relevant risk programs are designed around the needs and expectations of all stakeholders—customers, employees, the board, vendors, partners, investors, the media, the community, and society at large.

When an organization and its stakeholders truly trust one another, they become partners in risk management, alerting one another to emerging risks, collaborating on mitigation, and creating greater value for each party. This has been demonstrated through mechanisms such as customer councils and preferred supplier programs, and among extended enterprise partners, in which key stakeholders are “brought into the organization” to enhance relationships and build trust.

Viewing stakeholders more broadly and deeply, and cultivating trust with the stakeholder ecosystem, positions a risk leader to:

  • Identify all groups in the organization’s ecosystem of stakeholders and their relationships; not only with the organization, but among one another
  • Articulate what each stakeholder group specifically needs and expects from the organization
  • Understand the full range of risks that could undermine the organization’s ability to fulfill each group’s needs and meet their expectations
  • Grasp the interrelatedness of stakeholder expectations and the ways that stakeholder groups affect one another, and understand the interrelatedness of the associated risks
  • Challenge management on potential flaws in a strategy, errors in execution, and areas where the organization might break, while pointing out potential opportunities, solutions, and fixes—with that second part key to avoid being viewed as a naysayer
  • Make sure the risk program proactively monitors, mitigates, and manages risks that could affect the organization’s ability to deliver on stakeholder expectations as well as trust and confidence among key stakeholder groups.

The best of all possible worlds: Elevating the role of risk management

A reboot elevates the role of risk by identifying new opportunities to deliver value as well as by addressing actual and potential threats. This increases C-suite confidence in the risk function by delivering more relevant information, including predictive information, and solving the compliance conundrum created by the need to continually create controls, processes, and reports in response to new mandates.

A successful reboot also calls for risk leaders who understand not only risk but also business strategies and how they are implemented. These leaders, equipped with eclectic backgrounds and broad business experience, can translate the often abstract concept of risk into concrete impacts on strategies, initiatives, and decisions. They can assist the executive team and the business in risk identification, monitoring, mitigation, management, and response.

Here are some actions that can help elevate risk management’s role:

  • Take a fresh look at the organization’s approach to risk, then rationalize and rightsize risk activities—particularly compliance activities, which can often be automated—and reinvest in higher-value/higher-return activities
  • Integrate risk management by cutting across organizational silos and activities
  • Streamline risk management by focusing people, processes, technologies, and investments on the risks that matter most—the risks that could undermine the ability to fulfill stakeholder expectations
  • Quantify the cost and value of risk management outputs
  • Gear risk management to an environment of ongoing uncertainty by providing enhanced risk data and risk-based decision support

Make risk intelligence smarter: Giving risk management the tools to do their job

When a crisis strikes and amid ongoing uncertainty, management needs a clear picture of current and potential developments. Yet the risk leader and the risk function often lack the access to data, the analytical firepower, and the ability to communicate with management and the organization in real time or near-real time. A successful risk reboot empowers the risk leader with ready access to risk and performance data, analytical tools, and reporting mechanisms such as data visualization. Equally important, the risk leader and his or her team should be prepared to provide early warnings of emerging risks to further support decision-making—perhaps with an assist from risk-sensing technologies, predictive analytics, and scenario planning—along with actionable insights and recommendations.

Scenario planning in particular can enable risk leaders to clearly portray the impact of potential risk events on specific stakeholders. It enables management to more clearly understand the full range of available options as well as the if-then ramifications of each decision. Scenario planning also enables leaders to define potential signals that, if they were to emerge, might indicate the nature and impact of potential risks as well as the direction of future events.

Some useful questions to ask in the effort to deliver risk intelligence include:

  • What risk data does management need, and how can we access and analyze that data and effectively distribute and communicate the results?
  • How can we apply predictive analytics, risk sensing, and other smart technologies to improve our risk management and decision support capabilities?
  • How can we use scenarios to better understand developments in this and future crises?
  • How can we better assist management in crafting potential responses to risk events? What signals and triggers might enable us to determine which responses should be implemented and when?
  • How can we communicate better about risk across our organization? How can we more clearly portray the potential business impact of risk events on our organization and stakeholders?
  • What actions do we recommend to mitigate risks and leverage opportunities that have been identified? How can we frame our recommendations in ways that compel management to act on them?

The future is a moving target

The COVID-19 pandemic has shown organizations that they can make decisions rapidly under conditions of extreme uncertainty. The challenge is to make even better decisions under the conditions that lie ahead. This calls for combating the inertia that may cause the organization to lose that ability and return to business as usual, and drive risk management to return to former modes of operating. Risk functions have a rare but real opportunity at present. Rather than slowing down decisions, raising only objections, or entering the process too late, risk must be an enabler, not a barrier. That means supporting fast decisions, presenting solutions, and being engaged at the outset.

Read the full report here Rebooting risk management: Making risk relevant in a world remade by COVID-19.

Deloitte Risk & Financial Advisory

We don’t believe that risk is simply managed—it is confronted. In Advisory, we do not take a defensive crouch. We move forward, defining the unknowns and framing the issues before you encounter them. Whether your challenge is cyber, transactional, regulatory, or internal controls, we can help prepare you to preempt the threat, define what’s vital, and aggressively secure it. So that you can keep pace, get back to the business at hand—and move on what matters.

Learn more

Cover image by: Tatiana Plakhova

  1. Foo See Liang, Lex Lee, and Cheng Nam Sang, Risk management in a VUCA environment,” Journal of the Institute of Singapore Chartered Accountants, April 22, 2016. 

    View in Article

Did you find this useful?

Thanks for your feedback

If you would like to help improve Deloitte.com further, please complete a 3-minute survey