Reimagine risk: Thrive in your evolving ecosystem

Deloitte’s 2019 survey of risk management

An overwhelming majority of executives now acknowledge risk management’s strategic importance. The task now before risk management functions—and CROs—is to rise to the challenge by equipping themselves to provide business-focused insight.
Chris Ruggeri
Keri Calagna
Chris Vanuga
Cynthia Vitters

Executive summary

In environments of change, professionals in a range of endeavors often fail to understand risks and their roles in managing them. Consider these examples:

  • During the first tests of nuclear weapons in the Mojave Desert, observers of the bomb blasts, unaware of the dangers of radiation, wore sunglasses and lab coats as protective gear.

  • When scientists first discovered that diseases were transmitted through microscopic organisms and that these “germs” could be controlled through handwashing, many physicians refused to believe it—as healers, they could barely accept the idea that they were infecting their patients.

  • After automobiles attained lethal speeds, decades passed before widespread adoption of seat belts and children’s car seats, because it took that long to compile, analyze, and disseminate the data on causes of driver and passenger fatalities.

In organizations, a lack of awareness of risks, of people’s roles in controlling them, and of ways to use risk data and new technologies and tools increases the challenges of risk management and undermines the achievement of strategic goals. Most organizations understand this: More than 90 percent of the risk managers we surveyed expect risk management to become more important to achieving strategic goals in the next five years.

Since the financial crisis, many organizations have—to varying degrees—upgraded and restructured their risk management functions. Yet much work remains undone. To understand the progress made—and still to be made—Deloitte surveyed 100 executives with the title of chief risk officer (CRO) or equivalent, 100 C-suite executives not primarily responsible for risk, and 300 executives in risk-related functions such as IT and operational risk. This sample was drawn from US companies with at least US$500 million in annual sales in a cross-section of industries. Survey questions aimed to illuminate executives’ views of risk management, current practices, organization of risk functions, key activities and capabilities, applications of technology, and opportunities to add greater value.

Risk management is growing in importance, but challenges persist

Our survey results pointed to four central findings:

  1. Organizations that invest in risk management, and specifically link risk management to the attainment of the most important strategic and financial goals, typically achieve higher relative growth. Organizations with highly integrated risk programs, integrated across the enterprise, are realizing value from risk management. Such organizations typically exceed profitability targets more often and achieve higher growth than those with less integrated programs, which may struggle to realize value and achieve desired outcomes.

  2. Risk management has become elevated—and more strategic—in most organizations. Most executive teams grasp the importance of risk management in the attainment of corporate goals and the value of more strategic approaches—and CROs are pursuing more strategic roles in the organization.

  3. The case for appointing a CRO or equivalent who reports to the C-suite or board is strong. Those that give risk management a seat at the table at C-suite and board meetings are more likely to have high-performing programs.

  4. Organizations have clear opportunities to cost-effectively enhance risk management through technology. Although technology can enable risk modeling, tracking, and sensing, many risk management functions are underutilizing these technologies. In particular, surveyed CROs rate risk identification and risk assessment—activities that technology can readily support—as among the most time-consuming risk management activities.

Below, we explore each of these findings in more detail.

Organizations that invest more in risk management typically achieve higher growth

Organizations that invest in risk management are seeing the impact

In our sample, about a quarter of organizations spend US$10 million to US$25 million, and about 40 percent spend US$25 million to US$50 million, on risk management annually. Those spending more than US$10 million are more likely to rate their programs as excellent or good (figure 1).

While every organization must set its own budget priorities, risk management requires substantial resources and ongoing capability updates. Leading programs take a risk-based approach to resource allocation and dedicate investments in people, processes, and technology to areas of their business that pose the greatest risk or opportunity. They also monitor their risk profile and appetite to dynamically calibrate these investments. In this way, they respond to changing conditions and adjust risk management and mitigation tactics to address the evolving risk landscape.

Organizations with a strategic view of risk management realize greater value ...

Companies that view risk management as among the most important factors for achieving strategic goals tend to achieve higher growth. Among our surveyed organizations, companies with a compound annual growth rate (CAGR) of 5 percent or more were twice as likely as those with a CAGR under 5 percent to view risk management as key to achieving strategic goals (40 percent versus 20 percent) (figure 2).

Organizations that achieve the greatest gains from risk management show a strong tendency to view the function from a more strategic perspective rather than treating it as a compliance and loss prevention function. These organizations employ risk management to “play offense” in their business, competitive, investment, and innovation strategies, as well as to “play defense” in the more traditional applications of risk management.

... however, many organizations struggle to align on the key objectives of their risk management program

The mix of responses we received regarding key objectives of risk management programs indicates a lack of uniformity in how key stakeholders across an organization prioritize the expected benefits of risk management (figure 3). This suggests that there is room for improvement and that risk management performance could be enhanced through better alignment among CROs, risk professionals, and the C-suite on the risk management program’s primary objectives.

Each respondent segment agrees that preventing, mitigating, or avoiding risk events is the most or second most common objective of risk management. After that, the results vary by respondent segment with, for example, C-suite nonrisk owner respondents wanting risk management to improve decision confidence, and C-suite risk executives wanting risk management to increase the probability of reaching strategic and financial goals. These distinctions are subtle, but they could leave different stakeholders within a common risk program pursuing misaligned objectives, resulting in suboptimal performance. Our findings support the complaint we commonly hear from C-suite executives and board directors that risk management is not always integrated across the enterprise. Something as straightforward as explicitly aligning stakeholders across the organization on the organization’s primary risk management objectives may be a way to improve performance.

It’s interesting to note that non-CRO C-suite executives less often see risk as enabling the organization to reach its strategic goals (which they ranked fourth). This may indicate that they still view risk management mainly through their own “confidence” lens rather than an “enterprise value” lens. In other words, they want useful support for their decisions from risk management, but are less clear about the role risk management can play in moving the organization toward its strategic goals.

Organizations with integrated risk management programs achieve higher growth more often ...

An integrated approach to risk eschews siloed solutions and aims to develop both an enterprisewide view of risk tied to the attainment of key corporate objectives, and enterprisewide methods of identifying, assessing, monitoring, and mitigating risks. Among organizations that achieve a CAGR of over 5 percent, about one-third characterize their risk programs as highly integrated while only about one-fifth of those with a CAGR under 5 percent characterize their programs as such (figure 4).

Why might this be? More integrated risk management tends to be more efficient and more effective. It can be more efficient in that scarce resources can be focused on the highest-priority risks to manage in pursuit of growth. And it can be more effective in that risk management shifts from siloed, site-specific risk approaches to enterprisewide, interdependent approaches that help the business stay focused on what is most important in achieving its goals. While more directional than conclusive, these findings point to the positive results organizations tend to see as they integrate their risk management programs into a cohesive, systematic approach that can be operationalized across the enterprise.

... yet most risk management programs are not highly integrated across the enterprise

Only about one-third of CROs and a quarter of risk managers and C-suite risk nonowners view their risk management programs as highly integrated. Meanwhile, although less than 10 percent of non-CROs see their programs as separated and isolated, a surprising 18 percent of CROs view their programs as such (figure 5).

It is somewhat unsettling that about one in five CROs views their own programs as separated and isolated. Higher levels of integration might be expected in organizations with a CRO leading the program. When CROs characterize their programs as separated and isolated—or, conversely, as highly integrated—their assessment may reflect either a more informed view of risk management or a stricter definition of “integrated” than those of the other two respondent segments. Alternatively, companies with the greatest need to integrate risk management programs may be the likeliest to appoint a CRO to remedy the situation.

My take: Steve Richard 
Chief audit executive, senior vice president, Internal Audit and Enterprise Risk Management, Becton Dickinson

HOW IS RISK EXPECTED TO DELIVER VALUE IN YOUR ORGANIZATION?

For us, risk management isn’t this separate activity, but rather an integral part of the business. I have a relatively small ERM team that works very closely with leaders across the business, who need support to achieve their objectives. We focus on avoiding bad things, but also on enabling the businesses to operate without disruption. We partner with our executives to make sure what we ask of them is less intrusive and as efficient as possible. We want the benefits of a sound ERM program with as little burden as possible.

ARE THERE EXAMPLES YOU COULD SHARE ON HOW YOU CREATE THAT ENVIRONMENT?

Some things are macro risks and affect everyone. Cyber is one of those and the businesses assume we have that covered. Since we are a manufacturer, we address supplier disruption and think strategically about single-source suppliers and how they can impact our strategy. People in the business do this as part of their job. This is a really important point. We are not adding something new. We’re just helping to provide some common framework and structures for work already being done.

HOW DO YOU FOSTER THAT OWNERSHIP?

It doesn’t have to be encouraged or forced, because it is wholly consistent with the businesses meeting their objectives. So they are already focused on potential disruptors and they welcome our help toward minimizing risk. You need to have only one issue with a key supplier to not meet your objectives. So, it’s easy to get people’s attention. I try to create the how—how we go about it.

HOW IMPORTANT IS C-SUITE SPONSORSHIP IN ESTABLISHING THIS OWNERSHIP?

I don’t think we could do it without C-suite support. Our management committee has fully bought in to the value of an effective ERM program. So I have to do very little selling. I’ve had conversations with my counterparts at other companies who don’t necessarily have that environment, which is unfortunate given the potential value to the organization. Our leadership team sees the value, and I can focus on what we do and I have the latitude to make those things happen.

WHAT ARE YOUR REPORTING RELATIONSHIPS IN THE ORGANIZATION AND HOW DO THEY IMPACT YOUR WORK?

I report directly to the CFO and to the chairman of the audit committee, which oversees risk management. Although it isn’t in the org chart, I have easy access to all of our key executives. I am respectful of that access, which exists for decisions I can’t make without their feedback. That C-suite support extends down through the organization and up to the board. In terms of impact, the reporting relationships create accountability. They expect to understand our program and any necessary changes as well as how we are managing any risks identified. These relationships help drive attention and responsiveness in the organization.

CAN YOU GIVE US AN EXAMPLE OF THAT HIGH-LEVEL ENGAGEMENT?

We have been able to conduct leading-edge risk management activities with both our seniormost leaders as well as the board. Their willing participation makes it clear that they value the time taken on these activities. I’m very fortunate and very appreciative of their support.

WHAT HAVE YOU DONE TO ENCOURAGE RISK AWARENESS DOWN THE ORGANIZATION?

To an extent, it depends on the risk. From a macro perspective, we survey a broad spectrum of people, including the front line. We provide an avenue for reporting their thoughts on risk. We also involve our internal audit team around the world, because they touch all parts of the company. Those risk-based conversations and our risk assessment process are very robust and broad-based.

WHAT IS YOUR SURVEY PROCESS?

We use a third-party service to conduct an online survey, and we analyze the results. We also conduct a broad set of interviews every six months. We leverage prior conversations so we’re not asking repetitive questions and rehashing what we already know. We’re also planning to change the mix of interviews to include associates closer to the front line.

HOW ARE YOU HARNESSING TECHNOLOGY?

We’re in an early stage of using digital information strategically. We’ve created a risk analytics role on my leadership team that will be staffed by an executive from our big data group. We needed a data scientist, someone with expertise in using data strategically. That person will help bring a digital perspective to both our risk management and internal audit programs.

HOW DO YOU SEE THIS DEVELOPING, GOING FORWARD?

We want to enable risk sensing and risk intelligence. It will be on a screen and, like today’s cybersecurity professionals, we’ll see data on activities in real time and be able to respond. We’ll also be able to do predictive analytics. I see a future with an ERM operations center, real-time monitoring, predictive analytics, and an app and a dashboard.

WHAT IS ONE SPOT WHERE YOU THINK TECHNOLOGY COULD ADD THE MOST VALUE?

I see a lot of opportunity in getting ahead of developments in operations, so we want to make these tools available to operations. They would be in our function but to the benefit of the business people.

WHAT DO YOU SEE AS THE VALUE OF AN INTEGRATED VIEW OF RISK?

I believe an enterprisewide approach to risk management is far preferable to siloed approaches. We focus on connecting with other parts of the organization that focus on risk. For example, we have an ethics and compliance function and an aligned assurance framework that we’re revisiting. The risk assessment interviews I mentioned are held jointly with our ethics and compliance team to ensure we have the right measures in place. In the three lines of defense world, they would be second line, but we bring them in to avoid having two sets of conversations and to develop a more integrated view of risk. I really don’t think you can be effective if you are siloed.

Risk management has become elevated—and more strategic—in most organizations

Risk management is becoming more important to achieving strategic goals

More than 90 percent of respondents believe that risk management is becoming more important to achieving their organization’s strategic goals (figure 6). Note the importance that CROs (C-suite risk owners) place on this trend.

In leading organizations, risk management now plays an offensive as well as a defensive role. The function identifies, analyzes, monitors, and mitigates risk to drive performance, growth, and value—a shift from its traditional sole focus on compliance and value preservation. In today’s disruptive environment, risk management should proactively assist the organization in achieving superior strategy, innovation, and resilience, and not focus solely on avoiding losses and protecting assets.

Risk managers want to—and should—spend more time on strategy

Both CROs and risk managers would like to spend more time bringing risk management to bear on organizational strategy (figure 7). CROs also want to spend less time on large external issues or megatrends, perhaps because they feel that those risks are too amorphous or remote compared with those that may more clearly and directly impact near-term strategy or operations. This contradicts the view of C-suite risk nonowners who presumably recognize the disruptive potential of large trends or megatrends and want more risk management time focused here.

To free up more time and resources to devote to strategy, CROs might consider using risk sensing (which includes but differs from social media monitoring) to identify and track risks associated with external trends, and using more automated controls and advanced analytics to address compliance and operational risks.

Risk management’s presence at senior-level meetings increases impact

Given the risks surrounding any strategic decision, it makes sense to have risk management present in key C-suite and board meetings. Yet many companies do not follow this practice. Only 28 percent of surveyed CROs and 22 percent of surveyed risk managers say that they are always present at C-suite or board meetings, and a mere 11 percent of C-suite risk nonowners believe risk has such presence (figure 8).

When risk management is present at board meetings always or most of the time, the likelihood that the function will have an impact increases dramatically—to 38 percent from 11 percent. To an extent, there’s a chicken-and-egg situation where risk must gain a seat at the table in order to have input, but must have valuable input in order to gain a seat at the table.

That said, appointing a true CRO recognizes that risk is a senior-level concern and function (on par with operations, finance, HR, and IT), and elevates the risk manager to the C-suite. Having a CRO or equivalent should virtually guarantee risk management a seat at the table when strategic decisions are discussed and made.

High-level presence of risk management clearly drives leaders’ confidence in risk data

When risk management is present always or most of the time at board meetings, 88 percent of senior leaders have strong or total confidence in risk data. When risk management is present only half the time or less, that confidence level drops to 60 percent (figure 9).

Again, these results make a clear case for including risk at board meetings. And again, as the next section indicates, a leading solution would be to appoint a CRO—a C-level executive responsible for enterprisewide risk management, reporting to the CEO and/or the board.

My take: Paymon Aliabadi 
Chief risk officer, Exelon

HOW IS RISK MANAGEMENT ORGANIZED AT EXELON?

I report directly to the CEO. Five years ago, we had a risk management organization/program dedicated to supporting our trading business, focused primarily on financial risks (market and credit). During the last five years, we have established a broader enterprise risk management (ERM) program to supplement our best-in-class commercial risk.

The ERM program is composed of two elements. We have an ERM Operations group—senior risk professionals embedded in our operating companies (including Generation & Utilities)—which had not been a focus. In addition, we have established the ERM Analytics team to address strategic risk management. ERM Analytics is responsible for a broader review of our business risks, strategic risks, emerging risks, and disruptive trends. They look at the whole portfolio and develop the CRO report for the board at every meeting. ERM also provides risk management support in our business services group, which houses finance, HR, supply, IT, and strategy.

Five years ago, I could only give you our exposure in our trading business, but not across our enterprise. We now have an expanded scope and we evaluate and aggregate risks across the broader enterprise in one snapshot. This is also a much leaner team, yet with an enterprise perspective.

AS CRO, WHAT IS YOUR VIEW OF REPORTING DIRECTLY TO THE CEO?

I believe it is critical. If I wasn’t a direct report to the CEO, I would lack visibility to my colleagues managing various parts of the business. I have a seat at the table as a peer and can participate in decision-making as a full team member. This reporting structure elevates the standing of risk across the organization in terms of how you influence and drive priorities or initiatives.

ANY OTHER BENEFITS OF BEING A DIRECT REPORT TO THE CEO?

Well, without that there’s the potential of limiting the potential impact of risk management to a narrower role. There is another key factor: We have board members with deep banking and private equity backgrounds and they “get” risk management. They insisted on a standing risk committee of the board, with active participation across the board. It is where transactions come up for review and approval and risk topics are discussed. As part of that, I am expected to participate, present, and help manage the board agenda with respect to risk priorities. It’s just a different dynamic when reporting to the CEO.

HOW DO YOU GO ABOUT CREATING A POSITIVE RISK CULTURE AT MORE JUNIOR LEVELS?

Our goal is to always come to the table with a range of solutions to potential issues. We challenge ourselves not to say “No,” but to highlight the risks and uncertainties and to have mitigations and contingencies we can deploy if needed. Part of our strategic vision and mission is no negative surprises while keeping costs down.

We also work to ensure that we don’t provide an expensive, unclear value proposition. Finance, HR, and other functions have a clear product, but risk can become fuzzy. So, we say, don’t block; instead, be a proponent of growth, an enabler of effective/practical solutions, by making risk transparent and understood. We try to make the risk product a clear set of deliverables, so people see what we bring to the table on a consistent basis. No more lunches where we ask what keeps you up at night. We have a defined process, structure, templates, and deliverables. Everyone should know the role of risk and what purpose we were invited to play and the product we deliver.

HAS THE MIX OF TALENT IN YOUR RISK FUNCTION CHANGED?

We’re trying to diversify the pool of talent in various ways. We are reaching out internally and externally and encouraging top talent with deeper knowledge and experience in the business to join risk and transform the business. To afford that talent, we are deploying technology, redesigning our processes, rewriting policies, and changing our approaches to be a more efficient organization. We’re taking repetitive mechanical work out of our domain and using those savings to upgrade the talent.

CAN YOU GIVE US AN EXAMPLE OF WHERE THAT’S WORKED?

We’ve streamlined and automated much of credit review and approval to address the more repetitive elements associated with internet searches, balance sheet reviews, and credit metrics. Furthermore, instead of elevating counterparty credit approvals, they are delegated down based on a set of established criteria and that has helped to create a culture of ownership and accountability.

GOING FORWARD, WHERE DO YOU SEE THE MOST PROMISE IN TECHNOLOGY?

Our CEO has been championing innovation and automation for some time now, and it’s a core area of focus for the organization. We are working to apply AI and RPA and have dedicated personnel in risk to drive automation innovation and to train our team in deploying technology. We are training everyone to develop expertise in these tools and intend to boost these initiatives in the next two to three years. Also, three to four years ago we took our key risk reports and created our own real-time, dynamic risk dashboard. All our risk reports, market information, prices, and so on are on my iPad on a real-time basis.

The results are real. For example, we’ve optimized the confirmations group and we’re working on an AI application to further streamline processes. In predictive analytics, we’ve done work with system dynamics around technological risks and want to apply AI to automate data uploads to our system to support long-term planning. Some of these initiatives are resource-focused, some are risk-focused, and some are business-focused.

WHAT’S IMPORTANT IN MAKING THIS HAPPEN?

Change management is key. We’re working to do a much better job of motivating and getting everybody excited enough to embrace the opportunities/initiatives. The key part of success is not only the approach to capturing and monetizing the potential savings, but also always addressing change management to ensure it’s sustainable.

ANY OTHER OBSERVATIONS THAT YOU WOULD LIKE TO SHARE?

Just that risk has to be aligned with the organization strategy, and not viewed as a tactical compliance function. It’s got to be integrated into the business and strategy to create tangible value.

The case for appointing a CRO or equivalent who reports to the C-suite or board is strong

Organizations with a CRO are more likely to view risk management strategically

CROs are more likely than executives working in risk areas to highly rate the importance of risk management to achieving strategic goals, and far more likely than C-suite risk nonowners to do so (figure 10).

This finding may simply reflect the importance that a CRO places on the role of risk in achieving strategic goals. However, it also surely reflects the strategic importance that the organization places on risk and having an executive who drives a consistent risk culture across the enterprise. After all, the organization would not have a CRO if it did not perceive risk to be on par with finance, operations, IT, and other C-suite responsibilities.

That C-suite risk nonowners are far less likely to think of risk as extremely important to achieving strategic goals may relate to the earlier finding (figure 3) in which they cited the main benefit of risk management to be increased confidence in leadership decisions. They may be undervaluing the role of risk in the strategic decisions that drive performance, and that is a gap that CROs, risk managers, and organizations should work to close.

Organizations where risk management has a seat at the table are more likely to have high-performing programs

Ninety-one percent of risk programs self-rated as excellent have risk management represented in C-level meetings always or most of the time, while 80 percent of programs rated as fair or poor do so half the time or less (figure 11). Leading programs clearly give risk management senior-level visibility.

For most organizations, elevating risk entails not only appointing a CRO, but also giving that CRO a seat at the table and the standing to influence major decisions and initiatives. Our findings indicate that doing so can produce positive results.

Organizations without a CRO diverge widely on how to structure reporting lines of risk functions ...

At organizations with no CRO, risk management reports to the CEO (32 percent) or to a business unit head or another senior leader not primarily responsible for risk (figure 12).

In the absence of a CRO, second-line risk management functions, such as compliance, cybersecurity, health and safety, and operational risk, report to the CEO, to another senior officer, or to multiple officers. Such non-CRO reporting lines can impede integration of risk management processes as well as senior executives’ ability to gain an enterprisewide view of risk. Additionally, non-CRO reporting lines may imply that an organization still sees risk management primarily as a compliance and loss prevention function rather than an offensive weapon. This view is usually reactive rather than proactive and fails to exploit risk management for strategic advantage.

... yet half of surveyed companies do not have a true CRO

While almost 50 percent of our surveyed companies have elevated responsibility for risk management to the C-level, about 50 percent have not—despite the fact that more than 90 percent of all respondent segments expect risk management to become more important to achieving strategic goals in the next five years.

Organizations with a CRO are more likely to focus risk management on realizing the strategic plan (figure 13a). While not necessarily indicating causation, the two are correlated. In addition, organizations that exceed a CAGR of 5 percent are far more likely to have a CRO (figure 13b).

Our research suggests that, as a powerful driver of strategic success, risk should be recognized as a C-level responsibility. Responsibility for day-to-day risk management then resides in the business (the first line of defense), and the compliance, cybersecurity, and similar (second-line) functions provide support. Internal audit (the third line) provides assurance. The second-line functions should then report to the CRO, thus aligning risk management at the senior level.

My take: Angela Hoon 
Executive director, Strategic Risk Management, General Motors

COULD YOU TELL US ABOUT YOUR CURRENT ROLE AND SCOPE OF RESPONSIBILITIES AT GM?

Our CEO, Mary Barra, also considers herself the chief risk officer. I lead GM’s global strategic risk management program and am responsible for supporting senior leaders in cultivating a risk mindset and driving a “risk” thought process into strategic and cross-functional decision-making. I also facilitate reporting of key enterprise risks to the board risk committee, work with the leadership to understand their risks, and facilitate risk discussions to help in complex business challenges.

DO YOU REPORT DIRECTLY TO THE CEO?

I report to the general auditor who reports to the CFO who reports to the CEO, and I have access to the chairman of the risk committee of the board.

TELL US ABOUT THAT RISK GOVERNANCE STRUCTURE

In 2014, Mary designated a full risk committee of the board, which meets four times a year. GM senior leaders facilitate discussions around selected key enterprise risks they own, current responses, and mitigation plans. We also have a management-level risk advisory council with an executive lead from every business function or unit, which meets monthly to discuss enterprise and cross-functional risks. Much of our risk management effort focuses on integrating risk into the business, risk mitigation, and decision support. Ten times a year, one of the business functions or units meets with Mary to have a discussion on how they integrate risk into their business, key risks to their business goals, and what risks are emerging. Over a two-year period, we’ll have cycled through all of our business units.

THIS SOUNDS LIKE A LEADING PRACTICE. HOW DID YOU GET HERE?

Mary determined that risk had to be more part of governance at the board level and a driver of the business, and her taking the role of CRO was instrumental. Without that tone at the top, it wouldn’t have happened. We realized as an organization that we needed to look at risk across functions and on a more enterprise-wide basis to avoid a check-the-box routine. In order to test this and gain management buy-in, we facilitated pilot workshops to develop techniques to engage teams and to help them to use a risk lens to analyze risks and solve complex business challenges.

WHAT ELSE WORKED FOR YOU ON THIS JOURNEY?

We avoided risk terminology like risk appetite, tolerance, culture, and residual risk. We use the language of the businesses and talk about threats, consequences, and responses. We’ll ask about alternatives, contingencies, and how to be agile. We brought in all the risk concepts but without the jargon, and ultimately got better results, as business leaders could relate and understand the implications of risk to their objectives. Another key was the use of cross-functional workshops and techniques like wargaming, game theory, and pre-mortems. As part of the context of the risk discussion, we incorporate emerging risks, consider current industry trends, and look at external players.

CAN YOU TALK MORE ABOUT THAT?

As we piloted our workshops, we realized that risk is a key lens to help make decisions in the development of business strategy. Through risk workshops and decision support capabilities, the strategic risk management team has provided a risk thought process that has helped business leaders make risk-informed decisions in support of GM’s business strategy, looking at both upside opportunities and downside risk. In 2018, 300 leaders participated in these risk workshops, and about 185 were director-level and above. These on-the-job risk discussions are helping transform our culture because they generate diverse, cross-functional thoughts and ideas, as well as encouraging outside-in and emerging-trends thinking.

HOW HAVE YOU USED TECHNOLOGY?

As a risk team, we have a love-hate relationship with technology, and believe technology solutions should be an enabler rather than a driver of risk management processes. As we started the program, we knew we needed to first get the business engaged to understand risks before adding technology. In 2018, we launched a GRC solution, and it will serve as our risk and mitigation repository. Our visual dashboards are refreshed weekly to provide a better user interface for the business. We first had to get the data into one place, and now we can focus on improving risk analytics, risk reporting, and ultimately, quantification and getting more predictive.

WHAT IS AT THE TOP OF YOUR RISK MANAGEMENT WISH LIST?

Continuing to work with management in the front end of business strategy development to bring the cross-functional risk lens in as early as possible.

WHAT IS YOUR FAVORITE PART OF THE JOB?

Connecting the dots and working with our business leaders to incorporate a risk lens as we analyze business challenges. We are making a difference in using risk as a consideration in GM’s decisions, and it is exciting to see where we’ve been part of that—especially as we see management naturally discussing risk as part of business discussions.


Organizations have clear opportunities to enhance risk management through technology

About half of surveyed organizations are underutilizing technology in risk management

Although technology can enable risk modeling, tracking, and sensing, many risk management functions are underutilizing these technologies. For example, while about half of organizations are using technology to assist with risk modeling and risk tracking, generally less than half are using it to assist in risk sensing and internal approval processes (figure 14).

This finding points to a general underutilization of technology for risk management, and a consequent inflation of the time and effort needed to carry it out. For example, among the more than 50 percent of respondents that do not use tech-enabled risk sensing, this lack may be affecting the time they need to spend on risk identification and assessment. Also, analytical technologies are essential to risk modeling and sensing, and data visualization technologies facilitate risk tracking and monitoring.

Risk identification is rated among the most time-consuming tasks in risk management

When asked to rank the most time-consuming risk management activities, each respondent segment cited risk identification, with CROs and C-suite risk nonowners also citing risk assessment (figure 15).

It’s interesting that risk identification—a basic activity that can be readily enhanced with technology—is cited among the most time-consuming activities. That all three respondent segments cite it bears out Deloitte’s field experience, as well as the aforementioned survey finding that points to underutilization of technology in many risk functions. However, some respondents may be referring to unknown risks and those beyond regulatory, cyber, operational, and other more familiar risks.

More broadly, this finding may indicate that executives—including CROs—have difficulty identifying risks because they lack an enterprisewide view of risk; indeed, executives working in risk areas may rate risk identification as less time-consuming because they have a clearer line of sight into risk, given that they focus only on risks within their area.

Finally, recall that CROs and risk managers want to allocate more time to strategy. To the (significant) extent that advanced analytics, risk sensing, and automated controls can boost the efficiency and effectiveness of risk identification and assessment, CROs and risk managers have an opportunity to use these technologies to free up more time and resources to devote to strategy.

Organizations see analytics as a key opportunity to improve the risk management program

Each respondent segment ranked risk analytics and risk management processes among their three highest-priority opportunities for improvement (figure 16). It is interesting that CROs viewed tools as the top priority. Although a variety of tools are commercially available, this is a rapidly evolving area, especially in the arena of digital tools. We expect more powerful tools that provide greater insight into risk to inform decision-making, allow an enterprisewide view of interdependent risks, simulate impacts, and provide real-time and predictive intelligence and analysis. One challenge to more widespread implementation of digital tools will be an organization’s readiness to adopt tools that may require a higher level of “tech-savviness.”

These results clearly show that respondents recognize the potential for technology-based, data-driven risk analytics to enhance their risk programs. Indeed, analytics are essential to achieving efficiencies in second-line functions, developing a clearer view of risks and improving risk assessment, monitoring, and response.

Although external risk advisers provide benefits, most companies tap them infrequently

About 30 percent of organizations bring in external risk advisers always or most of the time, and those that do tend to realize benefits (figure 17).

Three-quarters of the programs that rate their effectiveness as fair or poor seek external risk advice only occasionally or less. This suggests that they may be taking insular approaches to risk, which can be suboptimal. Risks are now too dynamic and unpredictable for outdated approaches. In addition, many of the skills needed to implement new technology-enabled capabilities, such as risk analytics, automated assurance, and risk sensing (as opposed to social media monitoring), are too specialized and costly for many organizations to justify in-house.

What have we learned? Specific action steps that can be considered

Overall, our survey results suggest that risk management focused on enterprisewide strategic and financial goals, as stakeholders demand, rather than on a “tick-the-box” compliance approach to risk, can create superior performance. The business case for risk management is supported by its potential to increase the probability of success and to drive exceptional performance and value creation. To further enhance risk management’s value to the enterprise, organizations can consider the following:

  • Take a performance-based approach to allocating risk resources. Like all resources, those allocated to risk management are scarce and precious. Prioritize the use of risk resources in a way that increases the probability of realizing strategic and financial goals. Consider what skills and capabilities are necessary and whether it is more effective to build those capabilities in-house or procure them through specialized vendors that can provide superior capabilities at a lower cost.

  • Define, align, and communicate performance goals for risk management. Explicitly agree upon and communicate the performance expectations for risk management and how risk management will serve and add value to the enterprise.

  • Elevate risk to a senior executive responsibility. Appoint a CRO endowed with the authority to influence strategy and drive risk culture. Let the CRO be one of the chief architects to operationalize risk management and align risk reporting responsibilities. Provide for appropriate governance and board oversight, and give the CRO a “seat at the table” with senior executives and the board.

  • Be C-suite and board ready. A “seat at the table” with the C-suite and board comes with responsibility. Understand the C-suite’s key responsibilities for defining and executing strategy and the board’s responsibilities for providing oversight, and come prepared to provide analysis, insight, foresight, and recommendations that are fit for purpose.

  • Use technology to sense changing risk trends and develop associated action plans. The pace of change continues to accelerate. Leverage risk sensing, data analytics, dynamic planning, and visualization tools to get a jump start on changing risk profiles and to develop associated action plans.

  • Be curious about emerging digital solutions. Technology is evolving rapidly. Stay on the lookout for technologies that can 1) drive cost efficiency by automating workflow, 2) guide resource allocation to the highest-priority and best use of scarce risk resources, 3) provide insight through advanced analytics, dynamic planning, and data visualization, 4) enhance risk culture, communication, and operational effectiveness with project management tools and dashboards, and 5) provide real-time, predictive risk intelligence with risk sensing capabilities.

Risk management has too much potential as a value-creating function to be viewed as primarily a compliance activity with no direct linkage to the attainment of enterprise objectives. Most executives today recognize risk management’s importance in achieving strategic goals. To capture the value of risk management, stakeholders need to be aligned on expectations, and CROs and risk teams need to rise to the occasion by equipping themselves to provide business-focused insight.


The authors would like to thank Paymon Aliabadi of Excelon, Angela Hoon of GM, Steve Richards of Becton Dickinson, Darrin Kelley of Deloitte, Alexander Zmoira of Deloitte, Dmitriy Borovik of Deloitte, Jordy Scholhamer of Deloitte, Lea Dulin-Grandbois of Deloitte, Bre McCarthy of Deloitte, Stacy Jackson of Deloitte, Heidi Boyer of Deloitte, Junko Kaji of Deloitte and Tom Gorman for their contributions to this article.

Cover image by: Tatiana Plakhova
