Creating Value from Risk
Risk topics that are top of mind with Boards and C-Level executives today revolve around two main issues: reputational risk and cyber risk. Reputation risks vary significantly and often are related to lapses in ethics and integrity, such as fraud, bribery and corruption. Product and service risks are another driver of reputation risk, and can be related to health and safety and environmental issues. Third-party relationships are a rapidly emerging risk area, with companies increasingly being held accountable for the actions of their suppliers and vendors. Security risks, including physical and cyber breaches, are particularly top of mind for board members given recent incidents.

While cyber risk is clearly related to reputational issues, it is in some ways an even bigger concern. Companies recognize that they are vulnerable, and it is no longer a question of if they will be attacked but rather when. It’s a complicated issue in which there are various adversaries at work with very different motives. Some groups are looking to steal financial information or cash, while others are looking for personally identifiable information. Other groups are seeking competitive intelligence, and then there are the “state” actors, focusing their efforts on espionage and warfare. When it comes to cyber risk, boards are asking themselves: “Who in our organization should have responsibility for our cyber risk programs?” “Are we vulnerable and why, and what will people want from us?” “What are our most strategic assets and what could threaten those, and what could threaten our competitive position?”

The effects from incidents that undermine a company’s reputation can be far reaching, especially given today’s digital world and the widespread adoption of social media. Such incidents can bleed over into other aspects of a company’s operations, causing significant financial ramifications and brand value loss, but can also impact an entire industry, with investigations and increased regulations. The impact of social media—both the risks and the opportunities it presents—is another area of concern for boards.
Not all of these risks will rise to the level of a crisis, but it’s important to have a crisis management plan in place, and to put it to the test on a regular basis. Many companies create a plan and then never test it in any way. It is common to see simulations where companies think they have a great plan and believe they are prepared to manage a crisis. Yet, under real pressure or when a major crisis hits, the plan falls apart. As a result, a number of companies are looking to do much more scenario planning and wargaming. They’re interested in running through a range of scenarios and related factors, including how their company might respond, who gets what information, who makes the decisions and when, and who informs the regulators, politicians, employees, the board and other key stakeholders. There’s a host of other issues for the organization to consider, such as when systems should be brought back online. For an organization to fully understand its vulnerabilities and preparedness, the response plan has to be put to the test. And even the most secure companies should bear in mind that they can be vulnerable if their vendors are not secure.

When it comes to cyber breaches, it’s important to accept that some measure of risk will always be present, but a lot can still be done. The first step is to secure the environment with up-to-date security controls that focus on the most important assets. The second phase involves being vigilant: instilling and updating threat awareness and visibility so that aberrant activity is detected as quickly as possible. Last, it’s critical to develop resilient capabilities to recover from incidents as quickly as possible and with as little damage to the business or its reputation as possible.
Strategic risk management
The core idea behind strategic risk is protecting the unique value of the organization, with a focus on the drivers of economic value of the enterprise, while at the same time looking for new opportunities to create value. In a nutshell: strategic risks threaten the assumptions at the core of a company’s strategy, potentially making its products or services obsolete. Consider the potential disruptive influence of collaborative consumption on the automotive industry. Companies used to have strategic plans that would last five or 10 years; that’s no longer the case. What is critical today is the ability to understand the marketplace and gather intelligence on important trends so that an organization can anticipate changes and evolve with the market.

So strategic risk management starts with understanding the core strategy, and then working with the board and management to create protocols that can help the company advance—or adapt—its strategy while minimizing the risks. That might entail using data analytics and sensing technology, as well as scenario planning and wargaming. Where ERM (enterprise risk management) was more about protection and defensive monitoring, strategic risk is about being open to opportunities to create value from risk. ERM in practice became driven by dashboards, with a series of measures and metrics that just didn’t have the impact that board members or C-suite executives need. The other challenge to avoid is the highly siloed nature of traditional risk management, where CEOs, risk officers and other leaders on the front lines are disconnected. That’s an area where today’s CROs (chief risk officers) and CCOs (chief compliance officers) can work to break down the barriers that lead to inefficient risk management practices.