Traditional Risk Management Inadequate To Deal with Today's Threats
March 2007
The perception that the world is an increasingly
risky place is not a case of imagination run amok. A recent study in Fortune magazine of S&P 500 companies
showed that overall risk levels more than doubled between 1985 and 2006.
by Mark Layton and Steve Wagner
Deloitte & Touche
In the contemporary business environment, yesterday's risk management practices
are no longer adequate to deal with today's threats. Seemingly unrelated items,
including intense competition, natural disasters, fossil fuel dependency, terrorism,
and regulatory requirements such as Sarbanes-Oxley and the Health Insurance Portability
and Accountability Act (HIPAA), all conspire to pose a new level of risk.
At the same time, the emergence of the Internet and the 24/7 news cycle creates
a new risk factor for business—"speed of onset." When text and data and even
cell phone video clips can circumnavigate the globe in the blink of an eye,
the ability of companies to deal discreetly with a risk issue has essentially
disappeared. Brand and reputation can plummet with frightening rapidity.
The inability to deal with risks of all types has resulted in a dramatic
increase in CEO and CFO turnover. More worrisome, the failure to successfully
manage risk can result in personal liability, as evidenced by recent out-of-pocket
settlements paid by board directors. Given the stakes involved, what's needed
is a better approach to risk management than is typically practiced today.
Silo Factor
Among the most significant issues inhibiting effective and efficient risk
management is what we call the "silo factor." Typically, risk is assigned to
risk managers within departments: The finance department monitors credit risk,
public relations oversees reputation risk, facilities management supervises
physical risk, IT focuses on data security risk, and so on.
While this level of specialization is essential, compartmentalizing risk
managers in these silos results in a narrow, parochial view of risk and prevents
top management from understanding risks facing the entire enterprise. Of course,
risks don't respect silos; instead, they often cross-pollinate and propagate.
For example, an IT security breach quickly becomes a reputational risk in the
form of "bad press" that in the wake of litigation turns into a legal risk and
then through settlements with those wronged concludes as a financial risk. Risks
that combine and cascade in this manner are seldom successfully dealt with by
isolated risk managers.
Another impediment to intelligent risk management may be traced to a company's
understanding of the term. Many organizations use only a "half a loaf" definition
of risk. That is, they consider only the "downside" aspects of risk—those factors
that could threaten their existing assets, such as IT security breaches, physical
plant safety, financial fraud, and the like. In our experience, far fewer organizations
apply the principles of good risk management to "upside" opportunities, such
as product development, entering new markets, and merger and acquisition activities.
Failure to adequately address the risks inherent in these activities may
result in severe and unanticipated losses. Several well-known public companies
reported losses in the billions, not by failing to anticipate terrorism or natural
disasters, but as a result of ill-advised mergers, poor quality products, and
decreased market share.
The Risk Intelligence Concept
Rather than focusing solely on avoiding risks and thus losing opportunities
to risk-taking competitors, companies can better manage risk by adopting the
principles of "Risk Intelligence," in which the goal of extraordinary growth
is achieved through proactive risk taking, not managed risk avoidance. We have
found that organizations that are most effective in managing risks to both existing
assets and to future growth will, in the long run, outperform those that are
less so. Simply put, companies make money
by taking intelligent risks and lose money by failing to manage risk intelligently.
The competitive benefits of Risk Intelligence include:
- Improved ability to identify, assess, and act on risks by facilitating
enterprise-wide collaborative risk management
- Use of risk assessments to better inform strategic decision making
- Reduced cost of risk management and burden on business operations
- Renewed confidence and reassurance for stakeholders through more robust
procedures for risk identification, analysis, and management
Coming Up
In our next several columns, we will review the distinguishing characteristics
of The Risk Intelligent Enterprise.™ Next up: See Bridging the "Silos" for some practical tips for establishing interactive
connections among compartmentalized risk managers. By encouraging internal communication
among specialists who may have little awareness of one another's activities,
assets can be protected while pursuing risks that will create new value for
the organization.
Steve Wagner is the managing partner for Deloitte & Touche LLP's U.S. Center for Corporate
Governance and innovation leader for its Audit and Enterprise Risk Services
practice. He can be reached at (617) 437-2200 or at swagner@deloitte.com.
Opinions expressed in Expert Commentary articles are those of the author and are
not necessarily held by the author’s employer or IRMI. This article does not purport
to provide legal, accounting, or other professional advice or opinion. If such advice
is needed, consult with your attorney, accountant, or other qualified adviser.