Addressing the Full Spectrum of Risks
May 2007
Not long ago, executives believed that a hallmark
of the well-run enterprise was its ability to actively avoid risk while pursuing
objectives devoid of danger. Today, most prudent leaders understand that risk
cannot be avoided. However, significantly fewer realize that to achieve success,
companies should not simply accept the inevitability of risk, but should actually
embrace it.
by Mark Layton and Michael Corcoran
Deloitte & Touche
We define risk as:
- the potential for loss or the diminished opportunity for gain caused
by factors that can adversely affect the achievement of a company’s objectives.
Note the dual nature of this definition. Risk Intelligence involves not just
the avoidance of the negative (e.g., prevent employee fraud) but also the attainment
of the positive (e.g., create a blockbuster product). Aside from blind luck,
only through intelligent risk taking—that is, knowledgeable and deliberate pursuit
of a business strategy in the face of understood risks—can a company create
a successful product.
Risks emerge from a potent mix of factors, including regulatory compliance,
competitive pressure, environmental impacts, security and privacy concerns,
business continuity, strategic planning, reporting protocols, operational processes,
sustainability, and more. Companies of differing sizes, industries, and geographies
will face a varied and unique arrangement of risk factors.
A perusal of history suggests negative events of all sorts will regularly
occur, and businesses caught off guard will pay a price. However, the impact
of bad things happening is less for those companies prepared to deal with a
range of risks and opportunities simultaneously. The ability to handle multiple
threats (such as a hurricane creating both a supply chain and human resource
disruption) while also capitalizing on immediate opportunities (such as being
able to serve competitors’ customers during an outage) constitutes an optimal
risk management program.
Risk management, as currently practiced, is often a one-time, internally
disruptive event. Despite fancy analytical capability and dedicated professionals,
many companies deploy a risk management system that is more theoretical than
practical, based on anecdotal rather than empirical evidence, and one that is
fragmented across jurisdictions, industries, and frameworks. The result is less
risk management and more risk recognition. It’s a good start but only a start.
Developing a Risk Strategy
Risk intelligence, on the other hand, requires a real-time, ongoing process
capable of engaging external risks and opportunities to fulfill stated company
objectives within accepted risk-taking parameters. Attaining this state requires,
first, executives who actually understand the nature of risk and, second, a
well-defined strategy to guide an organization’s risk management program.
Strategic risk management is not merely identifying risks, nor is it listing
objectives to be achieved in dealing with identified risk. Both the identification
and the elucidation are necessary—but not sufficient—to complete the optimum
risk management program. Strategy is key. An effective strategy will include
the following procedures to deal with the full spectrum of risk defined above:
- Risk assessment should begin by identifying a company’s most basic strategic
  assumptions followed by questioning their veracity. In our experience, more
  risk losses can be attributed to the failure to challenge basic assumptions
  than anything else.
- Understand the difference between unrewarded and rewarded risk and allocate
  resources accordingly. For example, compliance with regulatory requirements
  is necessary but won’t result in a reward. Acquiring a competitor might.
- Focus on finite effects instead of infinite causes. Understand critical
  assets and dependencies and plan for their independent functioning when
  necessary.
- Test organizational resilience under different scenarios. Improve flexibility
  to deal with uncertainties.
- Use scenario planning, business impact analysis, vulnerability assessments,
  and statistical modeling, but remember, these are only tools, some of which
  may or may not be appropriate. Never forget strategic risk management is
  as much an art as it is a science.
- Harmonize (ensure risk managers all speak the same language), synchronize
  (coordinate across institutional boundaries), and rationalize (eliminate
  duplication of effort) existing risk management functions to drive down
  the cost of good risk management.
Effective strategic risk management should enable companies to state unequivocally
and document clearly the organization's risk exposure. Most importantly, with
an appropriate risk strategy in place, the decision to accept risk exposure
will be informed, deliberate, and justified.
Note: Also see our next installment, Balancing Risk Probability and Vulnerability,
which addresses understanding the relationship of vulnerability to probability
in the risk assessment process.
Michael Corcoran is a partner in the Enterprise Risk Services practice at
Deloitte & Touche LLP. He can be reached at (404) 220–1729 or at micorcoran@deloitte.com.
Opinions expressed in Expert Commentary articles are those of the author and are
not necessarily held by the author’s employer or IRMI. This article does not purport
to provide legal, accounting, or other professional advice or opinion. If such advice
is needed, consult with your attorney, accountant, or other qualified adviser.