Skip Navigation Links.
Collapse IRMI OnlineIRMI Online
Expand How To Use IRMI OnlineHow To Use IRMI Online
My Paid Publications
Expand What's NewWhat's New
Expand DashboardsDashboards
Expand Commercial Liability InformationCommercial Liability Information
Expand Commercial Property InformationCommercial Property Information
Expand Commercial Auto InformationCommercial Auto Information
Expand D&O, PL, E&O, EPLI InformationD&O, PL, E&O, EPLI Information
Expand Workers Compensation InformationWorkers Compensation Information
Classifications and Cross-References
Collapse Risk Mgt. and Multiline InformationRisk Mgt. and Multiline Information
Expand Risk Management -- Why and HowRisk Management -- Why and How
Collapse Free Risk Management and Multiline CommentaryFree Risk Management and Multiline Commentary
Expand Brand Equity and Product RecallBrand Equity and Product Recall
Expand Catastrophe Risk ManagementCatastrophe Risk Management
Expand Corporate AviationCorporate Aviation
Expand Corporate Fraud PreventionCorporate Fraud Prevention
Expand Cyber and Privacy Risk and InsuranceCyber and Privacy Risk and Insurance
Expand Drafting and Interpreting Insurance PoliciesDrafting and Interpreting Insurance Policies
Collapse Enterprise Risk ManagementEnterprise Risk Management
Add Spreadsheets to Your Risk Inventory (July 2009)
The Role of the CIO in the Risk Intelligent Enterprise (February 2009)
Where Was Enterprise Risk Management? (November 2008)
Critical Role for the Chief Audit Executive: Aligning Risk Assessment (October 2008)
Chief Audit Executives and Risk Management Silos (March 2008)
Risk Management's Chief Audit Executive (December 2007)
Prescribing Risk Intelligence for the Life Sciences Sector (December 2007)
Enterprise Risk Management in Uncertain Times (October 2007)
Taking Risks To Create Value—It's What Capitalism's All About! (September 2007)
Risk Management Practices Cannot Be "Bolted On" (July 2007)
When Risks Marry and Multiply (June 2007)
Balancing Risk Probability and Vulnerability (May 2007)
Addressing the Full Spectrum of Risks (May 2007)
Bridging the "Silos" (April 2007)
Traditional Risk Management Inadequate To Deal with Today's Threats (March 2007)
The Alchemy of Enterprise Risk Management: Examples from the Investment World (December 2003)
Practical ERM Applications: Risk Integration (September 2003)
Implementing Enterprise Risk Management: Getting the Fundamentals Right (June 2003)
ERM Lessons Across Industries (March 2003)
Practical ERM Applications: Capital Allocation (November 2002)
Practical ERM Applications: Assessing Capital Adequacy (September 2002)
The Language of Enterprise Risk Management: A Practical Glossary and Discussion of Relevant Terms, Concepts, Models, and Measures (May 2002)
Implementing Enterprise Risk Management: The Emerging Role of the Chief Risk Officer (January 2002)
ERM and September 11 (November 2001)
Modeling the Reality of Risk: The Cornerstone of Enterprise Risk Management (July 2001)
Enterprise Risk Management in the Financial Services Industry: From Concept to Management Process (November 2000)
Enterprise Risk Management in the Financial Services Industry: Still a Long Way To Go (August 2000)
Enterprise Risk Management: What's Beyond the Talk? (May 2000)
Expand Internal ControlsInternal Controls
Expand NanotechnologyNanotechnology
Expand Political RiskPolitical Risk
Expand Risk Management TechnologyRisk Management Technology
Expand SecuritySecurity
Expand Terrorism Risk Management & InsuranceTerrorism Risk Management & Insurance
Expand IRMI InsightsIRMI Insights
Expand IRMI Update Newsletter ArchivesIRMI Update Newsletter Archives
Expand Risk Finance InformationRisk Finance Information
Expand Construction InformationConstruction Information
Expand Personal Lines InformationPersonal Lines Information
Expand Claims, Caselaw, LegalClaims, Caselaw, Legal
Expand Insurance IndustryInsurance Industry
Expand Glossary of Insurance & Risk Management TermsGlossary of Insurance & Risk Management Terms
Expand SearchSearch
Terms of Use
Privacy Statement
System Requirements
Support

Addressing the Full Spectrum of Risks

May 2007

Not long ago, executives believed that a hallmark of the well-run enterprise was its ability to actively avoid risk while pursuing objectives devoid of danger. Today, most prudent leaders understand that risk cannot be avoided. However, significantly fewer realize that to achieve success, companies should not simply accept the inevitability of risk, but should actually embrace it.

by Mark Layton and Michael Corcoran
Deloitte & Touche

We define risk as:

  • the potential for loss or the diminished opportunity for gain caused by factors that can adversely affect the achievement of a company’s objectives.

Note the dual nature of this definition. Risk Intelligence involves not just the avoidance of the negative (e.g., prevent employee fraud) but also the attainment of the positive (e.g., create a blockbuster product). Aside from blind luck, only through intelligent risk taking—that is, knowledgeable and deliberate pursuit of a business strategy in the face of understood risks—can a company create a successful product.

Risks emerge from a potent mix of factors, including regulatory compliance, competitive pressure, environmental impacts, security and privacy concerns, business continuity, strategic planning, reporting protocols, operational processes, sustainability, and more. Companies of differing sizes, industries, and geographies will face a varied and unique arrangement of risk factors.

A perusal of history suggests negative events of all sorts will regularly occur, and businesses caught off guard will pay a price. However, the impact of bad things happening is less for those companies prepared to deal with a range of risks and opportunities simultaneously. The ability to handle multiple threats (such as a hurricane creating both a supply chain and human resource disruption) while also capitalizing on immediate opportunities (such as being able to serve competitors’ customers during an outage) constitutes an optimal risk management program.

Risk management, as currently practiced, is often a one-time, internally disruptive event. Despite fancy analytical capability and dedicated professionals, many companies deploy a risk management system that is more theoretical than practical, based on anecdotal rather than empirical evidence, and one that is fragmented across jurisdictions, industries, and frameworks. The result is less risk management and more risk recognition. It’s a good start but only a start.

Developing a Risk Strategy

Risk intelligence, on the other hand, requires a real-time, ongoing process capable of engaging external risks and opportunities to fulfill stated company objectives within accepted risk-taking parameters. To attain this state requires, first, executives who actually understand the nature of risk and, second, a well-defined strategy to guide an organization’s risk management program.

Strategic risk management is not merely identifying risks, nor is it listing objectives to be achieved in dealing with identified risk. Both the identification and the elucidation are necessary—but not sufficient—to complete the optimum risk management program. Strategy is key. An effective strategy will include the following procedures to deal with the full spectrum of risk defined above:

  • Risk assessment should begin by identifying a company’s most basic strategic assumptions followed by questioning their veracity. In our experience, more risk losses can be attributed to the failure to challenge basic assumptions than anything else.

  • Understand the difference between unrewarded and rewarded risk and allocate resources accordingly. For example, compliance with regulatory requirements is necessary but won’t result in a reward. Acquiring a competitor might.

  • Focus on finite effects instead of infinite causes. Understand critical assets and dependencies and plan for their independent functioning when necessary.

  • Test organizational resilience under different scenarios. Improve flexibility to deal with uncertainties.

  • Use scenario planning, business impact analysis, vulnerability assessments, and statistical modeling, but remember, these are only tools, some of which may or may not be appropriate. Never forget strategic risk management is as much an art as it is a science.

  • Harmonize (ensure risk managers all speak the same language), synchronize (coordinate across institutional boundaries), and rationalize (eliminate duplication of effort) existing risk management functions to drive down the cost of good risk management.

Effective strategic risk management should enable companies to state unequivocally and document clearly the organization's risk exposure. Most importantly, with an appropriate risk strategy in place, the decision to accept risk exposure will be informed, deliberate, and justified.

Note: Also see our next installment, Balancing Risk Probability and Vulnerability, which addresses understanding the relationship of vulnerability to probability in the risk assessment process.

Michael Corcoran is a partner in the Enterprise Risk Services practice at Deloitte & Touche LLP. He can be reached at (404) 220-1729 or at .

Opinions expressed in Expert Commentary articles are those of the author and are not necessarily held by the author's employer or IRMI. Expert Commentary articles and other IRMI Online content do not purport to provide legal, accounting, or other professional advice or opinion. If such advice is needed, consult with your attorney, accountant, or other qualified adviser.
Advertisements
    
 
© 2000-2012 International Risk Management Institute, Inc. (IRMI). All rights reserved.