How many senior executives and directors can name a chief risk officer who has advised them that the organization is too risk averse? In the digital age, not enough. Protiviti’s Jim DeLoach discusses.
The ground rules for risk and reward are well known. These rules hold that one must take risks to grow, and typically, the more risk one takes, the higher the potential return. They also suggest that a risk-averse mindset often leads to a lower return. These canonical laws have been embedded in business and finance since before any of us were born.
But in the digital age, these time-honored tenets must reflect more prominently the risks of inaction and organizational resistance to change. Given the pace of change in the digital economy, the realities are such that it’s not just a matter of taking risk to grow or generate greater returns, it’s also a matter of survival. Bottom line: Organizations must undertake more risk than they may be accustomed to taking if they are going to survive. Refusal to take risk means accepting the risk of growing stale and becoming irrelevant. This is no time to be comfortable with the status quo.
Taking risk means more than introducing new products and entering new markets. It entails becoming more innovative in reimagining processes, disrupting business models and even reinventing the organization itself. In the digital age, executive management and the board have an important role to play in strengthening and nurturing the risk culture that facilitates the initiative, creativity and digital thinking so vital to success.
Over three decades, thinking around best-of-class risk management has evolved from a fragmented, siloed model focused narrowly on myriad risks to an enterprisewide approach focused on the most critical enterprise risks and integrated with strategy setting and performance management. Cultural attributes illustrating this transition are illustrated in the following table:
|Risk Culture Attribute||Traditional View||Fit for the Digital Age|
|Attitude||Avoid, Mitigate Risk
|Take Risk Within Limits
Maximize Upside, Manage Downside
Be Proactive, Agile
|Focus||Present, Looking Backward||Anticipatory, Looking Forward|
|Types of Risk||Operational, Financial and Compliance||Strategic, Disruptive Change and Digital Risk|
|View of Risk Profile||List of Risks||Variability of Outcomes|
|Risk Appetite||Not Articulated||Agreed by CEO/Board|
|Objective||List Risks, Treat Risk||Optimize Risk Profile
Facilitate Successful Outcomes
|Measurement||Heat Maps||Monte Carlo, “What If” Analysis, Stress Testing|
In the digital age, risk management must be strategic. Traditional risk management applies an analytical framework to assess risks and opportunities with different characteristics and time horizon considerations in the same way, without considering multiple views of the future. This approach ignores the reality of uncertainties organizations face in the digital age and is often influenced by past experience and subjective assessments, fostering groupthink, pre-empting out-of-the-box thinking and offering little insight as to what to do about exposures to disruptive events. It also does not account for the increased velocity of change in the digital economy.
Many of the risks and opportunities unique to the digital age are “compensated,” meaning they are two-sided and present enormous potential for upside that compensates for the downside exposure. If all foreseeable future outcomes were listed as a result of undertaking a given risk or group of interrelated risks along with the expected net cash flows relating to each possible outcome and their respective probability of occurrence, a distribution of possible outcomes results with both net positive and negative cash flow results, giving rise to performance variability. Therefore, compensated risks are inseparable from setting and executing the organization’s strategy.
This is why traditional risk management often does not influence strategy, as it often focuses on mitigating and avoiding uncompensated risks. Such risks are often one-sided, because they offer the potential for downside with little or no upside potential (i.e., every foreseeable outcome results in net cash outflows, creating a loss exposure). These risks include environmental, health and safety risks.
That said, when managing such loss-exposure risks, care must be taken not to ignore interrelationships with other risks that offer upside potential, because they are compensated risks. For example, there is no upside if a cyber or privacy incident were to occur. However, an overly cautious approach that eliminates too much risk might limit or delay innovation opportunities that offer significant upside. Therefore, managing cyber and privacy risk in isolation may not be in the best interests of the business. If a company is evaluating whether to apply digital technologies to enhance its processes, launch a new product or service or differentiate customer experiences, it also needs to consider how much exposure to cyber and privacy risk it is willing to accept. With today’s optics on managing the reputational fallout of security breaches, this question requires careful consideration.
In the digital age, risk management must help leaders make the best bets from a risk/reward standpoint that have the greatest potential for creating enterprise value. This means that the creation and protection of enterprise value in the digital age depend on the organization’s ability to pursue compensated risks and opportunities successfully and either avoid or transfer uncompensated risks or reduce them to an acceptable level. A risk-informed approach fit for the digital age is one that is strategic in considering the impact of risk on strategy and performance; balanced in evaluating both opportunity and risk; integrated with strategy setting, planning and business execution; and customized, reflecting organizational business needs, expectations and cultural attributes.
As the keystone that balances the inevitable tension between (a) creating enterprise value through strategy and driving performance on the one hand and (b) protecting enterprise value through risk appetite and managing risk on the other hand, risk culture balances the push between strategy and risk appetite – an essential goal in the digital age.
Digital Leaders proactively take risk, whereas Digital Skeptics do not (see my article on assessing an organization’s digital readiness). Additional aspects of the risk culture relevant to the digital age are illustrated in the following table:
|Risk Culture Attribute||Traditional View||Fit for the Digital Age|
|Digital Maturity||Skeptic or Beginner||Agile Follower or Leader|
|Customer Orientation||Passive Awareness||Passionate Focus|
|Decision Making||Get All the Facts First
Lack of Real-Time Intelligence
|Innovation||Failure Impedes Careers||Failure Celebrated, Fail Fast|
|Line of Sight||Make the Numbers
Pursue the Possible
|Industry Vision||Watch the Wallet||Watch the Disrupters|
|Leadership Style||Conformist, Catch Up||Contrarian, Set the Pace|
In the digital economy, risk management must contribute to reshaping strategy in advance of disruptive change. Integrating more sophisticated quantification and monitoring capabilities into the day-to-day activities of the business in executing the strategy and focusing on the risks and opportunities that matter can help management frame a composite risk profile fit for the digital age and provide more granular information on key aspects of the strategy as well as costs and benefits expected from alternative scenarios.
Market-changing organizations are built differently. It is our view that a Digital Leader has a very different approach to risk management than a Digital Skeptic or Digital Beginner. In the digital age, it is all about maximizing the upside while managing the downside, thus fitting the profile of companies best positioned to compete, thrive and win with an obsessive focus on growth and improving the customer experience. If the organization does not advance its digital maturity, another risk arises. We call it “digital risk,” or the risk of choosing not to get uncomfortable in the digital age. Accordingly, a traditional approach to risk management might be the biggest risk that an organization faces when it seeks to grow and defend share against new entrants.
In the digital age, becoming a leader entails revisiting risk mitigation strategies with an eye toward accepting more risk and exploiting the upside potential of market opportunities. For example, rather than merely mitigating risks to the execution of the strategy, companies should also use scenario analysis (Monte Carlo and/or “what if” analysis) to assess the impact on the achievement of strategic objectives and desired corporate risk profile of alternative scenarios. This analysis contributes to a more robust strategic decision-making process.
Our advice to executive management and boards: It is time to change the corporate risk culture, and digital-savvy executives and directors should lead the way.
Questions for Executive Management and Boards
Following are some suggested questions that executive management teams and boards of directors may consider, based on the risks inherent in the organization’s operations:
- Is the organization’s risk culture enabling its advancement in digital maturity? Or is it a barrier requiring executive management’s and the board’s attention from a change management standpoint?
- Does the board possess the digital savviness to provide leadership and support the CEO? Is there sufficient digital savviness on and available to the executive team?
- Is executive management and the board satisfied that the company understands the digital economy and is embracing the market differentiation possibilities in its strategic thinking? Do senior executives and the board receive risk-informed insights, competitive intelligence and opportunities to secure early-mover positioning in the marketplace, fostering more effective dialogue in decision-making processes and improved anticipation of future exposures and vulnerabilities?