Not long ago, executives believed that a hallmark of the well-run enterprise was its ability to actively avoid risk while pursuing objectives devoid of danger. Today, most prudent leaders understand that risk cannot be avoided. However, significantly fewer realize that to achieve success, companies should not simply accept the inevitability of risk, but should actually embrace it.
We define risk as:
the potential for loss or the diminished opportunity for gain caused by factors that can adversely affect the achievement of a company's objectives.
Note the dual nature of this definition. Risk Intelligence involves not just the avoidance of the negative (e.g., prevent employee fraud) but also the attainment of the positive (e.g., create a blockbuster product). Aside from blind luck, only through intelligent risk taking—that is, knowledgeable and deliberate pursuit of a business strategy in the face of understood risks—can a company create a successful product.
Risks emerge from a potent mix of factors, including regulatory compliance, competitive pressure, environmental impacts, security and privacy concerns, business continuity, strategic planning, reporting protocols, operational processes, sustainability, and more. Companies of differing sizes, industries, and geographies will face a varied and unique arrangement of risk factors.
A perusal of history suggests negative events of all sorts will regularly occur, and businesses caught off guard will pay a price. However, the impact of bad things happening is less for those companies prepared to deal with a range of risks and opportunities simultaneously. The ability to handle multiple threats (such as a hurricane creating both a supply chain and human resource disruption) while also capitalizing on immediate opportunities (such as being able to serve competitors' customers during an outage) constitutes an optimal risk management program.
Risk management, as currently practiced, is often a one-time, internally disruptive event. Despite fancy analytical capability and dedicated professionals, many companies deploy a risk management system that is more theoretical than practical, based on anecdotal rather than empirical evidence, and one that is fragmented across jurisdictions, industries, and frameworks. The result is less risk management and more risk recognition. It's a good start but only a start.
Developing a Risk Strategy
Risk intelligence, on the other hand, requires a real-time, ongoing process capable of engaging external risks and opportunities to fulfill stated company objectives within accepted risk-taking parameters. To attain this state requires, first, executives who actually understand the nature of risk and, second, a well-defined strategy to guide an organization's risk management program.
Strategic risk management is not merely identifying risks, nor is it listing objectives to be achieved in dealing with identified risk. Both the identification and the elucidation are necessary—but not sufficient—to complete the optimum risk management program. Strategy is key. An effective strategy will include the following procedures to deal with the full spectrum of risk defined above:
- Risk assessment should begin by identifying a company's most basic strategic assumptions followed by questioning their veracity. In our experience, more risk losses can be attributed to the failure to challenge basic assumptions than anything else.
- Understand the difference between unrewarded and rewarded risk and allocate resources accordingly. For example, compliance with regulatory requirements is necessary but won't result in a reward. Acquiring a competitor might.
- Focus on finite effects instead of infinite causes. Understand critical assets and dependencies and plan for their independent functioning when necessary.
- Test organizational resilience under different scenarios. Improve flexibility to deal with uncertainties.
- Use scenario planning, business impact analysis, vulnerability assessments, and statistical modeling, but remember, these are only tools, some of which may or may not be appropriate. Never forget strategic risk management is as much an art as it is a science.
- Harmonize (ensure risk managers all speak the same language), synchronize (coordinate across institutional boundaries), and rationalize (eliminate duplication of effort) existing risk management functions to drive down the cost of good risk management.
Effective strategic risk management should enable companies to state unequivocally and document clearly the organization's risk exposure. Most importantly, with an appropriate risk strategy in place, the decision to accept risk exposure will be informed, deliberate, and justified.
Also see our next installment, Balancing Risk Probability and Vulnerability, which addresses understanding the relationship of vulnerability to probability in the risk assessment process.
Michael Corcoran is a partner in the Enterprise Risk Services practice at Deloitte & Touche LLP. He can be reached at (404) 220–1729.
Opinions expressed in Expert Commentary articles are those of the author and are not necessarily held by the author's employer or IRMI. Expert Commentary articles and other IRMI Online content do not purport to provide legal, accounting, or other professional advice or opinion. If such advice is needed, consult with your attorney, accountant, or other qualified adviser.
