Mark Layton | March 1, 2007
The perception that the world is an increasingly risky place is not a case of imagination run amok. A recent study in Fortune magazine of S&P 500 companies showed that overall risk levels more than doubled between 1985 and 2006.
In the contemporary business environment, yesterday's risk management practices are no longer adequate to deal with today's threats. Seemingly unrelated items, including intense competition, natural disasters, fossil fuel dependency, terrorism, and regulatory requirements such as Sarbanes-Oxley and Health Insurance Portability and Accountability Act (HIPAA), all conspire to pose a new level of risks.
At the same time, the emergence of the Internet and the 24/7 news cycle creates a new risk factor for business—"speed of onset." When text and data and even cell phone video clips can circumnavigate the globe in the blink of an eye, the ability for companies to discreetly deal with a risk issue has essentially disappeared. Brand and reputation can plummet with frightening rapidity.
The inability to deal with risks of all types has resulted in a dramatic increase in CEO and CFO turnover. More worrisome, the failure to successfully manage risk can result in personal liability, as evidenced by recent out-of-pocket settlements paid by board directors. Given the stakes involved, what's needed is a better approach to risk management than typically practiced today.
Among the most significant issues inhibiting effective and efficient risk management is what we call the "silo factor." Typically, risk is assigned to risk managers within departments: The finance department monitors credit risk, public relations oversees reputation risk, facilities management supervises physical risk, IT focuses on data security risk, and so on.
While this level of specialization is essential, compartmentalizing risk managers in these silos results in a narrow, parochial view of risk and prevents top management from understanding risks facing the entire enterprise. Of course, risks don't respect silos; instead, they often cross-pollinate and propagate. For example, an IT security breach quickly becomes a reputational risk in the form of "bad press" that in the wake of litigation turns into a legal risk and then through settlements with those wronged concludes as a financial risk. Risks that combine and cascade in this manner are seldom successfully dealt with by isolated risk managers.
Another impediment to intelligent risk management may be traced to a company's understanding of the term. Many organizations use only a "half a loaf" definition of risk. That is, they consider only the "downside" aspects of risk—those factors that could threaten their existing assets, such as IT security breaches, physical plant safety, financial fraud, and the like. In our experience, far fewer organizations apply the principles of good risk management to "upside" opportunities, such as product development, entering new markets, and merger and acquisition activities.
Failure to adequately address the risks inherent in these activities may result in severe and unanticipated losses. Several well-known public companies reported losses in the billions, not by failing to anticipate terrorism or natural disasters, but as a result of ill-advised mergers, poor quality products, and decreased market share.
Rather than focusing solely on avoiding risks and thus losing opportunities to risk-taking competitors, companies can better manage risk by adopting the principles of "Risk Intelligence," in which the goal of extraordinary growth is achieved through proactive risk taking, not managed risk avoidance. We have found that organizations that are most effective in managing risks to both existing assets and to future growth will, in the long run, outperform those that are less so. Simply put, companies make money by taking intelligent risks and lose money by failing to manage risk intelligently.
The competitive benefits of Risk Intelligence include:
Steve Wagner is the managing partner for Deloitte & Touche LLP's U.S. Center for Corporate Governance and innovation leader for its Audit and Enterprise Risk Services practice. He can be reached at (617) 437-2200.
Opinions expressed in Expert Commentary articles are those of the author and are not necessarily held by the author's employer or IRMI. Expert Commentary articles and other IRMI Online content do not purport to provide legal, accounting, or other professional advice or opinion. If such advice is needed, consult with your attorney, accountant, or other qualified adviser.