If you receive errors when attempting to view this white paper, please install the latest version of
Adobe Reader.
"SAP Business Objects and UHY Advisors invite you to view this important on-demand Webcast presentation that demonstrates how building a
risk intelligent organization can help you increase strategic performance by proactively identifying and mitigating risks across your enterprise. "
Source : SAP
The Two Faces of Risk: Cultivating Risk Intelligence for Competitive Advantage
Risk Intelligence is also known as :
Risk Intelligence,
Projects Risk Intelligence,
Increasing Risk Intelligence,
Focus Risk Intelligence,
Enterprise Risk Services,
Environment Risk Intelligence,
Enterprise Risk Management,
Definition of Risk Intelligence,
Risk Intelligence Discussion,
Risk Management Tool,
Risk Intelligence Free,
Risk Intelligence Learning,
Library Risk Intelligence,
Risk Intelligence Best Practices,
Forward Risk Intelligence,
Risk and Vulnerability Intelligence,
Intelligence Applications Risk,
Two Faces of Risk,
Risk Intelligence Company,
Future Risk Intelligence,
Risk Intelligence Metrics,
Workshop Risk Intelligence,
Skills Risk Intelligence,
Cultivating Risk Intelligence,
Enterprise Risk Intelligence,
Centre for Risk Intelligence,
Quality of Risk Intelligence,
Think Risk Management,
Risk Intelligence Global,
Strategic Risk Intelligence.
You needn’t be a seer or sage to
perceive risk. It’s as predictable
and as devastating as a Florida
hurricane and as far-reaching as a
corporate scandal. But you do need
to be a visionary to see the opposite
side of the risk coin, the one that
lands face down after you flip. The
underside represents opportunity,
competitiveness and growth.
What do these things have to do
with risk? Quite a bit, in fact.
Rewards, and Lack Thereof
Traditional approaches to risk management emphasize mitigation, focusing on
the readily apparent risks facing a company in the areas of security, privacy,
credit, regulatory, technology, fraud and more. These threats are, of course, important
and must be addressed.
But enlightened risk managers (and we are talking about the entire C-suite
here, not just the chief risk officer) don’t worry just about the bad things that could
happen, such as the theft of sensitive customer data. They also consider the good
things that might occur, like introducing a hit product to the marketplace. While
it’s important to evaluate potential crises, it’s equally critical to consider risks that
are linked to success so you can capitalize on opportunities. What if, for example,
your factory doesn’t have the production capacity to meet the demand for your new
blockbuster product? You’ve just squandered an opportunity.
We call these two faces of risk “rewarded risk” and “unrewarded risk.”
Unrewarded risk represents what poker players call “table stakes”: you’ve got to
ante up just to get into the game. The ante, of course, doesn’t guarantee success; it only
ensures that a hand of cards will be dealt to you. Numerous examples of unrewarded
risk appear in business. For instance, every public company in the United States
must comply with payroll tax withholding laws, observe OSHA health and safety
requirements, and pay bills when they come due. Yet companies that perform all of
these tasks in a timely and competent manner don’t see their share prices surge as a
result. These kinds of activities simply meet expectations of shareholders, regulators,
suppliers, analysts and other stakeholders. The attendant risks can’t be ignored, but
the primary incentive for addressing them is value protection, not value creation.
Conversely, rewarded risks represent the strategic bets that you place during your
poker game. You’ve assessed your hand, sussed out the competition and wagered a stack
of chips with the expectation of raking in many more than you’ve laid out. In business,
rewarded risks are those bets you make as you develop new products, enter new markets
or acquire new companies. The primary motivation for taking rewarded risks is to spur
value creation.
Fixate on just one side of the coin and you’ll get a one-sided result. Focus on value
creation (rewarded risk) to the exclusion of value protection (unrewarded risk) and you’ll
quickly find yourself on the slippery slope of noncompliance, litigation, reputational risk
and other nastiness. Similarly, address only unrewarded risk and ignore rewarded risk,
and your company may survive but will never thrive.
In acknowledgement of these two faces of risk, we have coined the following
business maxim:
“Organizations that are most effective and efficient in managing risks to both existing
assets and to future growth will, in the long run, outperform those that are less
so. Simply put, companies make money by taking intelligent risks and lose money
by failing to manage risk intelligently.”
Why You Should Care
If risk is not on your radar screen, it’s time to upgrade your detection equipment. A
convergence of factors has converted risk management programs from a “nice to have”
option to a “can’t live without” imperative. These factors include the following.
Regulatory pressures have increased:
The New York Stock Exchange now requires
the audit committees of all listed companies to evaluate the risk management
practices of the company.
Stakeholders are flexing their muscles:
Institutional investors now routinely include
risk management considerations in their investment decisions. Money will gravitate
toward those companies with sound practices in place.
The cost of capital is impacted:
Moody’s and Standard & Poor’s now include enterprise
risk management (ERM) capabilities in their evaluation criteria. Companies
deemed deficient can face an increase in the cost of capital.
The Internet has changed the game:
When news, data and even cell phone video
clips can traverse the globe in mere seconds, the ability of companies to discreetly deal
with threats to their reputation has eroded.
Corporate risk has become personal:
The out-of-pocket settlements in recent shareholder
lawsuits have directors and executives clutching their wallets all across the country.
The Failure Taboo
If your executive suite is like most, you’ll hear little talk of failure around the boardroom
table. Failure is simply taboo. Only “negative thinkers” and “naysayers” raise
the specter of something going wrong, usually at their own peril. Instead, discussion
usually centers on the positive aspects of the company’s strategy and the need to rally
around said strategy, with scant consideration of the downside possibilities.
But at some point, you’ve got to push the head-nodders and the yes-people aside
because it’s time to put failure on the agenda. Only by first acknowledging and then analyzing
risks and uncertainties that threaten the achievement of corporate objectives can
companies manage them effectively. Only by challenging the assumptions that underlie
strategic planning can the prospect for success be strengthened. Only by recognizing the
potential for failure can failure itself be avoided.
Organizations that don’t address failure in advance often find themselves feeling
the effects later. Consider, for example, the hypothetical case of a successful American
consumer products company about to make its first foray overseas. Perhaps blinded with
enthusiasm over its expansion, the company makes some critical erroneous assumptions.
For one, it presumes that its new consumers are essentially non-English speaking clones
of American customers, with the same needs and preferences. Based on this flawed assessment,
the company creates a marketing campaign around colorful packaging and
eye-catching floor displays, assuming these are major drivers of consumer behavior.
Unfortunately, in this new territory, consumers prefer minimal adornment and look
askance at garishly displayed goods. The company also presumes that it can severely
undercut the competition on price, but soon learns that that loss-leader pricing is illegal.
And finally, the company offers discount coupons in exchange for customer
names and email addresses, only to discover that its new customers jealously
guard their privacy and are reluctant to divulge personal data.
“Organizations that are most effective and
efficient in managing risks to both existing
assets and to future growth will, in the
long run, outperform those that are less so.
Simply put, companies make money by
taking intelligent risks and lose money
by failing to manage risk intelligently.”
This failure to anticipate and investigate the potential negative consequences of its
overseas expansion proves a painful lesson, as evidenced by weak sales figures, scant
market penetration and, ultimately, withdrawal from the country altogether. The cost
of this folly? In the tens of millions.
For many companies, the failure to imagine failure represents a gaping void. Fundament
questions that must be asked, not avoided, including the following.
What could cause us to fail in:
- attaining and sustaining revenue growth?
- increasing our operating margins and improve the efficiency of our assets?
- meeting the expectations of our key stakeholders?
By asking these questions, and by understanding how the enterprise can fail, planners
and decision-makers can then decide how to prevent it, how to more readily detect
early warning signs and how to implement course corrections.
This capacity to imagine and then prevent failure must be built into the strategic
planning process. Organizations need to be intelligent about the risks they take to gain
and sustain competitive advantage as well as the risks they avoid or mitigate to protect
their existing assets.
The Risk Intelligent Enterprise
We describe this type of organization as the Risk Intelligent Enterprise. These exceptional
organizations have attained a high state of risk management capabilities. A
Risk Intelligent Enterprise displays characteristics such as the following:
It develops full-spectrum vision:
An abundance of risks assault companies every
day, including compliance, competitive, environmental, security, privacy, strategic, reporting
and operational risk. Yet, in our experience, it’s the rare company that keeps
them all in view. For example, financial services companies may have a comprehensive
grasp of interest rate, currency and credit risk, but how many are prepared to deal with
a flu pandemic that incapacitates a large percentage of its workforce? While acknowledging
that there’s no such thing as perfect protection, a Risk Intelligent Enterprise adopts
management strategies that address the full spectrum of risks.
It bridges silos:
There’s nothing wrong with risk specialization. In fact, in today’s
high-risk environment, deep knowledge of specific risks and responses is essential. But
problems arise when risk specialists work in divisional or geographic isolation, unaware
of each other’s activities. Risk Intelligent Enterprises systematically build bridges between
these risk “silos” to open lines of communication and share information. This
entails more than a couple of risk managers meeting over an occasional cup of coffee. To
gain what we call a “portfolio view” of risk, a risk management “charter” should be established
that calls for the full roster of specialists to conduct meetings that are frequent,
formal, structured and documented. Management and the board should be regularly
apprised of these meetings and any outcomes.
It speaks a common language:
One byproduct of the tendency of risk specialists
to work in silos is that this insular world becomes its own ecosystem, with its own
language, customs and metrics. This results in a fragmented view of risk, confusion
for those outside the silo and a duplication of effort for risk assessment activities.
Risk Intelligent Enterprises develop common risk terminology so that everyone in the
organization speaks the same language. These companies also adopt similar metrics
so that the risks facing one division can be reliably compared to those facing other
segments of the company.
It assesses impact:
With companies facing a nearly infinite number of risks,
planning for every single one is a near-impossibility. Instead, we recommend that
business leaders focus on the finite impacts that could result from multiple threats.
For example, a terror attack, a hurricane, and a transit strike are three unrelated
risks that can all have a similar outcome, preventing people from getting to work.
Addressing the impact rather than the cause allows one contingency plan to accommodate
multiple threats.
It cultivates risk consciousness:
If risk management is thought of as something
that internal audit handles or that corporate counsel worries about or that the
chief risk officer has under control, chances are that significant exposure
remains. Rather, risk management should be considered an organizationwide
responsibility and competency. Only when risk management practices
are infused into the corporate culture, so that strategy and decision-making
evolve out of a risk-informed process, can a company truly be considered risk intelligent.
Those who traditionally focus on strategy while leaving risk considerations to others
— the CEO, the CFO, the board, and other key executives — need to develop a risk consciousness
of their own.
It pursues risk-taking for reward:
As noted earlier, Risk Intelligent Enterprises
practice not only risk mitigation but also risk-taking as a means to value creation.
These companies value the ability to capitalize on market opportunities as highly as
they do preparedness for potential disruptions. In other words, a risk intelligent approach
is not simply about bad outcomes to be avoided but also about good outcomes
to be attained.
“Only when risk management practices are
infused into the corporate culture, so that
strategy and decision-making evolve out
of a risk-informed process, can a company
truly be considered risk intelligent.”
Eavesdropping on the Risk Conversation
Our risk-related conversations with business executives generally take one of two
tracks:
“ERM? Yeah, we’re doing that.”
To which we usually answer: “No, you’re not.”
To explain, we break down the term “Enterprise Risk Management.” We start with
the first word, “Enterprise,” which, by definition, encompasses the entire organization.
Yet rarely do risk management activities transcend corporate boundaries. An
actuary or analyst, holed up in an office, may be practicing “RM,” but in the absence
of coordination with other risk managers, the “E” cannot appropriately be appended
to that description.
“Risk,” as we have defined it above, comes in two flavors, rewarded and unrewarded.
If a company only focuses on one aspect of risk, as do most, it is ignoring an area of significant
concern and thus not truly being risk-intelligent.
And, finally, “Management” implies a certain level of efficiency and effectiveness of
activity. But if companies have neither the entire organization in line nor the full spectrum
of risks covered, “management” seems like an overly generous description.
Thus, a company’s claim that it is “doing” ERM is summarily exposed.
Next we encounter response No. 2:
“ERM? I don’t have the time or the resources to take on another huge project.”
To which we reply: A program to bring risk intelligence to your organization doesn’t
have to be a massive and expensive undertaking. In fact, we recommend just the opposite:
small steps to bring about meaningful change.
Striding Toward Risk Intelligence
Here are the first few paces that put companies on the path to risk intelligence. Some
are simple and intuitive while others are more complex and challenging. But all
represent small steps leading to a big reward.
Try tackling one per week or one per month
- Think through risk. Read everything you can and determine how it applies to
your situation
- Get risk into the conversation. Engage peers, superiors, and subordinates. Talk
it up to the executives and the board. Don’t miss an opportunity to discuss risk and
risk intelligence.
- Have a one-day offsite meeting to address risk.
- Create crisis response and escalation procedures. Who is monitoring the early
warning signs? Who needs to know what when? Who’s in charge?
- Go for growth but imagine failure and how you can overcome it. Challenge
your most basic business assumptions. What could cause you to fail?
- Differentiate between rewarded versus unrewarded risk. What risks do you
need to take to be successful? What risks do you need to avoid?
- Improve risk knowledge. Share intelligence and understand the inter-dependencies.
- Stress-test your resilience under different scenarios. Improve flexibility to deal
with uncertainties.
- Focus on finite effects versus infinite causes. Understand critical assets and
dependencies and how long you can go without them.
- Prioritize. Focus on the vital few versus the trivial many. Don’t “boil the ocean.”
- Speak the same language. Harmonize (ensure risk managers all speak the same
language), synchronize (coordinate across institutional boundaries) and rationalize
(eliminate duplication of effort) existing risk management functions to drive down
the cost of good risk management.
And don’t forget the two faces of risk. You are in business to make money, to increase
shareholder value, to beat the competition. Consider the risks that could prevent you
from achieving these objectives. Risk-taking for reward is a fundamental premise of
capitalism. Use risk intelligence to make good things happen. DR
Steve Wagner
is the managing partner for Deloitte & Touche LLP’s U.S. Center for Corporate Governance
and the innovation leader for its Audit and Enterprise Risk Services practice.
Mark Layton
is a partner at Deloitte & Touche LLP and global leader for Enterprise Risk Services.