Source: The Wall Street Journal

Businesses have long recognized the importance of risk management to address competitive, economic, and geopolitical threats. But organizations can use risk management for more than threat mitigation. They can also use it to create value, according to Henry Ristuccia, a partner with Deloitte & Touche LLP. Ristuccia shares his views on risk management in the digital age; the measures leading companies are taking to stay ahead of reputational risks caused by social media; and the role big data can play in helping companies transform risk management.

You talk about moving risk management beyond its traditional defensive role into a position where it creates value for an organization. What do you mean by that?

Ristuccia: By creating value, I mean moving the topic of risk into the strategy dimension. At Deloitte, we generally talk about two types of risk involving strategy. First, there are risks to the strategy. These include factors required to execute it, such as whether a company has the right people and whether it operates in the right markets. Second, there are risks of the strategy—the business risks the strategy creates. Strategic risk is the art of striking a balance between risk-taking and preservation.

Based on your interactions with executives, how widespread is strategic risk management?

Companies recognize they need to move in this direction, and the C-suite (the CEO in particular) is driving the shift. Pressure from boards, legislators, regulators, institutional investors, ratings agencies, and even the public has led senior executives to begin modifying their approach to risk management beyond discussions of what risk framework they should use or whether to extend risk assessments to lower levels of their organizations. They’re increasingly trying to tie risk to business strategy, but the vast majority of organizations have not reached the value creation stage.

What can companies do to get there?

Progressive companies recognize the need for an effective balance of risk activities and responsibilities between the board and the CEO. That entails an ongoing dialogue about the potential effects on the short- and long-term strategy of such risk issues as cyber security, mobile, big data, cloud, and social media. Boards and CEOs should also address changing macroeconomic factors, industry-specific issues, and the geographic and socioeconomic issues that influence how their companies do business. We see about 15 to 20 percent of large companies being very engaged in that kind of a dialogue with their boards.

Which risks most concern senior executives and board members, and how are they addressing them?

Their greatest concern is reputational risk, and executives and board members know they need to think about this differently in the digital age. Organizations concerned about damage to their reputation, particularly from social media, can employ some leading practices, but to my knowledge, we don’t yet have a solid framework for addressing social media risk.

While many senior stakeholders understand the importance of managing reputational risk, some think only in terms of responding to an adverse event, or crisis management. Instead, they should prepare to get in front of potential adverse events by understanding their supply chain, the risks their operations might be taking, and where they are vulnerable in every aspect of their business.

They should also look for ways to mine big data effectively. Organizations recognize the volume of data available to help manage risk, but they have to separate the meaningful information from the noise. Then they can use the data to build a strategy or communications program that addresses what the public wants and needs from a risk standpoint.

Businesses can also use big data to help determine where to allocate assets, make investments, and run operations differently, all of which have a market and risk dimension. Big data and social media present significant opportunities for companies to change their business models and attendant risks, but not everyone thinks this way. Those that don’t miss a real opportunity to leverage the digital age to improve the way they run their businesses. That’s where risk and opportunity intersect.

What leading practices are boards using to promote and monitor the effectiveness of risk management programs?

Boards that excel at this are interested in understanding the link between risk and business strategy. They’re able to articulate the business strategy and related strategic and operational risks. They also understand management’s measures for ensuring risks are well managed and revisited regularly. These proactive boards want to talk about risks, their possible impact on the business strategy, and how they’re being addressed. They also want to talk about these issues at offsite sessions, twice a year at a minimum, in order to focus. Many board members say they get so bogged down in certain management issues that they want to step back and talk about the bigger picture as a board to improve execution.

What role does culture play in a company’s effort to improve its risk management programs?

Organizational culture probably garners the least attention, yet it is possibly the most important. In traditional enterprise risk management, culture wasn’t a factor, so it didn’t get the attention it may have deserved. Culture starts at the top, with the tone set by the board, the CEO, and the rest of the C-suite. Then it becomes part of the organization’s fabric at the business unit level. Each organization has to strike a balance between performance and prudent risk management, but we’d like to see more organizations focusing on the cultural aspect of risk.

That said, more forward-looking organizations recognize the value of culture to the risk management process. Risk management isn’t just a process performed by a few or by management; employees across the board understand the concept of risk, and they become risk managers in the business, implementing methods that can help the organization run better.