Creating Value Through Effective Risk Management
Source: Deloitte & Touche LLP
Risk management, so often considered merely as a way to stave off threats from the various risks organizations face, can also be used as a tool to create value, as discussed by Henry Ristuccia, partner, Deloitte & Touche LLP, and global leader, Governance, Risk and Compliance Services, Deloitte Touche Tohmatsu Limited. Here Mr. Ristuccia draws on his 24 years of experience assisting organizations worldwide to share his views on risk management in this digital age, how boards are becoming more involved in risk oversight and what leading companies are doing to stay ahead of reputational risk issues.
Q: You’ve talked about moving risk management beyond the traditional defensive role and taking it to the next level in terms of creating value within an organization. Based on your interactions with executives, how widespread is that capability, and for those that aren’t there yet, what can they do to get to the value creation stage?
Henry Ristuccia: Companies are moving in that direction, but the vast majority are not there yet. However, they recognize that they need to move in that direction, and the movement is being driven by the C-suite, particularly the CEO. A lot of organizations are recognizing that risk management has to take a different approach because there’s pressure coming from the boards, legislators, regulators, institutional investors, ratings agencies and the public at large. The discussion is not just about what risk framework to use or expanding risk assessment to low levels of the organization. Rather, it’s really about tying risk to business strategy.
At Deloitte, we generally talk about two types of risk involving strategy. There are risks to the strategy, which means answering questions such as: ‘What is it going to take to execute our strategy?’; ‘Do we have the right people?’ and ‘Are we in the right markets?’ The second part is looking at risks of the strategy, which is a discussion that senior stakeholders within organizations, the board and the C-suite are having in many organizations, and it’s a discussion that has to be driven by the CEO.
We see some progressive companies recognizing that there needs to be an effective interaction between the board and the CEO in terms of the balance of risk activities and responsibilities. That happens when the CEO has both a short- and long-term business strategy and the board engages in a dialogue about the strategy and brings into the discussion such risk issues as cybersecurity, mobile, big data, cloud and social media and how they could affect the organization. The discussion also should include the changing macroeconomic factors, industry-specific issues and the geographic and socioeconomic issues related to how companies do business. So that’s what we mean by creating value: moving the topic of risk into the strategy dimension of the dialogue. We’re seeing about 15% to 20% of large companies being very engaged in that kind of a dialogue with their boards.
Q: What are some of the risk concerns you’re seeing among senior executives and board members and how are companies approaching them?
Henry Ristuccia: Their greatest risk is reputational risk, and executives and board members know they need to think about things differently in this digital age. Blogs can be inaccurate, but they move at lightning speed. For organizations that are concerned about damage to their reputation, particularly from social media, there are some leading practices they can follow. To my knowledge, however, there isn’t a solid framework yet.
While many senior stakeholders understand that managing reputational risk is key, some often think only in terms of responding to an adverse event, or crisis management. Rather, they should be talking about getting in front of the possibility of adverse events by understanding their supply chain, the risks their operations might be taking and where they are vulnerable in every aspect of their business. And they should be looking for ways to mine big data effectively because how well an organization manages reputational risk can depend on whether it’s able to mine its big data.
We see organizations recognizing that there’s a lot of data that could be used to manage risk, but they have to separate the meaningful information from the noise. When that happens, organizations can use the data to build a strategy or communications program that addresses what the public wants and needs from a risk standpoint. Big data also can be used to help the business determine where it should be allocating assets, making investments and running the business differently, all of which have both a market and risk dimension. There’s significant opportunity in leveraging big data and social media to change the business model and attendant risks, but not everyone is thinking about it that way. Those that don’t are missing the real opportunity of leveraging the digital age to run their business differently. And that’s where risk and opportunity intersect.
Q: What are some leading practices that boards are using to promote effective risk management programs and monitor them?
Henry Ristuccia: Boards that excel at this are interested in understanding how risk and business strategy are tied together. When you think about risk management there are four generally accepted categories today: strategic, operational, financial and compliance risks. Strategic risks are risks both to, and of, the business strategy, the business model and the organization’s mission. Operational risks are the assets, the methods that you’re using to execute your strategy, including people, process and technology. Financial risk is the finance side of running a business, including liquidity and capital. The fourth category is compliance risk, which is critical to all industries, but can be more challenging, inefficient and costly in regulated industries than in those that are less regulated.
While all categories of risk are important, the more challenging ones for senior stakeholders at the board level are strategic and operational risks. That’s where the boards that do a better job excel above the rest. Strategic risk is an art of how do you find that balance between risk-taking and preservation. Operational risk can be a challenge for management just to engage with the board on operational issues that really matter because everything is an operational issue. The question becomes, ‘What is the list of critical risks around operational issues?’ Not only is that difficult to do, but it varies depending on the business.
Those boards that are highly effective at risk management oversight are able to articulate the business strategy and what the risks are. And they understand what management is doing to ensure that the risks are well managed and are revisited on a regular basis. These proactive boards want to talk about risks and their possible impact on the business strategy and how it’s being addressed. They also want to talk about these issues at offsite sessions, twice a year at a minimum, in order to focus. Many board members would say they get so bogged down in some of the management issues they want to step back and talk about the bigger picture so they can execute as a board. That’s a difficult balance for a lot of organizations.
Q: What else can boards do to engage with risk management at the operational level?
Henry Ristuccia: A few common practices that have been shown to be effective include the use of high-level reporting, management information systems and risk dashboards that have summary reporting, stoplight reporting and trend analysis. Boards might track risk issues differently, but many have found risk dashboards helpful in monitoring risks on a more frequent basis. A dashboard usually has the four risk categories I mentioned earlier: strategic risk, operational risk, financial and compliance, sometimes broken down into detail.
Q: What role does culture play for a company trying to improve its risk management programs?
Henry Ristuccia: Culture is important on many fronts. People are brought together to create culture and from that comes innovation. Organizational culture is probably the area least focused on in the marketplace, yet possibly the most important. In traditional enterprise risk management (ERM), culture wasn’t a factor and so it didn’t get the attention it may have deserved. Culture starts at the top of the house, with the tone set by the board, the CEO and the rest of the C-suite, and then it becomes part of the organization’s fabric at the business unit level. Each organization has to strike a balance between performance and prudent risk management dimensions, but we don’t see the cultural aspect of risk focused on by as many organizations as we would like.
That said, more forward-looking organizations recognize the value of culture to the process of risk management. In such organizations risk management isn’t just a process done by a few or by management; rather employees across the board understand what risk is all about and they become risk managers in the business and help put methods in place that can help the organization run itself better and do the right thing.