In a recent survey, Deloitte and Forbes Research evaluated the strategic risk management practices of more than 300 large global businesses. The vast majority of survey respondents (81 percent) said their company explicitly manages strategic risks, which Deloitte defines as risks that affect, or are created by, an organization’s business strategy and strategic objectives. And almost all (94 percent) said they’ve changed the way they approach strategic risk management over the past three years.
Anecdotally, the report quotes Dr. Georg Klein, chief risk and internal control officer, corporate finance and controlling, for Siemens AG, as saying: “In former times, we were very much focused on quantifiable risks and had the tendency to quantify risks in order to report them as part of our enterprise risk management. However, we found that some of the most relevant risks might only have a financial implication after a couple of years, or it might even be quite hard to have a sensible estimate on the financial impact of these risks. So we decided to consciously expand from a pure quantification approach of risks to a more qualitative approach that allows integration of soft data for issues such as regulation, media, or reputation. This provides a more comprehensive picture of the challenges that are in front of the company.”
Who is defining risk management priorities in large companies around the world? The answer varies widely by region. In the Americas, 27 percent of organizations have their strategic risk goals set by the CEO, 20 percent by a company-level risk committee, and 20 percent by a board-level risk committee. In only 14 percent of organizations in the Americas does the board as a whole establish strategic risk priorities. In Europe, the Middle East, and Africa (EMEA), by contrast, more than 50 percent of companies have their board or a board-level committee set strategic risk priorities, and only 9 percent give this responsibility to the CEO. (See Figure 1.)
Companies are improving their strategic risk management in a few key ways. The majority (52 percent) are increasing the frequency with which they monitor and manage strategic risks, as well as increasing their budget for doing so. In fact, 43 percent have started monitoring and managing strategic risks continuously. And 38 percent have increased the number of executives assigned to this area.
The Deloitte report concludes by emphasizing that strategic risks are changing rapidly, as rising technologies such as social media and “big data” mining and analytics techniques may present new threats to organizations’ traditional business models. Deloitte advises: “In an era when risk can become reality in the blink of an eye, companies should seek new capabilities and approaches for managing strategic risk. In particular, they should now consider a much broader set of risks and strategic assets—including people, intellectual property, customers, marketing efforts, and even ‘the crowd.’ These risks and assets are much more difficult to measure, capitalize on, and hedge against—and thus demand a much more systematic and sustained approach to monitoring and managing risk.”