In a recent survey, Deloitte and Forbes Research evaluated thestrategic risk management practices of more than 300 large globalbusinesses. The vast majority of survey respondents (81 percent)said their company explicitly manages strategic risks, whichDeloitte defines as risks that affect, or are created by, anorganization's business strategy and strategic objectives. Andalmost all (94 percent) said they've changed the way they approachstrategic risk management over the past three years.

Anecdotally, the report quotes Dr. Georg Klein, chief risk andinternal control officer, corporate finance and controlling, forSiemens AG, as saying: “In former times, we were very much focusedon quantifiable risks and had the tendency to quantify risks inorder to report them as part of our enterprise risk management.However, we found that some of the most relevant risks might onlyhave a financial implication after a couple of years, or it mighteven be quite hard to have a sensible estimate on the financialimpact of these risks. So we decided to consciously expand from apure quantification approach of risks to a more qualitativeapproach that allows integration of soft data for issues such asregulation, media, or reputation. This provides a morecomprehensive picture of the challenges that are in front of thecompany.”

Who is defining risk management priorities in large companiesaround the world? The answer varies widely by region. In theAmericas, 27 percent of organizations have their strategic riskgoals set by the CEO, 20 percent by a company-level risk committee,and 20 percent by a board-level risk committee. In only 14 percentof organizations in the Americas does the board as a wholeestablish strategic risk priorities. In Europe, the Middle East,and Africa (EMEA), by contrast, more than 50 percent of companieshave their board or a board-level committee set strategic riskpriorities, and only 9 percent give this responsibility to the CEO.(See Figure 1.)

Companies are improving their strategic risk management in a fewkey ways. The majority (52 percent) are increasing the frequencywith which they monitor and manage strategic risks, as well asincreasing their budget for doing so. In fact, 43 percent havestarted monitoring and managing strategic risks continuously. And38 percent have increased the number of executives assigned to thisarea.

The Deloitte report concludes by emphasizing that strategicrisks are changing rapidly, as rising technologies such as socialmedia and “big data” data mining and analytics techniques maypresent new threats to organizations' traditional business model.Deloitte advises: “In an era when risk can become reality in theblink of an eye, companies should seek new capabilities andapproaches for managing strategic risk. In particular, they shouldnow consider a much broader set of risks and strategicassets—including people, intellectual property, customers,marketing efforts, and even 'the crowd.' These risks and assets aremuch more difficult to measure, capitalize on, and hedgeagainst—and thus demand a much more systematic and sustainedapproach to monitoring and managing risk.”