New Deloitte survey has mixed news about risk management effectiveness
Deloitte continues to provide interesting information on risk management, the latest being Exploring Strategic Risk (the link is to a summary, which in turn includes links to an infographic with key results and the full report).
Before exploring their report, I find it interesting that people focus on so-called strategic risks – defined by Deloitte as “those that either affect or are created by business strategy decisions”. Both COSO and ISO refer to risk as the potential effect of uncertainty on objectives, so all risk – if it matters – is strategic!
My conclusion is that (a) people are not going through the necessary exercise of taking each of their strategies and objectives and identifying all risks that might affect their achievement, and (b) they are focusing instead on what might go wrong in their operations (including IT), or might create a loss in their financial portfolio.
This is supported by the principal Deloitte finding: “[only] 81% of surveyed companies now explicitly managing strategic risk – rather than limiting their focus to traditional risk areas such as operational, financial and compliance risk”.
I added “only” because, while some may find it encouraging that 81% have upped their game, a large number (19%) have not.
Another important finding is that only 67% say that “the CEO, board or board risk committee has oversight when it comes to managing strategic risk”. They are either blind to risk that might derail the organization or have delegated it to somebody (such as a CRO) at a subordinate level.
This is a recipe for failure.
The third key finding is that only 13% believe their risk management processes support, at a high level, the ability to develop and execute business strategies. Another 48% believe their processes are adequate.
If this were my company, I would be very concerned!
I am encouraged that 43% are improving their ability to continuously monitor risks. I will close with this excerpt:
“It used to be that if certain risks were to happen, a company could have up to a news cycle to respond,” says Phil Maxwell, Director Enterprise Risk Management, The Coca-Cola Company. “The speed of risks is so much greater now, and as a result you have to be more prepared – faster to respond than you were in the past. That’s one of the biggest differences today versus even three or four years ago.”
I welcome your views and comments.