Strategic risk assessment is becoming a crucial practice for an increasing number of companies. Seeking some best practices, Deloitte consultants surveyed 200 CEOs and 200 board members on how leaders and managers can improve their risk management capabilities.
Almost all respondents in the Deloitte study—95 percent of CEOs and 97 percent of board members—said they believed their organizations would face serious threats or disruptions in the next two to three years.
Diving in deeper, the survey asked respondents which types of threats would pose the most risk to their organization’s growth. The two most serious threats were new disruptive technology (cited by 35 percent of respondents) and cyberattacks (27 percent). The other top threats cited were the organization’s key business partners (26 percent), brand or reputational damage (24 percent), and an unhealthy organizational culture.
In general, the study found that “leaders tend to focus on current, isolated, tactical risks rather than emerging strategic risks. And they generally take reactive rather than proactive measures,” according to the report. The survey responses revealed that many organizations are falling short in these areas: investment in technology that aligns with strategy, engagement from board members and senior management, and alignment of risk and risk officers within an organization.
The study also examined risk in four crucial areas of the operations: cyber and technology, extended enterprise (such as working with third-party vendors), culture, and brand/reputation.
For example, in the cyber sector, although most respondents believed cybersecurity was a major concern, only 30 percent of the CEOs and board members combined described themselves as highly engaged in the area. The study recommends that more CEOs and board members should be engaged in dealing with this risk.
“Increasing dependence on technology calls for more intensive leadership engagement through such practices as war-gaming participation, scenario planning, threat intelligence reviews, and a basic understanding of advanced analytics,” the report says.
Too often, the study found, companies manage cyber risk by doubling down on technology. “They believe a tech-centric threat calls for tech-centric investments,” the report says. Instead, business leaders should take a broader and more integrated view, and consider strategic risk through the lens of governance, talent, and reputation, and how it might affect these areas of operations.
In general, the study recommended the following practices to leaders to stay ahead of the curve: Proactively position the organization so that it can address significant risks; apply the right technology to risk data, insights, and predictive analytics; adopt integrated risk reporting and governance; and establish CEO and board member alignment to drive informed decisions.
“Leaders who manage strategic risks effectively are better able to navigate disruption, accelerate performance, and gain competitive advantage,” the study says