Strategic Risks: How Prepared are CEOs To Respond?
A recent analysis by Deloitte of 400 CEOs and board members from US organizations with $1 billion or more in annual revenues examines executives’ views on four critical strategic risks, including the extended enterprise of third-party partners. While almost two-thirds of CEOs think the risk-management policies of their extended enterprise are weaker than those of their own organizations, more than 50% have no program to establish formal risk-monitoring standards for those third parties. How else do companies measure up in risk-management practices?
Evaluating strategic risks
The report, Illuminating a Path Forward on Strategic Risk, found that 96% of CEOs and board members expect their organizations to face serious threats or disruptions to their growth prospects in the next two to three years. The report, however, says that many are not adequately prioritizing the strategic planning and investment needed to identify, respond to, and mitigate critical risks. It examines executives’ views in four critical risk areas: brand and reputation, culture, cyber, and extended enterprise.
“This survey validates what we’re seeing in the marketplace — that many CEOs and board members are risk-aware but not adequately risk-prepared,” said Chuck Saia, CEO, Deloitte Risk and Financial Advisory, Deloitte & Touche LLP, in commenting on the study. “Leaders know there are threats on the horizon, but many are not viewing or managing them strategically or understanding how threats are interconnected. Many are still using traditional approaches, tools, and technologies to detect and manage threats. Today’s risk environment requires leaders to challenge the status quo, prioritize investments and identify and analyze threats before they emerge. Simply put, accelerating performance and growth requires a different way of thinking about risk.”
Brand, reputation, and culture risk
The survey results show that while organizations are focused on digital transformation and disruptive technologies, many leaders fail to recognize the critical importance of protecting brand and reputation. Only 42% of CEOs and 50% of board members have discussed risks to the organization’s reputation in the past year, and roughly half of respondents (53% of CEOs and 46% of board members) lack the ability to identify events that can damage the organization’s reputation.
Rather than viewing reputational risk as a critical strategic threat, roughly 40% of survey respondents view it merely as a byproduct of breaches and other security incidents, according to the study. Culture risk concerns CEOs and board members least, with only one in five citing it as a top risk. “This is concerning since market value largely stems from intangible assets such as brand equity, intellectual capital, and goodwill,” concludes the Deloitte report.
In addition, about 70% of CEOs acknowledged that their organizations do not regularly report to executive management on culture and conduct risks. Three in four do not intend to improve upon or adopt such a report. “These results are concerning, considering they are the areas over which leadership has significant control and responsibility,” says the report.
Specifically, nearly two in three CEOs and board members surveyed lack a process to identify market signals that indicate a potential culture risk, and only 35% of CEOs plan to invest in these processes in the next 12 months. Fewer than one in three organizations provide regular reports at the CEO and board level on culture and conduct risks. More than half of organizations lack the ability to analyze events and predict their impact on reputation. More than 50% of organizations lack a plan to develop or acquire new tools to manage reputational risks, including crisis-response capabilities.
Cybersecurity a concern
The study showed that while most survey respondents ranked cybersecurity as their greatest area of concern, only 30% indicated they are “highly engaged” in developing the cyber response strategy and governance. Only about 25% of respondents (30% of CEOs and 21% of board members) said their organizations are “actively war-gaming and scenario planning for cyber incidents, even though these are demonstrated methods to assess vulnerabilities and create a crisis response strategy,” says the study.
The study showed that although CEOs and board members agree that the Internet of Things (i.e., the network of physical devices and other items embedded with electronics, software, sensors, actuators, and network connectivity that lets them collect and exchange data) and artificial intelligence pose “significant” risks to their cybersecurity program, they have different views on where to invest to protect against cyber incidents.
To combat cyber threats, executives are mostly aligned on the need for improvement and the areas of investment, according to the study. In particular, they are more likely to invest in security operations and digital transformation, and less likely to invest in enhancing threat intelligence and analytics capabilities. Only 25% of organizations plan to invest in cyber war-gaming and scenario planning in the next 12 months, notes the study, even though these are regarded as leading practices for assessing vulnerabilities and preparing a response.
“How well a board executes cyber governance is indicative of how it oversees its business strategy,” explains the study. It points to the US Securities and Exchange Commission’s recently expanded cybersecurity guidance for public companies, which addresses the responsibilities of senior management and boards in cyber risk oversight.
Third-party risk underestimated
The report also notes that most organizations underestimate the risks posed by the “extended enterprise.” Deloitte defines “extended enterprise” as the collection of vendors, contractors, distributors, suppliers, and other third parties outside the main organization. “Many organizations underrate the importance of extended enterprise risk even though third parties can create exposures as dangerous as those within the organization itself,” noted the study. “Most don’t hold third parties to the same risk standards they set for themselves and this can impact brand, reputation, culture and cyber risks.” The study showed that while almost two-thirds of CEOs think the risk-management policies of their extended enterprise are weaker than those of their own organization, more than 50% have no program to establish formal risk-monitoring standards for those third parties.
Deloitte defines “extended enterprise risk management (EERM)” as the practice of anticipating and managing exposures associated with third parties across the organization’s full range of operations as well as optimizing the value delivered by the third-party ecosystem. “Extended enterprise risk isn’t a risk unto itself. Rather, it’s a combination of diverse risks, and its various degrees of severity are based on the nature of the relationships an organization has with its third parties,” says the study.
Five initiatives for managing extended enterprise risks were selected fairly evenly by survey respondents, with no single method standing out. These were: (1) develop and improve an extended enterprise risk-assessment model; (2) invest in professional development or new talent to manage extended enterprise risk; (3) adopt new technologies to automate extended enterprise risk assessment and monitoring; (4) build resilience programs and preventive mechanisms; and (5) use a managed services model to oversee monitoring of extended enterprise risk.
The study points out that the managed services approach extends beyond traditional “outsourcing” to encompass highly specialized services, solutions, technology and talent that address specific needs. Potential benefits include lower required investment and lower risk than in-house initiatives, as well as industry and domain experience and knowledge transfer. “The approach can be particularly useful during a major change, such as a move to a new business or operating model, or in a rapidly evolving area, such as advanced analytics,” says the report.
Overall take-aways
The Deloitte report concludes “that strategic risks can elude traditional approaches to risk and, when managed ineffectively, they can impair performance and destroy value. Traditional approaches tend to be risk-specific and siloed. They rarely account for the interrelatedness of risks and knock-on effects of risk events. And they can undermine decisions related not only to strategy, but also to the business model, value proposition, mergers and acquisitions, funding, expansion, and R&D decisions.”
“The survey results clearly show that CEOs and board members need to elevate strategic risk as a top priority and understand that there are solutions available to identify, monitor and manage these complex threats,” said Deloitte’s Saia. “An organization’s strategic approach to risks related to reputation, culture, cyber, and extended enterprise can mean the difference between being a disruptor and being disrupted.”