Deloitte has published an interesting and useful piece, Reimagine Risk: Thrive in your Evolving Ecosystem based on its 2019 survey of risk management. The paper makes some good points, including:

In environments of change, professionals in a range of endeavours often fail to understand risks and their roles in managing them.

A lack of awareness of risks, of people’s roles in controlling them, and of ways to use risk data and new technologies and tools increases the challenges of risk management and undermines the achievement of strategic goals.

Companies that view risk management as among the most important factors for achieving strategic goals tend to achieve higher growth.

Organizations that achieve the greatest gains from risk management show a strong tendency to view the function from a more strategic perspective rather than treating it as a compliance and loss prevention function.

An integrated approach to risk eschews siloed solutions and aims to develop both an enterprise wide view of risk tied to the attainment of key corporate objectives.

In leading organizations, risk management now plays an offensive as well as a defensive role.

Risk management should proactively assist the organization in achieving superior strategy, innovation, and resilience, and not focus solely on avoiding losses and protecting assets.

Risk management’s presence at senior-level meetings increases impact. High-level presence of risk management clearly drives leaders’ confidence in risk data.

Risks are now too dynamic and unpredictable for outdated approaches. Be curious about emerging digital solutions.

Risk management has too much potential as a value-creating function to be viewed as primarily a compliance activity with no direct linkage to the attainment of enterprise objectives.

Deloitte’s 2019 risk management survey

Failure to understand and address enterprise risks holistically is often a result of inadequate processes, skills, systems and tools that effectively support intelligent and informed risk decision-making.

Often, people and organizations are unyielding of change. The natural tendency is to hold on to what we know best and how we have done things in the past.

As a result, instead of continuously scanning the environment for new risks to the business and its strategy we are tempted to believe that the future will turn out to be exactly the same as the past with similar risk exposures.

Effective risk management or decision making is not about building and maintaining a list of risk exposures identified in isolation to the overall strategy and performance of the business.

When organizations approach risk management from a “risks list” perspective, the focus is mostly on what might go wrong as opposed to the risks the organization should take in order to create value and drive business performance.

A business is an ecosystem of connected functions and other stakeholders working together to achieve the organization’s key objectives. The cause-and-effect relationship between the various stakeholders is significant.

Thus, a single decision made by one function or a group of stakeholders can have serious effects on other functions and stakeholders.

Yet despite this direct and indirect relationship between the different business functions and stakeholders, risk management is not always integrated across the enterprise. Risks are managed in silos often culminating in duplication of effort and unproductive use of resources.

Taking a system’s approach to risk thinking and decision-making is key to unlocking value from risk management processes as opposed to embracing a linear thinking approach.

Understand how the various parts of the business interrelate and work together to produce the desired outcomes.

Although compliance and risk management are closely aligned, there is a big difference between the two.

Compliance-related activities ensure the organization is compliant to established rules and regulations, while risk management helps protect organizations from risks that could lead to non-compliance.

Thus, effective risk management is more than a “box ticking” exercise performed solely to satisfy regulators. Though being compliant to prescribed rules and regulations should not be undervalued, in order to inform decision making risk management should be less reactive and more proactive.

In other words, integrate risk into your business and decision support. For example, facilitate periodic risk discussions in order to understand how business functions or units are integrating risk into their business, any opportunities and potential threats to the achievement of their business goals.

To provide effective decision support, the organization must move from a primarily compliance-based and value-protection approach to risk to an approach that also embraces risk-taking for value creation. It’s all about managing the upside and thriving in a constantly changing environment.

Further, in order to optimize results, organizations should avoid paying lip service to risk management and show commitment to intelligent and informed decision making by ensuring that risk management is represented at senior-level meetings to provide business-focused insight.

This does not necessarily mean someone with a CRO designate, as long there is clarity that the individual appointed is responsible for championing the integration of risk into the business, influence strategy and align risk reporting responsibilities.

As risks evolve, the organization must also evolve into an intelligent risk enterprise and ensure adequate processes, people, systems and tools are in place to provide informed decision support to the right people at the right time.