The Two Faces of Risk

Download for Kindle

The Two Faces of Risk

The Two Faces of Risk

Cultivating risk intelligence for competitive advantage

Enlightened executives don’t just worry about bad things that could happen, such as the theft of sensitive customer data. They also sweat the good things that might occur—the next hit product. How well does your organization anticipate and manage the various incarnations of risk?

You needn’t be a seer or sage to perceive risk. It’s as predictable and as devastating as a Florida hurricane and as far-reaching as a corporate scandal. But you do need to be a visionary to see the opposite side of the risk coin, the one that lands face down after you flip. The underside represents opportunity, competitiveness and growth.

What do these things have to do with risk? Quite a bit, in fact.

Rewards, and lack thereof

Traditional approaches to risk management emphasize mitigation, focusing on the readily apparent risks facing a company in the areas of security, privacy, credit, regulatory, technology, fraud and more. These threats are, of course, important and must be addressed.

But enlightened risk managers (and we are talking about the entire C-suite here, not just the chief risk officer) don’t worry just about the bad things that could happen, such as the theft of sensitive customer data. They also consider the good things that might occur, like introducing a hit product to the marketplace. While it’s important to evaluate potential crises, it’s equally critical to consider risks that are linked to success so you can capitalize on opportunities. What if, for example, your factory doesn’t have the production capacity to meet the demand for your new blockbuster product? You’ve just squandered an opportunity.

We call these two faces of risk “rewarded risk” and “unrewarded risk.”

Unrewarded risk represents what poker players call “table stakes”: you’ve got to ante up just to get into the game. The ante, of course, doesn’t guarantee success; it only ensures that a hand of cards will be dealt to you. Numerous examples of unrewarded risk appear in business. For instance, every public company in the United States must comply with payroll tax withholding laws, observe OSHA health and safety requirements, and pay bills when they come due. Yet companies that perform all of these tasks in a timely and competent manner don’t see their share prices surge as a result. These kinds of activities simply meet expectations of shareholders, regulators, suppliers, analysts and other stakeholders. The attendant risks can’t be ignored, but the primary incentive for addressing them is value protection, not value creation.

Conversely, rewarded risks represent the strategic bets that you place during your poker game. You’ve assessed your hand, sussed out the competition and wagered a stack of chips with the expectation of raking in many more than you’ve laid out. In business, rewarded risks are those bets you make as you develop new products, enter new markets or acquire new companies. The primary motivation for taking rewarded risks is to spur value creation.

Fixate on just one side of the coin and you’ll get a one-sided result. Focus on value creation (rewarded risk) to the exclusion of value protection (unrewarded risk) and you’ll quickly find yourself on the slippery slope of noncompliance, litigation, reputational risk and other nastiness. Similarly, address only unrewarded risk and ignore rewarded risk, and your company may survive but will never thrive.

In acknowledgement of these two faces of risk, we have coined the following business maxim:

“Organizations that are most effective and efficient in managing risks to both existing assets and to future growth will, in the long run, outperform those that are less so. Simply put, companies make money by taking intelligent risks and lose money by failing to manage risk intelligently.”

Why you should care

If risk is not on your radar screen, it’s time to upgrade your detection equipment. A convergence of factors has converted risk management programs from a “nice to have” option to a “can’t live without” imperative. These factors include the following.

Regulatory pressures have increased: The New York Stock Exchange now requires the audit committees of all listed companies to evaluate the risk management practices of the company.

Stakeholders are flexing their muscles: Institutional investors now routinely include risk management considerations in their investment decisions. Money will gravitate toward those companies with sound practices in place.

The cost of capital is impacted: Moody’s and Standard & Poor’s now include enterprise risk management (ERM) capabilities in their evaluation criteria. Companies deemed deficient can face an increase in the cost of capital.

The Internet has changed the game: When news, data and even cell phone video clips can traverse the globe in mere seconds, the ability of companies to discreetly deal with threats to their reputation has eroded.

Corporate risk has become personal: The out-of-pocket settlements in recent shareholder lawsuits have directors and executives clutching their wallets all across the country.

The failure taboo

If your executive suite is like most, you’ll hear little talk of failure around the boardroom table. Failure is simply taboo. Only “negative thinkers” and “naysayers” raise the specter of something going wrong, usually at their own peril. Instead, discussion usually centers on the positive aspects of the company’s strategy and the need to rally around said strategy, with scant consideration of the downside possibilities.

But at some point, you’ve got to push the head-nodders and the yes-people aside because it’s time to put failure on the agenda. Only by first acknowledging and then analyzing risks and uncertainties that threaten the achievement of corporate objectives can companies manage them effectively. Only by challenging the assumptions that underlie strategic planning can the prospect for success be strengthened. Only by recognizing the potential for failure can failure itself be avoided.

Organizations that don’t address failure in advance often find themselves feeling the effects later. Consider, for example, the hypothetical case of a successful American consumer products company about to make its first foray overseas. Perhaps blinded with enthusiasm over its expansion, the company makes some critical erroneous assumptions.

For one, it presumes that its new consumers are essentially non-English speaking clones of American customers, with the same needs and preferences. Based on this flawed assessment, the company creates a marketing campaign around colorful packaging and eye-catching floor displays, assuming these are major drivers of consumer behavior. Unfortunately, in this new territory, consumers prefer minimal adornment and look askance at garishly displayed goods. The company also presumes that it can severely undercut the competition on price, but soon learns that that loss-leader pricing is illegal. And finally, the company offers discount coupons in exchange for customer names and email addresses, only to discover that its new customers jealously guard their privacy and are reluctant to divulge personal data.

Organizations that are most effective and efficient in managing risks to both existing assets and to future growth will, in the long run, outperform those that are less so. Simply put, companies make money by taking intelligent risks and lose money by failing to manage risk intelligently.

This failure to anticipate and investigate the potential negative consequences of its overseas expansion proves a painful lesson, as evidenced by weak sales figures, scant market penetration and, ultimately, withdrawal from the country altogether. The cost of this folly? In the tens of millions.

For many companies, the failure to imagine failure represents a gaping void. Fundament questions that must be asked, not avoided, including the following.

What could cause us to fail in:

  • attaining and sustaining revenue growth?
  • increasing our operating margins and improve the efficiency of our assets?
  • meeting the expectations of our key stakeholders?

By asking these questions, and by understanding how the enterprise can fail, planners and decision-makers can then decide how to prevent it, how to more readily detect early warning signs and how to implement course corrections.

This capacity to imagine and then prevent failure must be built into the strategic planning process. Organizations need to be intelligent about the risks they take to gain and sustain competitive advantage as well as the risks they avoid or mitigate to protect their existing assets.

The Risk Intelligent Enterprise

We describe this type of organization as the Risk Intelligent Enterprise. These exceptional organizations have attained a high state of risk management capabilities. A Risk Intelligent Enterprise displays characteristics such as the following:

It develops full-spectrum vision: An abundance of risks assault companies every day, including compliance, competitive, environmental, security, privacy, strategic, reporting and operational risk. Yet, in our experience, it’s the rare company that keeps them all in view. For example, financial services companies may have a comprehensive grasp of interest rate, currency and credit risk, but how many are prepared to deal with a flu pandemic that incapacitates a large percentage of its workforce? While acknowledging that there’s no such thing as perfect protection, a Risk Intelligent Enterprise adopts management strategies that address the full spectrum of risks.

It bridges silos:There’s nothing wrong with risk specialization. In fact, in today’s high-risk environment, deep knowledge of specific risks and responses is essential. But problems arise when risk specialists work in divisional or geographic isolation, unaware of each other’s activities. Risk Intelligent Enterprises systematically build bridges between these risk “silos” to open lines of communication and share information. This entails more than a couple of risk managers meeting over an occasional cup of coffee. To gain what we call a “portfolio view” of risk, a risk management “charter” should be established that calls for the full roster of specialists to conduct meetings that are frequent, formal, structured and documented. Management and the board should be regularly apprised of these meetings and any outcomes.

It speaks a common language: One byproduct of the tendency of risk specialists to work in silos is that this insular world becomes its own ecosystem, with its own language, customs and metrics. This results in a fragmented view of risk, confusion for those outside the silo and a duplication of effort for risk assessment activities. Risk Intelligent Enterprises develop common risk terminology so that everyone in the organization speaks the same language. These companies also adopt similar metrics so that the risks facing one division can be reliably compared to those facing other segments of the company.

It assesses impact: With companies facing a nearly infinite number of risks, planning for every single one is a near-impossibility. Instead, we recommend that business leaders focus on the finite impacts that could result from multiple threats. For example, a terror attack, a hurricane, and a transit strike are three unrelated risks that can all have a similar outcome, preventing people from getting to work. Addressing the impact rather than the cause allows one contingency plan to accommodate multiple threats.

Only when risk management practices are
infused into the corporate culture, so that strategy and decision-making evolve out of a risk-informed process, can a company truly be considered risk intelligent.

It cultivates risk consciousness: If risk management is thought of as something that internal audit handles or that corporate counsel worries about or that the chief risk officer has under control, chances are that significant exposure remains. Rather, risk management should be considered an organization-wide responsibility and competency. Only when risk management practices are infused into the corporate culture, so that strategy and decision-making evolve out of a risk-informed process, can a company truly be considered risk intelligent. Those who traditionally focus on strategy while leaving risk considerations to others — the CEO, the CFO, the board, and other key executives — need to develop a risk consciousness of their own.

It pursues risk-taking for reward: As noted earlier, Risk Intelligent Enterprises practice not only risk mitigation but also risk-taking as a means to value creation. These companies value the ability to capitalize on market opportunities as highly as they do preparedness for potential disruptions. In other words, a risk intelligent approach is not simply about bad outcomes to be avoided but also about good outcomes to be attained.

Eavesdropping on the risk conversation

Our risk-related conversations with business executives generally take one of two tracks:

“ERM? Yeah, we’re doing that.”

To which we usually answer: “No, you’re not.”

To explain, we break down the term “Enterprise Risk Management.” We start with the first word, “Enterprise,” which, by definition, encompasses the entire organization. Yet rarely do risk management activities transcend corporate boundaries. An actuary or analyst, holed up in an office, may be practicing “RM,” but in the absence of coordination with other risk managers, the “E” cannot appropriately be appended to that description.

“Risk,” as we have defined it above, comes in two flavors, rewarded and unrewarded. If a company only focuses on one aspect of risk, as do most, it is ignoring an area of significant concern and thus not truly being risk-intelligent.

And, finally, “Management” implies a certain level of efficiency and effectiveness of activity. But if companies have neither the entire organization in line nor the full spectrum of risks covered, “management” seems like an overly generous description.

Thus, a company’s claim that it is “doing” ERM is summarily exposed.

Next we encounter response No. 2:

“ERM? I don’t have the time or the resources to take on another huge project.”

To which we reply: A program to bring risk intelligence to your organization doesn’t have to be a massive and expensive undertaking. In fact, we recommend just the opposite: small steps to bring about meaningful change.

Striding toward risk intelligence

Here are the first few paces that put companies on the path to risk intelligence. Some are simple and intuitive while others are more complex and challenging. But all represent small steps leading to a big reward.

Try tackling one per week or one per month.

  1. Think through risk. Read everything you can and determine how it applies to your situation.
  2. Get risk into the conversation. Engage peers, superiors, and subordinates. Talk it up to the executives and the board. Don’t miss an opportunity to discuss risk and risk intelligence.
  3. Have a one-day offsite meeting to address risk.
  4. Create crisis response and escalation procedures. Who is monitoring the early warning signs? Who needs to know what when? Who’s in charge?
  5. Go for growth but imagine failure and how you can overcome it. Challenge your most basic business assumptions. What could cause you to fail?
  6. Differentiate between rewarded versus unrewarded risk. What risks do you need to take to be successful? What risks do you need to avoid?
  7. Improve risk knowledge. Share intelligence and understand the inter-dependencies.
  8. Stress-test your resilience under different scenarios. Improve flexibility to deal with uncertainties.
  9. Focus on finite effects versus infinite causes. Understand critical assets and dependencies and how long you can go without them.
  10. Prioritize. Focus on the vital few versus the trivial many. Don’t “boil the ocean.”
  11. Speak the same language. Harmonize (ensure risk managers all speak the same language), synchronize (coordinate across institutional boundaries) and rationalize (eliminate duplication of effort) existing risk management functions to drive down the cost of good risk management.

And don’t forget the two faces of risk. You are in business to make money, to increase shareholder value, to beat the competition. Consider the risks that could prevent you from achieving these objectives. Risk-taking for reward is a fundamental premise of capitalism. Use risk intelligence to make good things happen.

About The Authors

Steve Wagner

Steve Wagner is the managing partner for Deloitte & Touche LLP’s U.S. Center for Corporate Governance and the innovation leader for its Audit and Enterprise Risk Services practice.

Mark Layton

Mark Layton is a partner at Deloitte & Touche LLP and global leader for Enterprise Risk Services.

The two faces of risk
Cover Image by Anthony Freda