Exploring Strategic Risk - Deloitte
Exploring Strategic Risk300 executives around the world saytheir view of strategic risk is changing
Contents3Executive summary5Strategic risk emerges as a key focus for businesses around the world6Companies changing how they manage strategic risks7Risk management now being integrated with business strategy8Boards and CEOs driving strategic risk management9Reputation cited as the #1 risk10Emerging technologies have the power to disrupt business models13New technologies drive new business strategies14Companies make specific improvements to strategic risk management16Organizations tackle social media risks both internally and externally17Companies invest in strategic assets to reduce risk18Hurtling forward19About the studyThe findings in this report are based on a global survey of over 300 respondents fromthe Americas (33%), Europe/Middle East/Africa (33%), and Asia/Pacific (34%). Nearlyall respondents were C-level executives (263), board members (22) or specialized riskexecutives (21). Surveyed companies came from all five major industry sectors (consumer/industrial products (C&IP), life sciences/health care (LS&HC), technology/media/telecommunications (TMT), energy/resources (E&R) and financial services (FS), and all hadannual revenues in excess of US 1 billion (or equivalent).Additional detailed insights were obtained from personal interviews with executives fromeight leading companies, with a balanced mix of representation from major industriesand global regions. For more information, visit www.deloitte.com/strategicrisksurvey.2Exploring Strategic Risk: A global survey
Executive summaryBusiness executives around the world say theirunderstanding of the universe of strategic risk ischanging. Here’s how.Managing risk effectively has always been a touchstoneof the most successful companies. But in today’s risk-filledbusiness environment, it can be hard for executives to haveconfidence that their plans and strategies will play out asexpected. A big reason is that strategic risks – those thateither affect or are created by business strategy decisions– can strike more quickly than ever before, hastened alongby rapid-fire business trends and technological innovationssuch as social media, mobile and big data. Companies thatfall behind on the innovation curve may quickly fall prey toinnovation’s evil twin – disruption. That is just one of thereasons managing strategic risk has become a high priorityfor many executives.“It used to be that if certain risks were to happen, a companycould have up to a news cycle to respond,” says Phil Maxwell,Director Enterprise Risk Management, The Coca-ColaCompany. “The speed of risks is so much greater now,and as a result you have to be more prepared – faster torespond than you were in the past. That’s one of the biggestdifferences today versus even three or four years ago.”In a recent study, we uncovered significant evidence thatmany other businesses around the world are also adoptinga new view of the risk universe. The study, conductedin the spring of 2013 by Forbes Insights, on behalf ofDeloitte, was a global survey of strategic risk managementpractices at more than 300 major companies around theworld. In the survey, Deloitte wanted to better understandhow businesses can manage strategic risk more effectively– both now and in the future. The survey explored awide range of issues and questions, including: To whatextent are companies considering and addressing riskswhen developing and evaluating their business strategies?What new risks do their strategies create? Which strategicrisks are critical to avoid – or essential to take? What isthe strategic impact of new technologies, and whichinvestments are essential to managing risks and exploitingnew opportunities? Also, even if a company’s strategy isexecuted flawlessly, what other risks could undermine thebusiness? Focus areas of the survey included the alignmentof strategy and risk, monitoring strategic investments, andemerging views of strategic risk management.While some findings reinforced what many already believe,there were also some surprises. Here are a few of ourkey findings: Strategic risk has become a major focus, with 81% ofsurveyed companies now explicitly managing strategicrisk – rather than limiting their focus to traditional riskareas such as operational, financial and compliancerisk. Also, many companies are taking a broad view ofstrategic risk that doesn’t just focus on challenges thatmight cause a particular strategy to fail, but on any majorrisks that could affect a company’s long-term positioningand performance.Exploring Strategic Risk: A global survey3
Most companies are not just making strategic riskmanagement a higher priority; they are changing howthey do it. In fact, nearly all respondents (94%) havechanged their approach to strategic risk managementover the past three years. The numbers were slightlyhigher in Asia/Pacific (96%) and slightly lower in Europe/Middle East/Africa (EMEA) (91%). A key improvement is that more and more companies areintegrating strategic risk analysis into their overall businessstrategy and planning processes – and the integrationseems to be working. Among the companies surveyed,61% now believe their risk management programsare performing at least adequately in supporting thedevelopment and execution of business strategy. Strategic risk management is a CEO and board-levelpriority. Two thirds (67%) of the surveyed companies saythe CEO, board or board risk committee has oversightwhen it comes to managing strategic risk. Reputation risk is now the biggest risk concern, due inlarge measure to the rise of social media, which enablesinstantaneous global communications that make itharder for companies to control how they are perceivedin the marketplace. Other technologies are also having a major impact onthe business and risk landscape. The majority of surveyedcompanies (53%) believe technology enablers anddisrupters such as social, mobile, and big data couldthreaten their established business models, and 91% havechanged their business strategies since those technologiesbegan to emerge. The technologies have had their biggestimpact in three sectors: TMT (97%), C&IP (96%), and LifeSciences (94%). Regionally, the biggest impact was in Asia/Pacific, where 98% of respondents report having changedtheir business strategies. Three years from now, human capital and the innovationpipeline are expected to be the top strategic assets thatbusinesses will need to invest in.We have witnessed an information explosion in the pastdecade – what Tom Friedman of The New York Timesrecently called “the Great Inflection”1 – a hyper-connectedworld grounded in social media, cloud computing, 4Gwireless, ultra-high-speed bandwidth, system-on-a-chip(SOC) circuits, mobile devices, tablets, etc. Managing dman-its-pq-and-cqas-much-as-iq.html?partner rssnyt&emc rss14Exploring Strategic Risk: A global surveyin this new business universe requires much more thanlistening to customer feedback. The accepted informationhierarchy – including established newspapers and mediaoutlets – has rapidly given way to a multidimensionalinformation matrix where no single voice dominates.Information and opinions of all kinds are easier to access –yet more difficult to evaluate and control.In response to these issues and trends, companies aremaking a deliberate effort to improve their strategic riskmanagement capabilities and performance.Traditional approaches for managing risk tend to focuson monitoring leading financial indicators as well as theevolving regulatory environment. However, because theyare generally grounded in audited financial statements, theresulting risk strategies and hedges are largely driven byprior performance and past negative events – and do notnecessarily serve to detect future strategic risks or predictfuture performance. As such, they are more focused onprotecting value than creating it.This report takes a closer look at our survey findings,and offers deep insights into what companies in mostmajor industries and regions around the world are doingto manage strategic risk more effectively – and howthey are using strategic risk management as a tool tomake decisions with more confidence and create greaterbusiness value.Four types of riskThroughout this report, we will refer to four maincategories of risk that Deloitte considers to be broadlyconsistent with the way many companies think about risk. Strategic risks are risks that affect or are created byan organization’s business strategy and strategicobjectives. Operational risks are major risks that affect anorganization’s ability to execute its strategic plan. Financial risks include areas such as financialreporting, valuation, market, liquidity, and credit risks. Compliance risks relate to legal and regulatorycompliance.
Strategic risk emerges as a key focusfor businesses around the worldThe survey shows that the vast majority of companies (81%) are now explicitly and actively managing strategic risks – andthe results were quite consistent across all regions and industries. What’s more, many companies are taking a broaderview that doesn’t just focus on the risks that might cause a particular strategy to fail, but on whatever key risks couldaffect a company’s long-term positioning and performance.Q. Does your organization have an explicit focus on managing strategic risks?Total respondentsNoAmericasEurope/Middle East/Africa83% Yes17% No79% Yes21% NoAsia/Pacific19%Yes 81%“Risk is at the forefront of everybody’s thinking,” says RetoJ. Kohler, Managing Director, Head of Strategy, Corporate& Investment Banking, Barclays. “When we develop astrategy we think about the risks associated with it, butalso what [business] risks are minimized by following thatparticular strategy.”“When you are dealing with risks, Corporate Managementshould proactively focus on strategic and transversal risksand Business Units are responsible for managing the risksthey own,” says Elisabeth Pacaud, Associate Vice President,Group Risk Management at Sanofi. “A strategic risk is onethat directly impacts the company’s identified strategicgoals whether they are diversification, innovation, oremerging countries.”81% Yes19% NoManaging strategic risks effectively can do more thanjust protect value by avoiding potential downsides; itcan actually help create value by taking advantage ofuncertainty and volatility to maximize gains and improvecompetitive positioning.“Risk is uncertainty, “says Sandra G. Carson, VP, EnterpriseRisk Management and Compliance, Sysco Corporation.“But we have to take risks to get to our goals, especiallyduring changing times. So strategic risk is not just thenegative impact of risk but also the sub optimization ofgain. I think companies that figure out both the valueprotection and value creation part of risk are going to setthemselves up for success.”Exploring Strategic Risk: A global survey5
Companies changing how theymanage strategic risksCompanies aren’t just increasing their focus on managing strategic risks; they are changing how they do it. In fact, nearlyall respondents (94%) have changed their approach to strategic risk management over the past three years. The numberswere slightly lower in EMEA (91%) and slightly higher in Asia/Pacific (96%).Q. Has your approach to managing strategic risks changed in the last three years?Total respondentsAmericasEurope/Middle East/AfricaAsia/PacificYes94%No 6%94% Yes06% No691% Yes09% No96% Yes04% NoStrategic risk management is “not about doing it the waywe’ve always done it,” says Jennifer Evans, Chief RiskOfficer Australia, ANZ, “but to have creative and innovativethinking around defining what the strategic risks are.”approach that allows integration of soft data for issuessuch as regulation, media or reputation. This provides amore comprehensive picture of the challenges that are infront of the company.”“In former times, we were very much focused onquantifiable risks and had the tendency to quantify risksin order to report them as part of our enterprise riskmanagement,” says Dr. Georg Klein, Chief Risk & InternalControl Officer, Corporate Finance and Controlling,Siemens AG. “However, we found that some of the mostrelevant risks might only have a financial implicationafter a couple of years or it might even be quite hard tohave a sensible estimate on the financial impact of theserisks. So we decided to consciously expand from a purequantification approach of risks to a more qualitative“We’ve evolved in our thinking about strategic risk,” saysSysco Corporation’s Sandra G. Carson. “When we startedout, we were trying to figure out the process. Now, as ourprogram and this discipline around enterprise risk evolves,so too does our thinking around strategic risks. We havea specific process that drives our enterprise risk discipline,and our strategic risk investments are determined by thisprocess. It is flexible enough to change and stay relevant,but also structured enough to provide value and be takenseriously.”Exploring Strategic Risk: A global survey
Risk management now beingintegrated with business strategyPerhaps the biggest change is that more companies are integrating strategic risk analysis into their overall businessstrategy and planning processes. And their efforts seem to be paying off. The survey results show that 61% of companiesnow believe their risk management programs are performing at least reasonably well in supporting the development andexecution of business strategy. The numbers are lower in EMEA (51%) and slightly higher in the Americas (67%) and Asia/Pacific (63%). That’s not to say there isn’t significant room for improvement. According to the overall results, only 13%of companies rate their risk management programs 5 out of 5 in terms of supporting the development and execution ofstrategy, and 40% consider them inadequate. The results are significantly worse in EMEA, where only 5% rate their riskmanagement programs 5 out of 5 and 49% rate them inadequate.Q. On a scale of 1 to 5, how well do you think your risk management program supports yourability to develop and execute your business strategy? (5 indicates very well)Total respondents1 21%53AmericasEurope/Middle East/AfricaAsia/Pacific8%31%13%448%33% Not as well67% Well/Very well49% Not as well51% Well/Very well1-3 Not as wellCisco is also making a deliberate effort to integrateenterprise risk management with the business. “In the past,we collected information via an assessment or a survey.However, we wanted to develop more of a consultativeapproach to ERM, as opposed to just filling out a survey,”says Valerie Spillman, Senior Manager, Enterprise RiskManagement, Cisco Systems. “We are working towards a37% Not as well63% Well/Very well4-5 Well/Very wellclosed-loop approach with the business where we collectinformation but also prove to be an enabler and value-addfunction. ERM is currently performing a deeper dive onenterprise risks to further validate quantifying the risk anddetermining what action plans, if any, are in place or needto be in place to better manage the risk.”Exploring Strategic Risk: A global survey7
Boards and CEOs driving strategicrisk managementTwo thirds (67%) of the surveyed companies say the CEO, board or board risk committee has oversight over strategicrisk. In EMEA, CEO direction is much lower than average and board direction is higher. Top-level oversight is particularlycommon at consumer companies, followed by companies in financial services and TMT.Q. Who primarily determines your company’s approach to managing strategic risk?Total respondentsC&IP25%23%19%17%17%Board-levelrisk committeeCEOBoardCompany-levelrisk committeeOther28% 27% 25% 13% fic28%14%At Pola Orbis Holdings “the board of directors isresponsible for setting the approach to risk managementstrategy after screening by the Group’s Corporate SocialResponsibility (CSR) officers, because the Group hasmultiple business operations and it’s necessary to set theapproach to strategic risk from different angles,” says AkiraFujii, the company’s director of PR/IR and CSR. “Each groupcompany determines risks and takes measures to meettheir business needs. Important matters – including the riskstrategy of each group company – will be discussed anddecided at Pola Orbis Holdings’ board meetings.”Exploring Strategic Risk: A global survey23% 23% 20% 10% 24%TMT31%“We have heavy involvement from the executives, thesenior leadership team, and the board,” says Sandra G.Carson of Sysco. “When I talk about enterprise risk, that’sreally top-down for us.”828% 20% 19% 18% 14%LS&HCEurope/Middle East/Africa28%29% 29% 10% 10% 22%11%15%33% 17% 13% 7% 30%“Our risk management policy is set by our managingboard,” says Siemens AG’s Dr. Georg Klein. “On the otherside, the organizational and accountability structure isprimarily set around Siemens’ four sectors: Energy, Industry,Infrastructure & Cities and Healthcare. Sector managers,together with regional clusters and corporate units,implement risk management programs that are tailored totheir specific industries and responsibilities, yet consistentwith the overall policy established by the managing board.”Today’s high level of CEO and board involvement is aclear indicator of the growing importance of strategic riskmanagement.
Reputation cited as the #1 riskReputation is now rated as the highest impact risk area – not just overall, but for most individual sectors as well. Threeyears ago, reputation was already the top risk area in financial services – and remains so today. However, in the energysector, for example, reputation risk wasn’t even in the top five three years ago, but today is number one – perhaps fueledby headlines about fracking, oil spills, and the Alberta tar sands. A similar rise in reputation risk has occurred in life sciencesand health care, likely driven by health care reform efforts in the U.S. and ongoing concerns about the skyrocketing cost ofpharmaceuticals and health services.Q. Which of the following risk areas have the most impact on your business strategy (threeyears ago, today, and three years from now)?*2010Today201641% Brand40% Reputation29% Economic32% Business26% Business28% Economictrends26% Reputationmodel27% Economictrends Competition“Business Strategy integrates the environmental changes.The emergence of new communication models such asmobile, social networks is one of these key changes whichmight impact reputation in different and faster modesthan before,” says Sanofi’s Elisabeth Pacaud. “Therefore,as other companies we have had to adapt our vigilanceon risks impacting reputation to ensure they are accuratelyanticipated and proactive controlled.”According to the companies interviewed, socialtechnologies are one of the main factors driving risingconcerns about reputation. Given the speed and globalreach of social media, companies today are at much greater*Respondents could choose more than one answer; the top three areshown above.trendsmodel24% Reputation Competitionrisk of losing control over how they are perceived in themarketplace2.“One of the big changes in recent years is speed tomarket,” says ANZ’s Jennifer Evans. “As a consequenceof social media, reputations built up over decades canbe challenged in an instant. Customers are able to makedecisions on an organization based on social mediacomment, potentially well before your ability to be able todefend or articulate a response.”2To view industry results, visit www.deloitte.com/strategicrisksurveyExploring Strategic Risk: A global survey9
Emerging technologies have the powerto disrupt business modelsThe majority of surveyed companies (53%) believe technology enablers and disrupters are emerging that won’t justaffect their business results b
an organization’s business strategy and strategic objectives. Operational risks are major risks that affect an organization’s ability to execute its strategic plan. Financial risks include areas such as financial reporting, valuation, market, liquidity, and credit risks. Compliance risks relate to legal and regulatory compliance.
XaaS Models: Our Offerings @DeloitteTMT As used in this document, "Deloitte" means Deloitte & Touche LLP, Deloitte Tax LLP, Deloitte Consulting LLP, and Deloitte Financial Advisory Services LLP. These entities are separate subsidiaries of Deloitte LLP. Deloitte & Touche LLP will be responsible for the services and the other subsidiaries
Deloitte & Touche South Africa is referred to throughout this report as Deloitte South Africa, and Deloitte Pan African Trust is referred to throughout this report as Deloitte Africa. Deloitte Africa holds practice rights to provide professional services using the Deloitte name which it extends to Deloitte entities within its territory,
May 02, 2011 · Deloitte & Touche LLP Cleveland, Ohio 1 216 589 5717 tgriffiths@deloitte.com Theresa Cui . Engagement Consultant . Deloitte & Touche LLP . Cleveland, Ohio Cleveland, Ohio 1 216 589 5018 1 216 . tcui@deloitte.com . Kathie Schwerdtfeger Advisory Principal Deloitte & Touche LLP . Austin, Texas 1 512 691 2333 . kschwerdtfeger@deloitte.com .File Size: 720KB
Knabe, Andrea Consulting Deloitte Consulting LLP Chicago Kwan, Anne Consulting Deloitte Consulting LLP San Francisco . Miller, Christian L. Tax Deloitte Tax LLP Washington DC . Smith, Sandra Consulting Deloitte Consulting LLP Chicago Spangrud, Chad Audit & Assurance Deloitte & Touche LLP Costa Mesa Springs, Christanna R. Tax Deloitte Tax .
** Deloitte Risk Advisory, Löffelstrasse 42, D-70597 Stuttgart, Germany, anlanger@deloitte.de *** Deloitte Legal, Schwannstraße 6, 40476 Düsseldorf, Germany, fwesche@deloitte.de **** Deloitte Risk Advisory, Löffelstrasse 42, D-7059
As used in this document, "Deloitte" means Deloitte & Touche LLP, which provides audit, assurance and risk management related services, Deloitte Consulting LLP, which provides strategy, operations, technology, systems, outsourcing and human capital consulting services, Deloitte Tax LLP, which provides tax services, and .
2 Exploring Strategic Risk: A global survey 3 Executive summary 5 Strategic risk emerges as a key focus for businesses around the world 6 Companies changing how they manage strategic risks 7 Risk management now being integrated with business strategy 8 Boards and CEOs driving st
Exploring Strategic Risk - A South African context 5 Four types of risk In our experience, there are generally four main categories of risk that are consistent with how many companies think about risk. Strategic risks are risks that affect or are created by a
