Many people still view the word “risk” negatively, thinking that is about trying to anticipate bad events and planning how to handle them. They remind me of people who look at weather forecasts strictly to see if there will be rain so they remember to take their umbrella. But a weather forecast provides much more information, such as showing the days when there will be nice weather so you can go bicycling outside or have a barbecue.
Risk is About Managing Uncertainty
The ISO 31000 – Risk Management standard defines risk as the “effect of uncertainty on objectives”, which means that the implementation of any risk management system must begin with a clear determination of corporate objectives. Risk management is not about making a list of all things that could possibly go wrong.
Once corporate objectives are determined, defined and documented, the risk management function can help achieve those objectives by assessing risks that can affect them. Achieving corporate objectives in turn helps the organization create value for its stakeholders, including employees, clients, partners, civil society, shareholders, etc. This is why leading risk practitioners realize that there is a direct alignment between value creation and risk management.
Senior Leaders See the Link Between Value and Risk Management
A recent report by Deloitte, “Taking Aim at Value”, which was featured in our , surveyed 300 senior stakeholders. All respondents were from the C-level or Board, but Chief Risk Officers were excluded in order to see how leaders outside of risk management perceived the function. Respondents were from a range of industries and the survey sampled companies from US$1 billion in revenue and up, including 23% over US$20 billion.
The report confirms that senior leaders perceive risk management as a tool for creating value and optimizing outcomes, not just to avoid losses. Risk management can help determine the right amount of risk to take, i.e. to balance risk and reward, and therefore to pursue the most beneficial opportunities with the least downside.
According to the survey, 87% of organizations recognize that risk management should focus on value creation, not mere risk avoidance. Only 18% are actively harnessing risk to create value, while 49% say they are taking steps to do so, and 20% see the benefit of value-driven focus but have yet to take any steps. Therefore, 67% of organizations are already focussing their risk management efforts on value creation, or in the process of doing so.
Risk Management Drives Value in Many Key Areas
What does “value creation” imply? In the Deloitte report, respondents whose risk management philosophies and programs focus on value creation cite the areas where risk management is delivering significant benefits today. Here are the top five:
- Improving customer loyalty: Cited by 38% of respondents
- Increasing operational resilience: 32%
- Identifying and exploiting new business opportunities: 30%
- Exploiting the power of new technologies: 23%
- Improving cost-effectiveness: 21%
It’s not a surprise that customer loyalty is the most cited area where value is created, because past research from Deloitte and other firms have shown that reputational risk is consistently ranked high among the types of risks on corporate agendas.
In conclusion, the main takeaway is that risk management must be a central part of corporate governance and strategy, not separate. Risk management is about balancing risk and opportunity, not just avoiding threats or losses. Uncertainty can produce both negative and positive outcomes.
A Governance, Risk and Compliance (GRC) platform can help you enable holistic risk management in your organization to adequately prepare for threats and crises. Download The Forrester Wave™: Governance, Risk, And Compliance Platforms, Q1 2016 report and learn more about the 14 most significant GRC vendors.