US business leaders say that their organizations are risk-aware but not adequately risk-prepared...
- Published: Monday, 15 October 2018 08:24
In a survey report released by Deloitte, almost all (96 percent) of CEOs and board members say that they expect their organizations will face serious threats or disruptions to their growth prospects in the next two to three years. Despite that, many are not adequately prioritizing the strategic planning and investment needed to identify, respond to and mitigate critical risks.
‘Illuminating a path forward on strategic risk’, a survey of 400 CEOs and board members from US organizations with $1 billion or more in annual revenue, explores the leaders' posture on four critical and interconnected strategic risks:
- Brand and reputation;
- Extended enterprise.
"This survey validates what we're seeing in the marketplace - that many CEOs and board members are risk-aware but not adequately risk-prepared," said Chuck Saia, CEO, Deloitte Risk and Financial Advisory, Deloitte & Touche LLP. "Leaders know there are threats on the horizon, but many are not viewing or managing them strategically or understanding how threats are interconnected. Many are still using traditional approaches, tools, and technologies to detect and manage threats. Today's risk environment requires leaders to challenge the status quo, prioritize investments and identify and analyze threats before they emerge. Simply put, accelerating performance and growth requires a different way of thinking about risk."
The survey results show that while organizations are laser-focused on digital transformation and disruptive technologies, many leaders fail to also recognize the critical importance of protecting brand and reputation. Fewer than half the leaders (42 percent of CEOs and 50 percent of board members) have discussed risks to the organization's reputation in the past year and approximately the same percentage of respondents (53 percent of CEOs and 46 percent of board members) lack the ability to identify events that can damage the organization's reputation. This is despite myriad examples of how reputational damage can sink stock prices, shareholder value, and disrupt executive and brand stability, which is only intensified by the 24-hour news cycle.
Rather than viewing reputational risk as a critical strategic threat, roughly 40 percent of survey respondents view it merely as a by-product of breaches and other security threats. This is concerning since market value largely stems from intangible assets such as brand equity, intellectual capital and goodwill.
In addition, about 70 percent of CEOs acknowledged that their organizations do not regularly report to executive management on culture and conduct risks. Three in four do not intend to improve upon or adopt such a report. These results are concerning, considering they are the areas over which leadership has significant control and responsibility.
The survey reveals that:
- Nearly two in three CEOs and board members surveyed lack a process to identify market signals that indicate a potential culture risk, yet only 35 percent of CEOs plan to invest in these processes in the next 12 months.
- Fewer than one in three organizations provide regular reports at the CEO and board level on culture and conduct risks.
- More than half of organizations lack the ability to analyze events and predict their impact on reputation. More than 50 percent of organizations lack a plan to develop or acquire new tools to manage reputational risks, including crisis response capabilities.
Cyber risk is everybody's problem
While most survey respondents ranked cybersecurity as their greatest area of concern, only 30 percent indicated they are ‘highly engaged’ in developing the cyber response strategy and governance.
Survey findings show that:
- Only about 25 percent (30 percent of CEOs and 21 percent of board members) of surveyed organizations are actively war-gaming and scenario planning for cyber incidents, even though these are demonstrated methods to assess vulnerabilities and create a crisis response strategy.
- CEOs and board members agree that Internet of Things and artificial intelligence pose significant risks to their cybersecurity program, yet they have different views on where to invest to protect against cyber incidents.
Third parties: a cause for concern
Many organizations underrate the importance of extended enterprise risk, even though third parties can create exposures as dangerous as those within the organization itself. Most don't hold third parties to the same risk standards they set for themselves and this can impact brand, reputation, culture and cyber risks. While almost two-thirds of CEOs think the risk management policies of their extended enterprise is weaker than that of their own organization, more than 50 percent don't have a program to establish formal risk monitoring standards.
About the survey
Deloitte's ‘Illuminating a path forward on strategic risk’ survey was conducted by Wakefield Research and included 200 CEOs and 200 board members at companies with $1 billion or more in annual revenue from six industries: technology, media and telecommunications; consumer; energy and industrials; financial services; life sciences/health care; and government. The survey was conducted between April 5 and April 25, 2018.