Most (96 percent) CEOs and board members say they expect their organizations will face serious threats or disruptions to their growth prospects in the next two to three years, according to new research from Deloitte. Despite that, many are not adequately prioritizing the strategic planning and investment needed to identify, respond to and mitigate critical risks.
The new report from the Deloitte Risk and Financial Advisory, Illuminating a Path Forward on Strategic Risk, surveyed 400 CEOs and board members from U.S. organizations with $1 billion or more in annual revenue to explore the leaders’ posture on four critical and interconnected strategic risks:
“This survey validates what we’re seeing in the marketplace—that many CEOs and board members are risk-aware but not adequately risk-prepared,” said Chuck Saia, CEO of the Deloitte Risk and Financial Advisory, in a news release. “Leaders know there are threats on the horizon, but many are not viewing or managing them strategically or understanding how threats are interconnected. Many are still using traditional approaches, tools, and technologies to detect and manage threats. Today’s risk environment requires leaders to challenge the status quo, prioritize investments and identify and analyze threats before they emerge. Simply put, accelerating performance and growth requires a different way of thinking about risk.”
Brand, reputation and culture risk—underappreciated, underestimated, and misunderstood
The survey results show that while organizations are laser-focused on digital transformation and disruptive technologies, many leaders fail to also recognize the critical importance of protecting brand and reputation. Fewer than half the leaders (42 percent of CEOs and 50 percent of board members) have discussed risks to the organization’s reputation in the past year, and approximately the same percentage of respondents (53 percent of CEOs and 46 percent of board members) lack the ability to identify events that can damage the organization’s reputation. This is despite myriad examples of how reputational damage can sink stock prices and shareholder value and disrupt executive and brand stability, an effect that is only intensified by the 24-hour news cycle.
Areas where investments are expected to be made in the next 2–3 years:
Rather than viewing reputational risk as a critical strategic threat, roughly 40 percent of survey respondents view it merely as a byproduct of breaches and other security threats. This is concerning since market value largely stems from intangible assets such as brand equity, intellectual capital and goodwill.
In addition, about 70 percent of CEOs acknowledged that their organizations do not regularly report to executive management on culture and conduct risks. Three in four do not intend to improve upon or adopt such a report. These results are concerning, considering that these are the areas over which leadership has significant control and responsibility.
The survey reveals:
- Nearly 2 in 3 CEOs and board members surveyed lack a process to identify market signals that indicate a potential culture risk, yet only 35 percent of CEOs plan to invest in these processes in the next 12 months.
- Fewer than 1 in 3 organizations provide regular reports at the CEO and board level on culture and conduct risks.
- More than half of organizations lack the ability to analyze events and predict their impact on reputation. More than 50 percent of organizations lack a plan to develop or acquire new tools to manage reputational risks, including crisis response capabilities.
Organizations that take an integrated approach to risk governance and management—with greater rigor and heightened awareness of strategic risks—can accelerate performance and gain competitive advantage. However, this requires active CEO and board-level involvement and alignment, as well as a focus on reputational sensing tools, processes to monitor and predict, and effective governance models.
Risks that pose the greatest reputational threat in the next 12 months:
Cyber risk is everybody’s problem
While most survey respondents ranked cybersecurity as their greatest area of concern, only 30 percent indicated they are “highly engaged” in developing the cyber response strategy and governance. Additional survey findings reveal:
- Only about 25 percent (30 percent of CEOs and 21 percent of board members) of surveyed organizations are actively war-gaming and scenario planning for cyber incidents, even though these are demonstrated methods to assess vulnerabilities and create a crisis response strategy.
- CEOs and board members agree that Internet of Things and artificial intelligence pose significant risks to their cybersecurity program, yet they have different views on where to invest to protect against cyber incidents.
How well a board executes cyber governance is indicative of how it oversees its business strategy. In the past year, the U.S. Securities and Exchange Commission increased its guidance for public companies on cybersecurity. This guidance included the responsibilities of senior management and boards in cyber risk oversight.
The ubiquity of cyber warrants full senior leadership engagement, as well as greater cyber risk governance and management frameworks.
Aspects of organizations’ cybersecurity programs that need improvement:
Third parties—a cause for concern
Many organizations underrate the importance of extended enterprise risk, even though third parties can create exposures as dangerous as those within the organization itself.
Most don’t hold third parties to the same risk standards they set for themselves, and this can impact brand, reputation, culture and cyber risks. While almost two-thirds of CEOs think the risk management policies of their extended enterprise are weaker than those of their own organization, more than 50 percent don’t have a program to establish formal risk monitoring standards.
A shift in mindset to stay ahead
“The survey results clearly show that CEOs and board members need to elevate strategic risk as a top priority and understand that there are solutions available to identify, monitor and manage these complex threats,” said Saia. “An organization’s strategic approach to risks related to reputation, culture, cyber, and extended enterprise can mean the difference between being a disruptor and being disrupted.”
Deloitte’s “Illuminating a path forward on strategic risk” survey was conducted by Wakefield Research and included 200 CEOs and 200 board members at companies with $1 billion or more in annual revenue from six industries: technology, media and telecommunications; consumer; energy and industrials; financial services; life sciences/health care; and government. The survey was conducted between April 5 and April 25, 2018.