How many directors can name a chief risk officer who has advised them and the executive team that the organization is too risk-averse? In the digital age, not enough.
It has always been understood that one must take risks to grow. And typically, the more risk one takes, the higher the potential return. Conversely, a risk-averse mindset leads to a lower return. Given the pace of change in the digital age, the reality is such that it’s not just a matter of taking risk to grow or generate greater returns — it’s also a matter of survival. That’s why organizations might have to undertake more risk than they may be accustomed to taking if they are to survive.
Taking risks means more than introducing new products and entering new markets. It entails becoming more innovative in reimagining processes, disrupting business models, and even reinventing the organization itself. In the digital age, the board has an important role to play in strengthening and nurturing the risk culture that facilitates the initiative, creativity and digital thinking so critical to success.
Over three decades, best-of-class risk management has evolved from a fragmented, siloed model focused narrowly on myriad risks to an enterprisewide approach focused on the most critical business risks and integrated with strategy-setting and performance management.
To make an impact in the digital age, risk management should be framed around strategy. Traditional risk management applies an analytical framework to assess risks and opportunities with different characteristics and time horizon considerations, all in the same way and without contemplating multiple views of the future. Past experience and subjective assessments often influence this approach, fostering groupthink, preempting out-of-the-box thinking and offering little insight as to what to do about exposure to disruptive events. It also does not account for the increased velocity of change in the digital economy and ignores the reality of the uncertainties that organizations face.
Many risks and opportunities unique to the digital age are “compensated,” meaning they present enormous potential for an upside that compensates for the downside exposure. If all foreseeable future outcomes of undertaking a given risk or group of interrelated risks were listed, along with the expected net cash flows relating to each possible outcome and their respective probability of occurrence, a distribution of possible outcomes arises depicting both net positive and net negative cash flows, giving rise to performance variability.
Therefore, compensated risks are inseparable from setting and executing an organization’s strategy.
This is why traditional risk management often does not influence strategy, as it typically focuses on mitigating and avoiding uncompensated risks. Such risks are often one-sided because they offer the potential for downside with little or no upside potential (i.e., every foreseeable outcome results in net negative cash outflows, creating a loss exposure). That said, when managing such risks, care should be taken not to ignore interrelationships with other risks that offer upside potential, for they represent compensated risks.
For example, there is no upside if a cyber or privacy incident were to occur. However, an overly cautious approach that eliminates too much risk might limit or delay innovation opportunities offering significant upside. Therefore, managing cyber and privacy risk in isolation may not be in the best interests of the business. If a company is evaluating whether to apply digital technologies to enhance its processes, launch a new product or service, or differentiate customer experiences, it also needs to consider how much exposure to cyber and privacy risk it is willing to accept. With today’s optics, this question requires careful consideration.
In the digital age, risk management cannot only be about avoiding bad bets. It should also position leaders to make the best bets, from a risk/reward standpoint, that have the greatest potential for creating enterprise value. That means that the creation and protection of enterprise value in the digital age depends on the organization’s ability to pursue compensated risks and opportunities successfully and either avoid or transfer uncompensated risks or reduce them to an acceptable level.
A risk-informed approach fit for the digital age is one that is strategic in considering the impact of risk on strategy and performance; balanced in evaluating both opportunity and risk; integrated with strategy- setting, planning and business execution; and customized reflecting organizational business needs, expectations and cultural attributes.
Risk culture is the keystone that balances the inevitable tension between (a) creating enterprise value through innovative strategy and driving performance on the one hand and (b) protecting enterprise value through risk appetite and managing risk on the other hand. In essence, it balances the push and pull — the yin and yang — between strategy and risk appetite — an essential goal in the digital age.
You can read more on this topic in Revamping Risk Culture in the Digital Age and by exploring these tools on KnowledgeLeader: