Enabling the Risk Intelligent Enterprise

The economy and its hunkered-down survivors are warily beginning to find their legs, still unsure about the road ahead. The future of the tax code, the fate of healthcare, the strength of the recovery stateside and the stability of the global economy are just a few of the unknowns. The credit crisis upended what financial services firms believed they knew about risk management—a cornerstone of the health of their businesses. Now leaders in all industries have to confront that confounding question: How do we manage risk so we can climb high enough to see what’s ahead, yet not so far that we fall? How do we manage risk intelligently?

Indeed, those were the key questions on the minds of CEOs gathered for a Chief Executive roundtable discussion held in partnership with Deloitte at the CEO2CEO Summit. “Traditional risk management has failed,” noted Henry Ristuccia, partner with Deloitte & Touche LLP. That leaves CEOs with the daunting task of creating new systems and strategies for managing risk in four key areas: strategic, operational, financial and compliance. Boards, too, are piling on the pressure, as they feel the heat of new requirements for proxy disclosure of how directors execute their fiduciary responsibility for risk oversight.

As a result, the topic of risk has gone from “hors d’oeuvre to main course,” said Rick Funston, co-author of Surviving and Thriving in Uncertainty: Creating the Risk Intelligent Enterprise. “So much so that we’re in danger of being too risk-averse.” That’s particularly true for more successful companies, he noted. In a climate where management is more fearful of risk, market leaders can easily become complacent, overconfident in following their proven recipe for success. “But that can overnight become a recipe for disaster, which is why so many of the financial institutions and others had a recipe of success and continued to ride it right off the cliff,” Funston noted. “Sooner or later, no matter what your business model is today, it will change. Shifts are inevitable. The question is: Will you be the one to recognize it and help drive that change, or will you be the one who gets changed?”

A Process for Managing Risk

One of the key breakdowns in 2008, CEOs agreed, was that many companies, financial services firms chief among them, failed to question their assumptions and did not have the right processes. “For many executives, all of their information systems are set up to prove what they believe—not to find proof that they’re wrong,” added Funston. Given the reluctance by most employees to be the bearer of bad news, information can easily be distorted on its way up the chain. “Nobody wants to hear that their baby is ugly. So unless you take very systematic efforts to define your worst nightmare and look for signals of that, then you will be surprised.”

For entrepreneurial companies that live by their optimism but are often moving too fast to see around corners, that gets even harder, noted Vishal Rupani, CEO of Tekvault, a regulatory-compliance consultancy. “How do you actually balance the need for building risk-mitigation while you’re experiencing this type of rapid growth? You try to bring in the right resources, but sometimes they don’t see it. What I’m noticing is it’s not easy for individuals to look at the bigger picture to those different areas of risk.”

That’s where processes become paramount, said Funston, who recommends institutionalizing the process of constructively identifying how you might fail. “Because you cannot predict turbulence,” he noted. “So how good are your signal detection systems? How quickly can you recognize a circumstance? How vigilant are you in your environment?” In the wild, he added, predators are typically focused forward, while prey have good peripheral vision and built-in sensory detection mechanisms. “Organizations do not. So you have to create that. And it takes a great deal of effort to create and sustain that.” A big part of that process is making explicit your assumptions about your industry structure, the company’s reputation, the global economy, the regional economy and so on. “That allows you to think the unthinkable by first clarifying what you think. What are your life-and-death assumptions about the business?”

Scenario-based planning is another way to be prepared for anything, noted Karyn Schoenbart, president and COO of the NPD Group, a global market research firm that began investing heavily in scenario planning toward the end of 2007. “[We look at,] is it going to be good, bad or ugly? Now, for the recovery, is it going to be aU,aVoranL?Andweinvestalot of management time. You can’t predict the future, but what would we do under these scenarios?”

At Navigant, a global consulting firm that helps its clients protect value in the face of risk, the company’s value is tied up with the inevitability of sudden turbulence, said CEO William M. Goodyear, whose assumptions include another future sub-prime crisis and chaos around the Obama healthcare plan. “Our risks are not financial-statement risk, but all the stuff that drives, frankly, the value of the enterprise,” Goodyear noted. “So we’re putting in a series of hopefully good controls around that.”

Tying risk management to compensation is another way to keep it in focus, said Jill Smith, CEO of DigitalGlobe, a provider of high-resolution imagery products. “It’s now as important as revenue or other factors,” she said. The company has both an internal risk-management officer and a risk committee at the board level, with risk allocated across committees.

Once a process is in place, it can serve as a kind of muscle memory for the company when risk-related challenges arise, said Margery Kraus, CEO of global consulting firm APCO. “You’re totally prepared to deal with them, so you can focus on the bigger pictures. It’s sort of like managing risk through crisis anticipation.”

The Role of the Board

With fiduciary obligations, and therefore personal stakes, higher than ever, boards have, on the whole, become more active overseers of corporate risk. The challenge for CEOs is making sure boards are engaged in oversight, but not actually taking responsibility for managing risk, said Stephen Wagner, former managing partner of Deloitte LLP’s Center for Corporate Governance and co-author of Surviving and Thriving in Uncertainty.“Because that’s not their role. We use the phrase, ‘Noses in, hands out.’ ” Indeed, as Christine Jacobs, CEO of Theragenics, pointed out, it is ultimately the CEO’s responsibility to sign on the dotted line every 90 days, so he or she must take the lead. “All of us are in a tough spot because we’re liable for everything,” she said. “I mean, for the sun coming up tomorrow—we are liable.”

Directors, for their part, should be peering over the fence, looking at the company’s risk-mitigating processes and making sure they’re working properly. They can then help by challenging the CEO’s assumptions about the future. “I think that’s the single most important benefit that boards can bring to the process,” added Wagner. “As painful as it is to have board members challenge the process that management’s undertaking, it’s also potentially the most helpful.”Sunit Patel, EVP and CFO of Level 3, agreed, adding that for CEOs, it can be extremely challenging, if not unnatural, to come up with the 10 potential crises that could derail their businesses. The outsider perspective, then, becomes all the more valuable. “The board isn’t involved in the day-to-day running of the business, so if you can get the right discussion going, that can be very helpful.”

Greater China CEO John Allen pointed to three lessons for running board meetings that he’d learned from former World Bank head Sir James Wolfensohn, who had been Allen’s boss at Schroder Bank. “The first is call everybody by their firstname, no matter where they come from. The second is, don’t let anybody leave the table without being called on. The third deals with these crisis situations—make sure every board member has everybody else’s telephone number and email address so that if there is a crisis you can get them immediately.”

At one financial services company, the CEO appointed a task force internally to deal with risk, but the board also divvied up risk according to the board committees, with some items the purview of the entire board and others the responsibility of individual committees, said Kraus, who sits on that company’s board. “So everybody has their piece of it. We all feel like we’re doing our job because we don’t have our fingers in the pie.”

One of the problems for both boards and CEOs is that they don’t necessarily have the granular information from a risk point of view, said Allan D. Grody, president of Financial Intergroup Holdings. “They have the probability of a worst-case scenario a thousand years out and how big thevolcano explosion is going to be, but they don’t have a measure of sitting under the volcano and seeing the pressure build up.”

Too often, added Funston, risk management assessments focus on probability, leaving out the more critical question: “How bad can it get and how fast can it get that bad?” Had BP paid better attention to its pattern of safety violations—760 to Exxon’s one in the same period—it might have been better able to forecast and perhaps prevent the calamity that followed.

Whatever a company’s biggest source of risk, whether strategic or operational, in it lies the greatest potential for leaping forward. Taking the “frontier risk” of constantly challenging one’s own competitive model can lead to great things, said Funston, pointing to Apple as an example of a company that continually cannibalizes its own products with newer, better models. But vigilance must be continuing and response quick, because opportunity is fleeting. “If you’re not agile and able to see it, then it will probably escape you.”