Deloitte Survey Finds Many CEOs and Boards May Be Missing the Mark on Strategic Risk Investment and Readiness
Monday, October 29th, 2018
In a report released by Deloitte, most (96 percent) CEOs and board members say they expect their organizations will face serious threats or disruptions to their growth prospects in the next two to three years. Despite that, many are not adequately prioritizing the strategic planning and investment needed to identify, respond to and mitigate critical risks.
"Illuminating a path forward on strategic risk," the Deloitte Risk and Financial Advisory survey of 400 CEOs and board members from U.S. organizations with $1 billion or more in annual revenue, explores the leaders' posture on four critical and interconnected strategic risks:
- Brand and reputation
- Culture
- Cyber
- Extended enterprise
"This survey validates what we're seeing in the marketplace — that many CEOs and board members are risk-aware but not adequately risk-prepared," said Chuck Saia, CEO, Deloitte Risk and Financial Advisory, Deloitte & Touche LLP. "Leaders know there are threats on the horizon, but many are not viewing or managing them strategically or understanding how threats are interconnected. Many are still using traditional approaches, tools, and technologies to detect and manage threats. Today's risk environment requires leaders to challenge the status quo, prioritize investments and identify and analyze threats before they emerge. Simply put, accelerating performance and growth requires a different way of thinking about risk."
Brand, reputation and culture risk…underappreciated, underestimated, and misunderstood
The survey results show that while organizations are laser-focused on digital transformation and disruptive technologies, many leaders fail to also recognize the critical importance of protecting brand and reputation. Fewer than half the leaders (42 percent of CEOs and 50 percent of board members) have discussed risks to the organization's reputation in the past year and approximately the same percentage of respondents (53 percent of CEOs and 46 percent of board members) lack the ability to identify events that can damage the organization's reputation. This despite myriad examples of how reputational damage can sink stock prices, shareholder value, and disrupt executive and brand stability, which is only intensified by the 24-hour news cycle.
Rather than viewing reputational risk as a critical strategic threat, roughly 40 percent of survey respondents view it merely as a byproduct of breaches and other security threats. This is concerning since market value largely stems from intangible assets such as brand equity, intellectual capital and goodwill.
In addition, about 70 percent of CEOs acknowledged that their organizations do not regularly report to executive management on culture and conduct risks. Three in 4 do not intend to improve upon or adopt such a report. These results are concerning, considering they are the areas over which leadership has significant control and responsibility.
The survey reveals:
- Nearly 2 in 3 CEOs and board members surveyed lack a process to identify market signals that indicate a potential culture risk, yet only 35 percent of CEOs plan to invest in these processes in the next 12 months.
- Fewer than 1 in 3 organizations provide regular reports at the CEO and board level on culture and conduct risks.
- More than half of organizations lack the ability to analyze events and predict their impact on reputation. More than 50 percent of organizations lack a plan to develop or acquire new tools to manage reputational risks, including crisis response capabilities.
Organizations that take an integrated approach to risk governance and management — with greater rigor and heightened awareness of strategic risks — can accelerate performance and gain competitive advantage. However, this requires active CEO and board-level involvement and alignment, as well as a focus on reputational sensing tools, processes to monitor and predict, and effective governance models.
Cyber risk is everybody's problem
While most survey respondents ranked cybersecurity as their greatest area of concern, only 30 percent indicated they are "highly engaged" in developing the cyber response strategy and governance. Additional survey findings reveal:
- Only about 25 percent (30 percent of CEOs and 21 percent of board members) of surveyed organizations are actively war-gaming and scenario planning for cyber incidents, even though these are demonstrated methods to assess vulnerabilities and create a crisis response strategy.
- CEOs and board members agree that Internet of Things and artificial intelligence pose significant risks to their cybersecurity program, yet they have different views on where to invest to protect against cyber incidents.
How well a board executes cyber governance is indicative of how it oversees its business strategy. In the past year, the U.S. Securities and Exchange Commission increased its guidance for public companies on cybersecurity. This guidance included the responsibilities of senior management and boards in cyber risk oversight.
The ubiquity of cyber warrants full senior leadership engagement, greater cyber risk governance and management frameworks.
Third parties…a cause for concern
Many organizations underrate the importance of extended enterprise risk, even though third parties can create exposures as dangerous as those within the organization itself.
Most don't hold third parties to the same risk standards they set for themselves, and this can impact brand, reputation, culture and cyber risks. While almost two-thirds of CEOs think the risk management policies of their extended enterprise are weaker than those of their own organization, more than 50 percent don't have a program to establish formal risk monitoring standards.
A shift in mindset to stay ahead
"The survey results clearly show that CEOs and board members need to elevate strategic risk as a top priority and understand that there are solutions available to identify, monitor and manage these complex threats," said Saia. "An organization's strategic approach to risks related to reputation, culture, cyber, and extended enterprise can mean the difference between being a disruptor and being disrupted."