Reputation Takes Over as Corporates’ Top Strategic Risk Concern: Deloitte
Company reputation and the fallout from reputational damage has become the top strategic risk for large companies, according to a global survey by Deloitte. Overall, progress on strategic risk management is evident, though most executives admit that their programmes do not support their business strategy well enough.
Exploring Strategic Risk
survey report is based on responses from over 300 C-level executives and board members from the Americas (33%), Europe, Middle East and Africa (EMEA) (33%), and Asia Pacific (34%).
Reputational risk was ranked third among strategic risk concerns three years ago, according to companies surveyed. Also back in 2010, brand and economic trends were identified by senior executives as the key strategic risks, but both have fallen since. In some industry sectors, reputation has risen from outside the top five strategic risk concerns to the top of the list. In the energy and resources sector, for example, reputation ranked only 11th on the list of strategic risks in 2010, though three years later has risen to the top spot.
The rise of reputation risk as the key strategic risk is mirrored by executives listing social media, which has transformed reputation management as the biggest technology disrupter and threat to their business model. Nearly 50% of survey respondents listed this above other technologies such as analytics, mobile applications and cyber-attacks.
“The rise of reputation as the prime strategic risk is a natural reaction to recent high profile reputational crises, as well as the speed of digital and social media and the potential loss of control that accompanies it,” said Henry Ristuccia, Deloitte global leader, governance, risk and compliance (GRC).
“The time it takes for damaging news to spread is quicker, it goes to a wider audience more easily, and the record of it is stored digitally for longer. Even in an environment where economic conditions remain tough and technology threatens business models, this is why companies place reputation at the top of their strategic risk agenda.
“Several reputational episodes in the past three years have really brought this issue into focus for every industry. Indeed, the only sector where reputation hasn’t risen as a strategic risk factor is financial services where it was already No. 1 following the financial crisis and subsequent fallout.”
Strategic risk now firmly on the boardroom agenda
Attention and investment in strategic risk management at senior management levels continues to grow according to the Deloitte report. More than 80% of companies say they explicitly manage strategic risk rather than just limiting their focus to traditional risk areas such as operational, financial and compliance risk. However, there remains work to be done to tie strategic risk management to strategy, with only 13% of executives surveyed stating that their risk management program supports their business strategy ‘very well’.
Boards and senior executives are increasingly involved in strategic risk management also. Two-thirds of companies surveyed stated that their chief executive officer (CEO), board or board risk committee now has oversight when it comes to managing strategic risk.
However, the ultimate owner of strategic risk management varies significantly geographically and across industry sectors. In Europe, only 9% of companies state that their CEO primarily determines the company’s approach to strategic risk, compared to 23% globally. Likewise, in the energy sector, only 10% of CEOs are responsible, while in the technology sector CEOs are more hands-on with 33% determining the strategic risk approach.
“No single preferred approach to owning strategic risk management is evident at present, except that it is now being handled at the CEO and board level,” said Ristuccia. “Across two-thirds of companies there is an almost even split between the CEO, board or board-level risk committee on ultimate responsibility for this. What really matters though is the fact that strategic risk is being owned by the CEO and the board in the first place the idea of strategic risk is now firmly established at the highest level.
“The large variation in approach across regions and sectors suggests company culture and external events may well influence how companies manage strategic risk. The dominant founder/CEO model often prevalent in the technology sector is reflected by the higher number of CEOs holding ultimate responsibility for strategic risk in this sector, for example. In contrast, risk committees dominate in the energy sector perhaps a result of several high profile risk and reputation issues for companies in that sector.”
Overall, 61% of companies believe their strategic risk programs are performing at least adequately in supporting business strategy development and execution. However, only 13% of companies rate their risk management programs as being five out of five in terms of supporting the development and execution of business strategy. Confidence in this aspect is also lower in Europe, the Middle East and Africa.
Companies view technology as both an opportunity and a strategic risk
After reputation, companies identified their business model as the second highest strategic risk in 2013, and forecast this to remain the case in 2016. The role of technology looks to play a large part in this concern, with 53% of companies surveyed believing that technology enablers and disrupters are emerging that could threaten their established business models.
Perhaps surprisingly, companies identified data mining and analytics, normally seen as beneficial to a business, as the second most concerning technology threat. Together, the top five technology threats to the business were social media (47%), data mining and analytics (44%), mobile applications (40%), cloud computing (38%) and cyberattacks (36%).
“The risks of social media are well-known, but concern about how new technologies affect the core business model is also top-of-mind,” said Ristuccia. “Cyberattacks and the transformative power of apps and cloud computing present obvious risks, though some may find it surprising to see analytics and ‘Big Data’ in this list. Companies recognise the potential of this data, but appear concerned about how to grasp it properly. The key question is how to examine the data to find meaningful and relevant takeaways for business strategy.”
Other key findings from the survey include:
Many companies are working to hone their definition of strategic risk:
At present, 66% have established a common definition of strategic risk. More companies in Asia-Pacific, and the technology, energy and financial services sectors have done so than elsewhere
Investments to counter strategic risks:
Asked which strategic assets they are investing in to counter perceived strategic risks, companies identified human capital (47%), brand name and reputation (32%), customer capital (26 percent) as key items. Three years from now, innovation pipeline takes the second slot at (24%). “One of the most critical strategic risks is the ability to keep pace with innovation,” said Ristuccia. “Companies that fail to keep pace may soon discover that a competitor’s innovation has become a major disruption to their business model.”
Strategic risk management is constantly evolving:
Nearly all companies surveyed (94%) have changed their approach to strategic risk management over the past three years.