
The risk executive agenda -- A compendium of Deloitte insights

4,857 views

Published on

Articles published as sponsored content in the Risk & Compliance Journal from The Wall Street Journal from August 2017 to August 2018. https://deloi.tt/2CMG6lI

Published in: Business


  1. The risk executive agenda: A compendium of Deloitte insights
     Articles published as sponsored content in the Risk & Compliance Journal from The Wall Street Journal from August 2017 to August 2018.
     Enterprise risk management; Brand and reputation risk; Crisis management; About Deloitte Risk Intelligence services.
  2. Enterprise risk management
     Broadening the lens of EERM to focus on value creation
     Managing the digital risks of new business models
     How ERM can support strategy and performance
     Transparency: Key to managing information exchange risks in outsourcing
     A strategic risk approach to disaster recovery: Beyond traditional planning
     The networked economy: Strengthening organizations across the extended enterprise
     Strategic resiliency: Striking a balance between protecting and creating value
     Inadequate visibility into third parties raises risks: Global survey
  3. Enterprise risk management. Inadequate visibility into third parties raises risks: Global survey
     Organizations are placing a renewed focus on enhancing extended enterprise risk management (EERM) amid increasing dependence on third parties. Yet progress toward EERM maturity has been slower than expected, according to Deloitte Global’s third annual EERM survey, “Focusing on the climb ahead.”
     Dependence on third parties continues to grow, with 53 percent of the more than 900 respondents reporting “some” or “significant” increase in their level of dependence on third parties. Another 57 percent of respondents feel their organizations do not have adequate knowledge and an appropriate level of visibility over fourth or fifth parties (third-party outsourced relationships) in their extended enterprise. Similarly, 53 percent of respondents from the U.S. feel the same way about not having adequate knowledge or an appropriate level of visibility.
     The survey responses reflect the views of 975 senior leaders from a variety of organizations in 15 countries across the Americas; Europe, Middle East, and Africa (EMEA); and Asia Pacific.
     “The survey findings reveal that organizations are taking an earlier, more strategic view of third-party risk drivers to create value and identify new opportunities,” observes Chuck Saia, CEO of Deloitte Risk and Financial Advisory at Deloitte & Touche LLP. “Organizations seem to have a more balanced outlook with regard to establishing the business case for investment in EERM initiatives. For example, they tend to focus on mitigating the downside threats of risk while enabling calculated risk-taking aligned to strategic opportunities, such as innovation and positive cost reduction,” says Saia.
     Despite this awareness, and some associated improvements in third-party governance and risk management, the survey also identified six areas where many organizations may need to make further efforts: inherent risk and maturity; business case and investment; centralized control; technology platforms; sub-contractor risk; and organizational imperatives and accountability.
     —by Chuck Saia, partner; Kristian Park, partner; and Dan Kinsella, partner, Deloitte Risk and Financial Advisory, Deloitte & Touche LLP. This story originally appeared in the Deloitte module of the Risk & Compliance Journal from The Wall Street Journal on June 25, 2018.
  4. Journey to Maturity
     Amid critical levels of third-party dependency, only 20 percent of organizations have streamlined their EERM systems and processes, and 53 percent of respondents now believe their journey to achieve EERM maturity is two to three years or more. “This is a significantly longer journey than anticipated in earlier surveys, when respondents reported that this could be achieved in six months to a year,” according to Kristian Park, the EMEA leader, Extended Enterprise Risk Management at Deloitte Global Risk Advisory. “This reflects a more realistic time-frame, and we’d expect organizations to be closely aligning plans to address the expected regulatory outlook over this period.”
     In addition, board oversight and engagement with EERM programs continue to be relatively low, according to the survey report. Globally, 38 percent of board members and 39 percent of risk domain owners still have lower to insignificant levels of engagement on the EERM agenda. Among U.S. respondents, the number is slightly better, with only 23.5 percent saying their organization’s board members have lower to insignificant levels of engagement.
     “Boards recognize that many third-party relationships have traditionally been managed in silos within business units in a manner that is neither strategic nor consistent,” notes Dan Kinsella, a partner with Deloitte Risk and Financial Advisory at Deloitte & Touche LLP. “The good news is that boards are becoming more engaged and applying oversight, which is creating a more centralized, ‘federated’ approach to EERM. This type of approach can reduce redundancies and leverage technologies to help enterprises drive gains, open new markets, and decrease the uncertainty that can exist with third parties,” adds Kinsella.
     Visibility and Dependency
     While more than half of respondents say knowledge and appropriate levels of visibility over third-party outsourced relationships are adequate, only 2 percent indicate that they regularly identify and monitor their subcontractors (fourth/fifth parties). Another 10 percent do so only for those subcontractors identified as critical. The other 88 percent either rely on their third parties to regularly identify and monitor subcontractors; have an unstructured/ad hoc approach; do not identify or monitor subcontractors at all; or do not know their organizational policy and practices in this regard.
     The financial services industry underscores the contradiction, with 71 percent of respondents from that sector reporting a heightened perception of risks inherent in third parties. Yet the most notable increases in the level of dependence on the extended enterprise have taken place in the financial services industry segment, with 59 percent of respondents reporting some or significant increase during the last year.
     In addition to a focus on increasing maturity and subcontractor risk, the report also explores other areas where most organizations could benefit from further EERM efforts.
  5. Organizational imperatives and accountability. Ownership and accountability for EERM seem to be well established in the C-suite, with 78 percent of organizations suggesting that the CEO, CFO, CRO, chief procurement officer, or a member of the board is ultimately accountable for this topic. The most significant concern for respondents appears to be skills, bandwidth, and competence of talent engaged in EERM-related activities (45 percent), followed by the clarity of roles and responsibilities, and EERM processes (41 percent in both cases).
     Centralized control. Many organizations are adopting central oversight and management to accelerate risk awareness and efficiency. Fifty-five percent of organizations are now equally or more decentralized than centralized (down from 62 percent in the prior survey). This suggests that organizations are starting to scale back decentralization across the overall organization.
     Business case and investment. While the main catalysts for EERM focus on mitigating risk and compliance, there is an increasing focus on driving value. The business case for investment in EERM is now being driven by other factors that exploit the upside of risk, such as enhancing organizational responsiveness and flexibility, innovation, brand confidence, and increasing revenues. Among U.S. respondents, more than 46 percent considered investment in EERM a revenue-generating opportunity. Globally, 21 percent considered investment in EERM a revenue-generating opportunity.
     Technology platforms. In keeping with the trend of increased centralized oversight of EERM activities, technology decisions are now being made more centrally and a standard tiered technology architecture is emerging. Less than 10 percent of respondents are currently using bespoke systems for EERM, a sharp drop from just over 20 percent in the prior survey.
     “The critical success factors for capturing the upside opportunity of risk will be measured not only on how cost efficient or effective the frameworks are designed or operated, but primarily on how well risk is managed and mitigated,” says Saia. “Should organizations lose this strategic insight and reduce their annual investments in EERM, it is likely to be at the expense of reputation, regulatory scrutiny, and ultimately consumer backlash,” he adds.
     About the Survey
     Deloitte Global’s 2018 EERM survey, “Focusing on the climb ahead,” is based on 975 responses from a variety of organizations across major industry segments and from 15 countries across the Americas; Europe, Middle East, and Africa; and Asia Pacific. A record number of participants this year reflects the ever-increasing profile of third-party risk and the investment third-party risk management is receiving within organizations.
  6. Enterprise risk management. Broadening the lens of EERM to focus on value creation
     —by Dan Kinsella, partner; Jonathan Rizzo, senior manager; and Carolyn Axisa, senior manager, Deloitte Risk and Financial Advisory, Deloitte & Touche LLP. This story originally appeared in the Deloitte module of the Risk & Compliance Journal from The Wall Street Journal on May 29, 2017.
     The extended enterprise, the hundreds and sometimes thousands of third parties a business works with each day, has evolved into more than a network of back-office service vendors. While the main drivers for EERM center on mitigating risk and compliance, there is an increasing focus on driving value, according to Deloitte Touche Tohmatsu Limited’s 2018 Global EERM Survey.
     “Many organizations are using third parties to perform core operations and processes, as well as to help meet strategic objectives,” says Dan Kinsella, a Deloitte Risk and Financial Advisory partner with Deloitte & Touche LLP. “And that makes a significant difference in the way senior executives and boards should think about extended enterprise risk management (EERM),” he adds. “One approach is to think about third parties as teaming with the business to help create value.”
     The business case for investment in EERM is now being driven by other factors that focus on the upside of risk, such as enhancing organizational responsiveness and flexibility, innovation, brand confidence and increasing revenues, for example when agents help open new markets or suppliers provide access to new geographies. Globally, 21 percent of the 975 executives responding to the survey consider investment in EERM a revenue-generating opportunity, while among U.S. respondents, 46 percent felt the same way. “The survey results indicate that organizations are taking a more balanced view of EERM than in the past, acknowledging that value creation is as critical as value preservation,” notes Kinsella.
     Connecting the Dots to Value Creation
     Traditionally, the value derived from EERM programs has focused on loss avoidance in terms of fines, regulatory actions, and reputation risk. “However, revenue recovery efforts that can ‘plug leaks’ in the bottom line should also be considered,” says Jonathan Rizzo, a Deloitte Risk and Financial Advisory senior manager with Deloitte & Touche LLP.
  7. He notes that an effective EERM program might include, for example, efforts to reduce future costs, increase confidence in information shared with third parties, promote transparency in third-party processes, and clarify contractual expectations. “These are all activities that likely have potential revenue recovery benefits and link back to effective management of extended enterprise risk,” says Rizzo.
     In Deloitte’s experience with cost recovery projects, there are many potential benefits. A review of accounts payable, for example, could generate average savings of up to 10 percent, and a review of contract compliance could yield up to 5 percent on average of related spend. Similarly, reviews of joint ventures could produce up to 15 percent in average savings on related expenses, while software asset management could yield up to 20 percent of average savings on software spend.
     Enhancing assurance activities over third parties, if done effectively, also can generate value. “Proactive efforts to manage the extended enterprise can open doors to revenue opportunities by qualifying a company to do business with other entities,” says Carolyn Axisa, a Deloitte Risk and Financial Advisory senior manager with Deloitte & Touche LLP. From the buyer’s standpoint, well-defined supplier standards, along with governance processes and enabling technologies, can form the backbone of a supply chain compliance optimization program. “Such programs not only seek to ensure third-party adherence to policies and standards, but also to drive revenue by aligning the extended enterprise with the organization’s broader business objectives, such as improving product quality, entering new markets, and satisfying demands for sustainable sourcing,” notes Axisa.
     Building a strong EERM program has the potential to bolster financial performance as well. “Implementing and managing EERM programs using technologies that are well-suited to the task can drive efficiency, reduce costs, improve service levels, and increase return on equity,” says Rizzo. He points to recent Deloitte research that says organizations with a well-defined, technology-enabled EERM framework typically realize an additional four to five percent return on equity. “Better tools and technology can significantly reduce the time spent on pre-contract, post-contract, and ongoing tracking and monitoring activities, which provides more time for focusing on broader, strategic areas of risk management and value creation, such as performance, strategy, innovation and commercial efforts,” adds Rizzo. Technology enhancements can include predictive and sensing analytics, highly customized decision-support tools, and internal data that is centralized and easily accessible.
     A New EERM Perspective for Boards
     A well-executed EERM program not only enables value creation by taking advantage of opportunities that third parties create, but also revisits the roles of people, technology, and processes, which in turn enables risk management processes. Further, effective EERM programs advocate a greater oversight role for boards as a fourth line of defense.
  8. “Due to the added complexity of many extended enterprises, EERM may have outgrown its fundamental three-lines-of-defense model — management and internal control measures; compliance and risk controls; and internal audit. In today’s environment, where businesses operate with a host of ecosystems, a four-line model that advocates a greater oversight role for the board may be needed to make sure the board, or a board committee, monitors EERM issues,” suggests Kinsella.
     Results from the 2018 survey indicate a shift in how senior executives and board members think about EERM. Boards and C-suite executives believe their accountability around EERM is increasing. At the same time, they believe that their levels of engagement and coordination need improvement. Only 20 percent of board members have a high level of engagement where a member of the board has ultimate accountability, according to the survey. This may imply that levels of engagement in the remaining 80 percent of organizations, where the board operates in an oversight or supervisory role, are at best moderate (42 percent of respondents), if not low (19 percent).
     The 2018 survey findings also indicate that reputation risk has supplanted regulatory compliance as the biggest driver of investment in EERM in the financial services industry, a sector that is one of the most mature with regard to EERM. Reputation risk also was cited by respondents as one of the top “value-destroying” risks that organizations are the least prepared to address.
     For boards to play a more comprehensive oversight role in EERM, they will need access to management data from across the enterprise, and organizations would need to consider how to provide such access. Boards also would require the capability to monitor and track risks in the external environment.
     “The traditional three-lines-of-defense model may need to be updated, especially as extended enterprises grow more complex—another reason for greater board engagement as the fourth line,” observes Axisa. If boards don’t have the time or resources to focus on EERM, a risk committee could become the fourth line of defense, working with the full board to oversee risk management of the extended enterprise. “The audit committee could be another option to oversee EERM; however, that committee often is more focused on operational and financial risks than on the extended enterprise,” notes Rizzo.
  9. Rethinking the Extended Enterprise Risk Management: Emerging EERM trends
     Ongoing monitoring: Risk and performance data must be monitored on a near real-time basis and used to alter the course of third-party risk management.
     Leveraging utilities: Utilities provide a solution to the increasing assessment “fatigue” through shared assessments, innovative technology, and more advantageous pricing.
     Organizing for EERM: There is no one-size-fits-all approach; each organization should customize its EERM organization in line with its strategic context.
     Emerging technology enablement: A portfolio of technology is used to enable an EERM program and should be prioritized in alignment with the organization's risk approach.
     Source: Deloitte Dbriefs: The new extended enterprise: Resetting the front line.
     Moving Toward a New EERM Approach
     EERM is a board and C-suite led transformational approach focused on value creation, in addition to value preservation, and enabled by governance structures, roles, responsibilities, processes, and technologies. “EERM is transformative because it pushes the focus of third-party risk management from being only compliance- and reporting-oriented to enabling identification and exploration of value creation opportunities through third parties. There is no one-size-fits-all approach to EERM. However, managing third-party risk from both a revenue and cost perspective can provide significant opportunity to drive additional business value, create efficiencies, and build resilience,” observes Kinsella.
  10. Enterprise risk management. Managing the digital risks of new business models
     —by William Ribaudo, partner, Deloitte Risk and Financial Advisory, Deloitte & Touche LLP. This story originally appeared in the Deloitte module of the Risk & Compliance Journal from The Wall Street Journal on May 7, 2018.
     As industries continue to converge and companies adopt new business models to compete, digital risks are becoming a rising concern for the C-suite and boards. To address the most significant digital risk—created by business model disruption by competitors—it is critical to examine whether the core strategy itself remains sufficient in the face of new technologies and as nontraditional competitors enter the marketplace, according to William (Bill) Ribaudo, managing partner of Deloitte Risk and Financial Advisory’s Digital Risk Venture Portfolio, Deloitte & Touche LLP. A member of Deloitte’s US CFO Program leadership team, Mr. Ribaudo discusses why organizations should reassess their business models to understand their digital maturity, and what steps can be deployed to address the strategic risks that come with today’s increasingly ubiquitous digital technologies.
     Q: How do you define digital risk?
     Bill Ribaudo: An organization’s digital risk will vary depending on how it incorporates technology into the core of its business model. In the last decade, many organizations have applied digital applications and features to their businesses with various degrees of success. For example, some more traditional organizations applied digital technologies using a bolt-on approach through acquisition, without integrating them into the core business model. But rather than merely add new technologies, they should have considered making a more connected and fundamental shift in the business model itself. By taking a piecemeal approach, these organizations may have increased the associated digital risks. That’s not to say companies need to be fully digital to survive. Rather, they need to find the right mix of physical and digital assets, a strategy that is still elusive to many. Based on our research, shareholders place a higher value, measured as a multiple of revenue, on more digitally enabled companies. CEOs, particularly those of more traditional companies, are growing aware of the need to invest in digital operations and infrastructure. And the way they make that transformation is critical to their future competitive success, and managing the risks they will face. So when we talk about digital risk, it’s important to first look at how organizations are applying digital. Generally, they fall into one of two broad categories: they either use digital in the business or they use digital as the business, and the difference is significant for their risk profiles.
  11. Digital in the business refers to those organizations that are adapting digital applications to their existing physical businesses. A large retailer using digital technology for its point of sale (POS) system is an example. If the POS system goes down, customers can continue to make some purchases, such as with cash and check, and the retailer can still conduct business. In contrast, digital as the business refers to companies in which digital is the way they transact, such as an online e-hailing ride service. In this case, if there’s disruption in internet connectivity, it cannot conduct business; and typically as a result, business with customers stops. So the digital risks in this business model are dramatically different than a business that uses technology in the business, and the risks likely will have a more significant impact on the business.
     Q: How does digital risk differ from more traditional types of risk that organizations face?
     Bill Ribaudo: What is different is the speed of impact. If you analyze how those risks play out within a business, they work through three traditional risk management channels—strategic risk, operational risk, and governance risk. Strategic digital risk is the fundamental threat now faced by many companies that have not successfully incorporated a digital framework into their business model. Companies may do a solid job executing operationally focused strategies, but if they don’t progress toward business models that balance physical and digital capabilities, they increase the risk of being disintermediated and losing direct interactions with their customers. Operational digital risk derives from not implementing today’s IT applications to do things better, faster, cheaper, and it mostly impacts productivity and efficiency. For example, if a company adopts new IT associated with robotic process automation (RPA) or blockchain, merely to automate existing processes or steps without changing the fundamentals of the company’s business model, this can create digital risks to operations. The third area, governance digital risk, is an outcome or result of both strategic and operational strategy. Management has the responsibility to ensure that all the digital technologies employed, whether strategic (think business model) or operational (as in better, faster, cheaper), are fulfilling the goals set and that new risks are addressed. One step in that process would be to inventory and manage the many different RPA applications installed and ask: “Do we have bots that are talking to bots that are talking to other bots, and do we know all the linkages to our legacy systems?” Imagine the risks that can arise when you have 100 RPA projects happening at once, feeding off of 80 different systems. Someone needs to be looking at that inventory of risks across all business units.
     Q: What are some considerations and strategic risks when transforming to a digital business model?
     Bill Ribaudo: Understand that the purpose of transforming to digital falls under the category of using today’s latest technology to serve customers better than your competitors.
  12. The challenge for management and boards is that the speed of technological advancement has accelerated beyond their knowledge and capability, and as a result they are likely not investing as needed to stay ahead. That opens the door to new competitors who can enter their space and create disintermediation and, therefore, strategic risks. To deal with these realities, executives can consider five broad steps: First, start with a clear understanding of the company’s current business model and be prepared to shift your mental model about understanding where value comes from and what shareholders are now valuing. The next step is to create a “market-based balance sheet” that reflects market-based valuations and identifies any implied intangible assets. Leveraged or monetized intangible assets, such as customer connection, customer information, operating data, etc., are more valued in the digital economy. It’s these assets that can become the building blocks of a new business model. The third and fourth steps entail developing new business models based on those intangible assets, and creating a plan to reallocate capital to leverage those assets. Based on our research, new business models can be valued using a revenue multiplier applied to a certain type of business model—asset-based, service-based, IP-based, or network-based. The last step involves establishing ways to measure and manage these new models, including new sets of key performance indicators (KPIs). New business models require new KPIs, and as the saying goes: “People manage and respect what you measure.”
     Q: Why might some organizations hesitate to embrace digital?
     Bill Ribaudo: With respect to digital in the business, we are not seeing hesitation. This, I believe, is because management is generally comfortable employing operational technologies—better, faster, cheaper—to improve operations. However, when it comes to strategically changing business models, management has, at times, had a hard time making the transition. Typically, traditional companies have leaders who have not grown up in the digital age and, as a result, many of these companies and their leaders may not have the familiarity or comfort to venture into this unknown space. For companies to make the leap, they also need to get the entire leadership team to buy into the new direction and ensure the board is supportive, too. This alignment alone is difficult for many organizations to achieve and why oftentimes companies fail, when others are better able to manage change more successfully. Another obstacle is reallocating capital from supporting the historical business to investing in new digital areas, where digital means in the business, at the same time that current investors want the organization to keep doing what it has been doing. Changing strategies often involves shifting groups of investors and there can be a market penalty for doing so. In the end, investors pay for the promise of growth, and if the new strategy is not communicated effectively, or shareholders are not convinced of the benefit, there can be much risk-related turbulence.
  13. Q: What are the roles of the CFO and CRO in managing the risks that come with shifting to business models that embed digital?
     Bill Ribaudo: The CFO has a pivotal role in being what I call the great translator as a company embarks on a digital business model transformation. The CFO needs to work closely with operating management and be able to explain the financial implications of different strategies. How will the market and investors react to strategy A versus strategy B? Understanding that requires financial modeling, scenario planning and buy-in from the board. It’s also essential to understand and convey the cost and risks of standing still and doing nothing. For the CFO and CRO, it is critical to anticipate, assess, and monitor this new risk frontier triggered by new digital business models.
  14. 14. Enterprise risk management How ERM can support strategy and performance —by Keri Calagna, principal; and Jacqi Fifield, specialist leader, Deloitte Risk and Financial Advisory, Deloitte & Touche LLP This story originally appeared in the Deloitte module of the Risk & Compliance Journal from The Wall Street Journal on February 26, 2018. With the 2017 update of the Enterprise Risk Management (ERM) framework, the Committee of Sponsoring Organizations (COSO) of the Treadway Commission recognized the importance of aligning ERM to an organization’s strategy and performance. Keri Calagna, principal, and leader of the Strategic Risk Management practice at Deloitte & Touche LLP, and Jacqi Fifield, a specialist leader within the practice, discuss aspects of the updated framework, what organizations can do to better connect risk management to strategy and performance, and what boards are expecting from ERM programs. Q: Why did COSO update its ERM framework? Keri Calagna: The initial ERM Integrated Framework was first released by COSO in 2004. The update released last year comes at a time when organizations are challenged by technology innovation, ongoing changes in consumer preferences, regulatory uncertainty and other business disruptions that threaten their ability to compete effectively. Executives need to anticipate and address these challenges while making choices about risk that enable strategy, build resilience and drive value. The updated COSO framework emphasizes the connections between risk, strategy, and value and provides a new lens for evaluating how risk informs strategic decisions, which ultimately affects performance. Equally important, it elevates the role of risk in leadership’s conversation about the future of their organization. 
Jacqi Fifield: Executives need to understand and think strategically about known and emerging risks that affect or are created by business strategy decisions. Many organizations and ERM programs already connect strategy and risk management by identifying and assessing known risks to executing a strategy, but this is not enough. Risk programs must also address risks to strategy caused by external changes that may not have been foreseen when the strategy was originally developed. These new risks may need to be addressed or strategies may need to be modified.

Q: What are some challenges organizations have in implementing ERM effectively?

Keri Calagna: We see a few common challenges implementing effective ERM. Some organizations have a hard time demonstrating the value of ERM and investing adequate resources to build a strong risk capability. Some find it difficult to integrate risk management across the organization, embedding it into business units, functions and processes. Other organizations fail to build a risk-aware culture that is embraced and governed by a strong tone at the top among senior leadership. An effective ERM program has a few basic requirements. It should escalate the right risks to the right people in a timely manner, and as a result, drive meaningful risk conversations with leaders to inform decision-making. When ERM is working properly, it should increase resource efficiency and effectiveness in the management of core risks to the enterprise, while reducing the impact of crisis events and protecting the reputation of the organization. Last, ERM should support the achievement of strategic goals and objectives as determined by leadership.

Jacqi Fifield: One of the top challenges I see is the difficulty to identify emerging risks to strategy. There could be an ERM program in place, but it may be only identifying current known risks rather than also helping executives anticipate unknown risks that may be emerging. One sign an ERM program is not effective is when executives see the same risk heat map year after year, which does not help them make better decisions. What is often missing are deep discussions at the C-suite and board levels on root causes of the known risks and what more could be done to act on the risk information they are getting. Ongoing risk discussions can help integrate risk into strategic decision making on a formal and informal basis.

Q: What is the linkage between the ERM framework and performance?

Keri Calagna: Strong ERM enhances an organization’s desired performance and chances of success in achieving its strategy. ERM can be used for both offense and defense, to both protect value and to enhance value. ERM helps identify and manage risks that could limit an organization’s ability to achieve its strategic objectives. When done well, ERM also allows leaders to take smarter risks in the pursuit of opportunities that can lead to greater rewards. In order to get there, organizations need to have confidence in their ability to identify, analyze and strategically think about the risks to strategic decisions on an ongoing basis and to be confident in their ability to monitor, respond and correct course in the face of unforeseen events.

Jacqi Fifield: Let me share an example of how this can work. Position a risk team member within a business unit to help embed risk intelligence into day-to-day operations and link risk to performance goals. The risk analyst can build and conduct risk assessments, monitor risks and work directly with the business owners to advise them on how best to manage risks. The better risks are managed, the stronger the business is likely to perform.

Q: What do boards expect from ERM?

Jacqi Fifield: Boards in general want more transparency, and many are not receiving the risk reporting and updates they need. Many boards and executives are indicating a lack of confidence in the robustness of existing ERM programs and question whether the programs allow them to effectively oversee and guide strategic decisions for the organization. Are ERM programs identifying the right risks at the right time, given the complexities in the environment? ERM programs should support the board’s risk oversight role by providing specific insights into risks to the organization’s strategy and support leadership’s decision-making processes on an ongoing basis. Risk reporting to the board should include how effectively risks are being addressed by tracking metrics that are impactful, valid, and measurable, including key risk indicators that impact performance.

Keri Calagna: To further Jacqi’s point, board members are worried about the unknown risks that are out there. They want confidence that they are not missing something significant, and as a result, that they are asking more insightful questions of their executives. A leading practice is to have a chief risk officer (CRO)-type role at the executive level. This helps set a strong tone at the top and signals that risk has a seat at the table to help set and achieve strategy. A CRO can give the CEO and the board the comfort that they have a peer and a partner whose job is to help manage and mitigate risk, and help grow the business in line with strategy. For those organizations that do not have a C-suite level risk executive in place, initiating risk management pilot programs in a few key areas, such as M&A or strategic planning, and incorporating a risk framework into the decision-making process, can be a place to start. Similar coordinated initiatives can be introduced in other areas, helping to show the value that integrating risk into strategic decisions can bring. Board members want confidence in risk management, and they want to know that the organization has strong risk governance in place with executive level accountability.
Enterprise risk management

Transparency: Key to managing information exchange risks in outsourcing

—by Dan Kinsella, partner, Deloitte Risk and Financial Advisory, Deloitte & Touche LLP

This story originally appeared in the Deloitte module of the Risk & Compliance Journal from The Wall Street Journal on December 19, 2017.

The use of outsourcing providers by organizations is increasing globally, and the functions and tasks being sent to third parties are more closely related to those organizations’ core business than in the past, according to research from Deloitte.*

Effectively managing risks that can penetrate the extended enterprise requires executives and board members to “think beyond their four walls in diverse ways,” observed Dan Kinsella, Deloitte Risk and Financial Advisory partner, Deloitte & Touche LLP, who led a panel on bringing more transparency to the information exchange process in outsourcing arrangements at a Compliance Week conference.

“These risks are no longer relegated to accounts payable or the exchange of financial information,” added Mr. Kinsella. He explained that third-party relationships can affect an organization’s reputation and create risks around the disclosure of nonfinancial information, such as personally identifiable information or research—breaches that may not be caught by accounting and inventory controls because they are unrelated to financial transactions. Mr. Kinsella’s discussion focused on how to improve the exchange of information between the two parties by improving efficiency and addressing related risks.

Information Exchange Challenges

The information passed between a customer of outsourced services and its third-party provider can include security and controls documentation from the vendor, as well as evidence of the vendor’s credit worthiness and financial stability.

“The information exchange challenge begins at a fundamental level, early in the customer-vendor relationship,” commented Jeremy Taylor, vice president, chief compliance officer and associate counsel—Litigation, at Dover Corporation. “As a client or customer, I will request information from third parties on an ongoing basis to evaluate the risk in the relationship to manage my company’s compliance efforts and follow up on anything that causes me concern,” he added.
Jim Theisen, associate general counsel and chief compliance officer at Union Pacific Corp., talked about how his organization uses information to populate a comprehensive scorecard as part of an annual review of critical suppliers to vet the quality of third-party services and materials. The scorecard process provides assurance that vendors meet security and financial criteria, as well as Union Pacific’s cultural goals, which is another layer of information.

“It’s not just on-time delivery and project performance that we score, but also company goals, such as whether the vendor partners with us on safety, diversity and social responsibility. As a railroad company, safety is the number-one concern of management and our people, and it must be a top priority of our third-party providers,” added Mr. Theisen.

Vendors in outsourcing arrangements experience a different set of information exchange challenges from their customers. Jonathan Klein, chief information security officer, Broadridge Financial Solutions, explains that his organization works with customers to formulate “reasonable” information requests. For example, when asked to provide information about every software patch Broadridge applied to its data systems, which amounted to a 60,000-line spreadsheet of patches, Mr. Klein noted, “I worked with the customer to provide a six-month sampling of patches as reassurance that Broadridge has a patch program in place that is functioning properly.”

Managing Information Requests

The process for managing multiple customer requests from the same client also was discussed, with Mr. Klein supporting an approach that would funnel requests from different customer functions into one department to consolidate and perhaps standardize them. That way, vendors would not find themselves responding to the same request for information multiple times during the year.

In some cases, “customers respond to the call for better oversight by asking vendors for the ‘kitchen sink,’” noted Mr. Klein. “It could be a tough conversation when a vendor begins negotiating with a customer about what is a ‘reasonable’ information request,” observed Mr. Taylor. But the panel generally agreed that such negotiations keep the lines of communication open, which often helps nurture a mutually beneficial relationship. Mr. Taylor noted that at Dover, information requests are made after a decision-making process that takes into consideration what management targets to meet compliance expectations.

“Organizations that choose to more cohesively engage with third-party management can often increase value, for example, by staving off revenue leakage,” noted Mr. Kinsella. He said a cohesive approach can be centralized and still allow business units to work with third parties to achieve objectives and drive value.

From Board Oversight to Reputation Risk

Boards, not only management, have a role to play in overseeing third-party risk. “Boards need to hear from their chief compliance officers about their organizations’ third-party oversight program and whether it is effective,” said Mr. Theisen, who updates Union Pacific’s board on a variety of third-party matters and the measures in place to handle such risks. He noted that a strong board, with solid fiduciary responsibilities, promotes confidence in ethical leadership and provides knowledgeable oversight of third-party risk.

Reputation risk with respect to third parties also is a concern. “At a very high level, managing reputation risk means making sure we are working with the ‘right’ partners, something Dover’s third-party vetting program is designed to give us comfort around,” commented Mr. Taylor. Dover assigns a risk score to third parties that work on the organization’s behalf. For vendors that fall into the “small bucket” of higher risk, Dover requires additional detailed information and approval from senior-level leadership to enter into an arrangement, and manages those vendors more closely than vendors with low-risk profiles. Further, higher-risk vendors are required to have a sponsor from within the business unit that uses the third-party products or services.

Moving Forward

Automation may help organizations streamline and scale their vetting process for third parties, which tends to be a manual task. Some vendors are working with customers on ways to automatically feed information directly into their risk management systems. Such a system would enable customers to crunch data automatically—rather than sift through it manually—and flag potential issues, by using key indicators. In addition, vendors may want to consider developing standard reports for customers that operate in the same industry. However, for that approach to be effective, organizations should be ready to accept those types of advances and outsource providers ready to deliver them.

Mr. Kinsella suggested a basic framework to help customers and providers improve their transparency and information exchange. For example, the customer and vendor may want to undertake a joint inventory. For customers, that might include identifying the providers that could impact the organization’s risk domains, while providers could take stock of proactive ways to meet customer information needs. Developing an integrated risk and controls framework is another step. In general, the framework could help customers match the level of risk to the information being requested and monitor a vendor’s effectiveness at receiving, responding to, and delivering on information requests, Mr. Kinsella explained. Providers could use the framework to organize what information to provide, when and how to supply it, and their effectiveness in customer support.

While third-party management likely will mature over time, the current process at many companies continues to be a hands-on operation carried out by the workforce, although it is increasingly becoming a priority of leadership. “Senior executives recognize that the compliance function is no longer just about compliance, but rather is a critical part of the sales chain,” said Mr. Klein.

*“Overcoming threats and uncertainty: Extended enterprise risk management global survey 2017,” Deloitte Risk and Financial Advisory, Deloitte & Touche LLP. Copyright © 2017 Deloitte Development LLC.
Enterprise risk management

A strategic risk approach to disaster recovery: Beyond traditional planning

—by Chris Ruggeri, principal; and Kathryn Schwerdtfeger, partner, Deloitte Risk and Financial Advisory, Deloitte & Touche LLP

This story originally appeared in the Deloitte module of the Risk & Compliance Journal from The Wall Street Journal on November 13, 2017.

The recent intensity of the hurricane season has put a new emphasis on how organizations deliver on their crisis response planning and execution, according to Chris Ruggeri, a principal in Deloitte Transactions and Business Analytics LLP and national managing principal who oversees Strategic & Reputation Risk Management for Deloitte Risk and Financial Advisory; and Kathie Schwerdtfeger, a partner and the leader of the National Grants Management and Recovery practice in Deloitte Risk and Financial Advisory’s Strategic Risk practice at Deloitte & Touche LLP. Effective response requires timely information gathering and planning related to all employees and critical assets, as well as skills in interacting with other stakeholders, including business partners, customers, regulators and shareholders during the recovery period.

Q: How does preparing for and responding to a natural disaster differ from other crises that organizations and boards face?

Kathie Schwerdtfeger: Preparation for and response to natural disasters differ from other crises in two distinct ways: early warning and connection to impact. From a preparation standpoint, organizations are able to rely on established warning or early identification systems such as weather forecasts, climate patterns, and geological indicators that suggest a natural disaster is imminent. As a result, organizations have the advantage of notice to better prepare or at least evacuate critical assets prior to the arrival of the event. Other types of crises typically do not have such established or reliable systems and are largely dependent on the real-time actions of their people. From a response perspective, natural disasters pose peculiar challenges. Because natural disasters are not “targetable” or controllable events, their impact is not exclusive to a single organization. This factor magnifies the impact and number of affected parties, such as extensive loss of life, power, electronic connectivity, etc. Their physical manifestation also creates a psychological and emotional connection with stakeholders that is very human and personal. As such, the response effort has to carefully address the human side and apply more emotional than logical approaches.

Chris Ruggeri: If you consider the life cycle of risk, organizations are going to face several types of crises throughout their history. In the case of a public company, where sustaining market capitalization is critical, management and boards should be undertaking not only crisis planning, but also planning for what could put their core strategic assets at risk. These are the assets that are central to an organization’s future growth, and that very much includes the operational workforce. Under strategic risk planning, organizations actively anticipate and manage response to, and recovery from, various types of events to protect assets and be resilient. It’s focused on recovering quickly and adeptly because an organization’s resilience is tied to how well it anticipates disruptions in its supply chain and the impact on customers, and whether back-up plans based on the various contingencies are in place. If an organization waits until after an event to figure out how to respond, it risks losing employees, customers, days of operations, and possibly the market share that made it competitive in the first place.

Q: Disasters highlight the thirst for information that different stakeholders have. What can organizations do to manage their needs effectively?

Kathie Schwerdtfeger: When a crisis hits, the worst thing is an absence of information. It’s critical that organizations inform their employees, as well as the people and communities they serve, as quickly and fully as possible. Clients, suppliers, and business partners should be told early on how the organization that is experiencing the disruption is going to help each of them to minimize their own damages and help get them back up and running. Demonstrating care and concern for other organizations in a time of tremendous need can be an important way of building trust and lasting connections.
Chris Ruggeri: What Kathie said about the absence of information applies to customers, business partners and shareholders as well. Under normal circumstances, it’s essential that management creates confidence in the minds of partners, customers, and especially investors that they’re going to deliver on their strategic objectives—and, equally important, have plans in place to deliver those objectives when a major disruption happens. When a disruption occurs, it’s critical that leadership proactively manages the situation on an ongoing basis and demonstrates that they’re on top of it. To the extent possible, leadership should also provide guidance on what they expect the event’s overall impact on operations to be when temporary or longer-term disruptions occur, and when they expect operations to get back to normal. From investors’ perspectives, when management communicates and executes at this level, it can provide confidence that, first of all, management knows what it’s doing, and that information is available so they can populate their models and determine what the impact might be.

Q: What is the role of the board during a natural disaster, and what are issues to consider that may not be needed in calmer times?

Chris Ruggeri: Ideally, the role of the board has already been well established well ahead of the crisis. Advance crisis planning is no longer a “nice to have” but rather a must have in today’s fast-paced market environment. Failure to demonstrate command over the situation is typically met with a loss of confidence by customers, suppliers, regulators, investors, and other key stakeholders and can result in permanent brand damage. The board should be well-acquainted with the company’s crisis plan and key roles and responsibilities. Some companies have tasked specific board committees with oversight over crisis planning and response. Whether that is the case or not, the board should get regular updates and exercise appropriate oversight. In times of natural disasters, when conditions are extreme and unpredictable, the board should be available to provide input to management and assess progress against recovery plans. The board can add value by challenging whether the crisis plan needs to be adjusted in real time as events unfold, while being mindful of doing so in a way that is constructive and not disruptive in an already tense environment.

Kathie Schwerdtfeger: It’s also important that boards and management have a common vernacular to describe both a routine operational mishap and a catastrophic event. They need to consider what it could mean to have these types of events impact the business and what it would look like when they’re in the middle of one. That’s where education and simulations can help, and why board members as well as senior management should be involved in training and exercises. The organizations that not only survive, but thrive, after a natural disaster are the ones where the board and management are in sync and operate from a common playing field with respect to how they will execute on a plan and what they expect to see at the end of the process.

Q: Who in the organization should oversee natural disaster planning and recovery?

Kathie Schwerdtfeger: Typically, the chief risk officer (CRO) is responsible for enterprise-wide risk management, including planning for catastrophic events such as natural disasters. The role may also be played by a chief security officer (CSO) or chief legal officer (CLO), depending on the organization’s structure. Planning should include a strategy for identifying from across the business the key stakeholders who are expected to respond during a catastrophic event. Executing the plan and recovery would typically involve operational leaders to act tactically and at the frontlines to prevent further escalation. For example, the IT function will be needed to help ensure that core systems are up and running. The finance office and the commercial entity also will be critical to the process, as will the insurance teams that will focus on accessing policies and determining coverage.

Q: What should organizations consider in terms of reputational risk during and after a natural disaster?

Chris Ruggeri: They need to consider that their every move is being watched by the stakeholders they need to communicate and work with during the disaster recovery phase. Again, that is why the right planning is critical. If the board and management are caught unaware about what the extent of the damage caused by the disaster is or how to get things back up and running, the chances of a negative outcome will be great. If the senior executive team is not engaged, and if no one is talking knowledgeably to the community, the media and the investment community, that’s a risky position to be in. So it’s essential to have the necessary skilled people in place as a disaster response team, and to recognize the job requires the organization to anticipate beyond what’s easily known or anticipated no matter the extent of the crisis. From a reputational standpoint, people are going to look closely at what is said and done during the disaster recovery period, the tone of the response, how quickly it’s made, and how issues are being resolved. There is a social responsibility issue to be considered as well, since deep down any organization is part of a community and is expected to take responsibility for negative events stemming from natural disasters when they happen. Getting in front of potential disaster events with planning that is broad and deep is likely the best defense any organization can have to protect the business and its reputation.
Enterprise risk management

The networked economy: Strengthening organizations across the extended enterprise

—by Brent Nickerson, partner; and Kevin Lane, principal, Deloitte Risk and Financial Advisory, Deloitte & Touche LLP

This story originally appeared in the Deloitte module of the Risk & Compliance Journal from The Wall Street Journal on October 26, 2017.

The networked economy often is described as the natural outcome of what happens when all the actors inside a business ecosystem are interconnected. Through technology, these interconnections enable customers to drive choices, select preferences and make their predispositions known. This interconnectedness fundamentally takes some of the power away from producers of goods and services to drive value and puts it in the hands of consumers in the extended enterprise.

According to Brent Nickerson, a Deloitte Risk and Financial Advisory partner at Deloitte & Touche LLP, the networked economy also transforms the “enterprise” as industries have defined it for years. Historically, this term encompassed the people, processes, technology and systems within a company. But as Nickerson describes it, a networked economy broadens the scope of everything, necessitating a new way of thinking. “Really, now it’s all about the extended enterprise—the exterprise,” he says. “All the connections that a company has with third parties, all the distribution channels—everywhere a company does business is a part.”

Trends to Follow

These exterprises—and a networked economy itself, for that matter—don’t happen in a vacuum. They need to capitalize on a number of trends to work, which can include:

1. Collaborating on business models. One of the biggest trends to drive the networked economy is collaborative business models, or models that enable different types of businesses to work together to drive sales. The Internet of Things (IoT), the ultimate extended enterprise, is a good enabler of this type of collaboration. If, for instance, a consumer has a smart washing machine, the customer can instruct it to order more detergent pods online whenever the supply runs low. In this case, collaboration breeds convenience, which typically leads to happy customers.
2. Being radically transparent. Another important trend driving the networked economy: the widespread movement to radical transparency. Kevin Lane, a Deloitte Risk and Financial Advisory principal at Deloitte & Touche LLP, says that when companies begin to interlink networks, it’s important that all parties be transparent about how they do business throughout their own respective extranets, so as not to alienate any potential customers. Lane adds that companies must ask themselves what kinds of networks they want to associate with and what sorts of belief systems they’re willing to tolerate from partners they collaborate with. “Everything out there can be seen, and the consumer sees it all and makes his or her own judgments,” says Mr. Lane, who also serves as the retail industry leader for Deloitte’s Enterprise Compliance Services practice. “No one ever fully gets his or her way, but the idea is that the networks, somewhat organically through the interconnection, develop their own consensus point and middle-ground answer.”

3. Getting a handle on an organization’s risks. Companies that wish to create exterprises must also have a handle on their risks. And they must perform regular risk assessments to quantify how vulnerable their networked economy is to threats. On the most basic level, risk assessment is about physical security—locking down facilities so that only authorized employees come and go. But the broader day-to-day realities of risk assessment go hand-in-hand with a push for more transparency. As companies learn more about the other companies in their exterprise, previously undisclosed risks emerge, creating an opportunity for remediation, or at least a backup plan. In evaluating this risk, companies must think not only of themselves but also their customers. Something could be both legal and ethical, but it may still not align to the preferences of the consumers involved.

Leveraging Connections for the Networked Economy Approach

As the first wave of companies begins to embrace the networked economy approach, opportunities abound to leverage the ensuing connections into smart business decisions for the extended enterprise. Following are steps organizations can take to create value.

1. Extend and amplify connections. For starters, companies must extend and amplify connections through consortia and other industry groups. Some of these groups are more marketing-oriented in nature and enable participants to network with each other and share leading practices. Others are functional—participants meet to collaborate on devising standards, rules and other forms of self-regulation.

2. Innovate to capture new revenue streams. Looking forward, companies must also figure out how to capture new revenue streams. Subject matter experts say this likely will be driven almost entirely by the networked economy and the exterprise—by third parties that spark new products, new development and innovation. A number of contract manufacturers around the world have already set up product innovation centers where they offer the design, engineering, prototyping and manufacturing necessary to build out new products. In addition to changing the product catalog, these centers have sparked a sea change in strategy. Now more than ever, innovation is coming from the edges of a corporate network and working its way in.

The exterprise also has indirectly expanded distribution channels, since companies are now connected to so many other companies. Ultimately, the one-two punch of more innovation and more places to sell new products enables companies to penetrate deeper into their existing consumer bases and, at the same time, acquire new consumers. In the context of a networked economy, both scenarios can lead to additional revenue—yet another way risk, when managed well, can create value in the business world of today.
Enterprise risk management

Strategic resiliency: Striking a balance between protecting and creating value

—by Chris Ruggeri, principal; Andrew Blau, managing director; Maureen Bujno, managing director; and Yeolin Jung, manager, Deloitte Risk and Financial Advisory, Deloitte & Touche LLP

This story originally appeared in the Deloitte module of the Risk & Compliance Journal from The Wall Street Journal on August 25, 2017.

For many organizations, risk management tends to have a more operational than strategic focus. And risks tend to be addressed only after they occur. By focusing solely on mitigating risks and preventing the recurrence of a risk, organizations face a slow-down in the decision-making process. In contrast, organizations that align strategy and risk are likely to be able to exercise “strategic resiliency,” which is the ability to anticipate, know and act on risks when introducing or executing new strategies to increase the chances of success—in spite of uncertainty.

Strategic resiliency is rooted in a framework designed to strike the right balance between value creation and value protection. Applying a risk lens to strategy helps organizations understand which risks provide opportunities for long-term value creation and which to protect against. To optimize value on a risk-weighted basis, organizations should first make sure they have a strong enterprise risk management program as the foundation upon which to build. That includes, for example, having a risk governance and reporting cadence, and standardizing and deploying enterprisewide risk management processes with regard to operational, strategic, financial and compliance risks, as well as developing risk responses and mitigation plans.

Identifying Strategic Risks

Uncovering potentially disruptive or innovative strategic risks with little or no historic precedent generally requires a different approach than traditional risk discovery methodology and processes.
Organizations should also take the time to focus on “what’s next” with scenario planning, which can provide strategic options and flexibility should the industry, market or organization face unexpected change. Scenario planning may also consider the organization’s value in the face of potential disruption or other changes, and how the organization will sustain its competitive advantage and continued resilience. Creating strategic resiliency also requires risk valuation modeling for each scenario, where the underlying circumstances can be assessed for various levels of uncertainty and risk, to yield a range of outcomes and the likelihood of each outcome. Organizations can compare outcomes for each risk-adjusted alternative and select the alternative that provides the optimal risk/reward profile.

True strategic resiliency requires a clear understanding of risk tolerance. The organization outlines which strategic objectives justify taking risks and, when putting those objectives into action, keeps within agreed-upon risk limits.

For any organization, there are still chances that unexpected events will occur. Organizations should consider formalizing a crisis response program and framework and be prepared to respond effectively. Having a rigorous, coordinated response to incidents can limit lost time, money and customers, as well as minimize damage to brand and reputation and the costs of recovery. Crisis response programs should also include steps to normalize operations, which may mean a change in strategy.

Organizations should tap into the insights of boards. As a diverse group of highly experienced individuals, these seasoned leaders can provide an “outside-in” view, offer broader perspectives and be essential partners in achieving strategic resiliency with management.

How to Get Started

Following are several questions an organization’s management and board may want to consider to start on a path toward strategic resiliency.

• Have strategic risks been identified by management and has the board provided input?
• What mechanisms does management have in place for risk sensing and monitoring risks that could result in a shift of strategy?
• Is the strategy flexible enough to allow for a shift?
• Does the strategy identify the organization’s vulnerabilities?
• Is the board confident that management has the right information to make high-stakes decisions?
• Does the board have the right composition to effectively advise on the strategy?
• Who is ready to lead if strategic risks aren’t managed?
• Is the organization prepared for a crisis?
• Has the board engaged with management in a deep-dive, brainstorming session on strategy?
• Does the board have ongoing conversations with management about the strategy? Are strategy discussions frequently built into board agenda topics throughout the year?

With the business environment rapidly changing, organizations that continually innovate, stay ahead of the risk of disruption and take advantage of strategic risks—as well as the opportunities they can signal—have the potential to lead the way.
Brand and reputation risk

• Building reputation resilience
• Strong reputations help companies withstand crises
• Assessing brand health risk
• Taking the pulse of brand health risk
• Managing reputation risk
• Tackling the CX measurement challenge
• Three steps for executing brand promise
• Delivering on the brand promise
Brand and reputation risk

Building reputation resilience

—by Mike Fay, principal, Deloitte & Touche LLP; Keri Calagna, principal, Deloitte & Touche LLP; Antonio Crombie, manager, Deloitte & Touche LLP; and Jennifer Turner, manager, Deloitte & Touche LLP

This story originally appeared in the Deloitte module of the Risk & Compliance Journal from The Wall Street Journal on June 12, 2018.

A brand’s reputation is among its most important—and most vulnerable—assets today, but cultivating reputational resilience with a cohesive and technology-enhanced strategy can enable companies to both prepare for crises and create enduring value.

Reputation and brand are two sides of the same coin. A company’s brand—which is focused on the products and services a company promises to its customers—is aspirational. It’s how the organization hopes it will be perceived. A company’s reputation—the thoughts and feelings about it held by its broad set of stakeholders—is how the company is actually perceived.

While many organizations are good at building their brands, many fail to apply the same level of discipline to managing their reputations. A number of factors can contribute to this. Managing reputational risk often doesn’t fit neatly into a single function, creating unclear ownership and accountability. There may be insufficient understanding of the sources of reputational risk, how to manage those risks, or what the full impact of a reputational crisis could be. In addition, there may be cultural resistance to the changes in behaviors required to manage reputation risk more effectively.

Yet, corporate reputation has never been more important—or more fragile. It’s one of the most important assets in almost any organization, typically playing a critical role in creating value and driving the business forward.
In today’s 24/7 media cycle, customers and other stakeholders are increasingly connected and well informed—and a reputation that’s taken decades to build can be torn apart in seconds. Reputation-linked losses at public companies have increased by 301 percent over the past five years, according to a study by Steel City Re.¹ Last year was a record one for business crises, according to the Institute for Crisis Management 2018 Annual Crisis Report, with the number of incidents increasing 25 percent over the previous year.² It’s likely no surprise, then, that in a recent global survey by Aon Risk Solutions, executives rank brand and reputation damage as the number one enterprise risk.³ Nearly three quarters (73 percent) of board members responding to a recent Deloitte survey say reputational risk is the area in which they feel the most vulnerable, but only 39 percent say they have a plan to address a reputation crisis.⁴

The potential consequences of not having such a plan when things go sideways can be significant, including loss of customers and revenue, damage to investor confidence, significant recovery costs, and boardroom and C-suite casualties. There are likely opportunities for organizations to more proactively manage reputation to stay ahead in this competitive and dynamic marketplace—in their day-to-day activities as well as in times of trouble. Those that create a systematic, company-wide approach to reputation management and adopt new risk-sensing tools and capabilities may not only increase their reputational resilience, but also harness their reputations to drive their corporate strategies forward.

A Cohesive Approach

Companies with well-defined, effective reputation management practices are often able to build their reputation resilience and shape business outcomes in good times and bad. Those that manage reputation well likely understand their business ecosystems and build trusted relationships with the stakeholders that matter most. The trust and value of these relationships can serve as money in the bank that can be drawn upon in times of crisis or brand shocks. That goodwill can enable leaders to navigate these situations with confidence because they have built the resilience necessary to not just emerge—but to emerge stronger—from potential setbacks.

A key is to not just protect the reputation, but also to deploy strategies to enhance it. Often the most successful companies take a proactive approach to managing, nurturing, and monitoring their reputations. Many approach it not just as a byproduct of other risks, but as a critical asset that can fuel the business.
A programmatic, enterprise-wide approach to reputation management commonly includes four key elements:

• Strategy: A clear and consistently applied vision for reputation management, aligned to business objectives, can help to amplify brand and reputation and differentiate the organization in the marketplace.
• Advocacy: Engaging and empowering internal and external stakeholders in purposeful ways can enable these diverse groups to champion the brand and protect the organization’s reputation.
• Resilience: Sensing, assessing, and managing risks and proactively planning to protect reputation from crises can enable an organization to respond to and recover from reputational jolts more effectively.
• Governance: A cohesive program can help ensure that the above components work together in concert and includes means for measurement, monitoring, and continuous improvement.
When done well, this approach can connect capabilities and resources throughout the organization to effectively manage internal and external threats to reputation. It’s not about creating a new function or additional work, but about connecting reputation management to the things a company may already be doing in the area of risk management and business resilience.

The Return on Risk Sensing

Successful reputation management often involves sensing, assessing, mitigating, managing, and responding to threats. Those companies that build such capabilities into their risk governance structures can identify potential risks and opportunities early, evaluate their impact, and make better decisions about how to act on them.

At one time, risk sensing and response was largely a matter of hiring a public relations firm to advise on what was happening to the company from an outside perspective. However, the state of the art has advanced. With today’s technology, reputation risk sensing can be done in a more cost-effective—and near-real-time—manner. Many leading risk management programs incorporate 24/7 monitoring of traditional and social media sources, along with other internal and third-party data sources. Top-notch teams of analysts, enabled by analytics and risk intelligence tools, scan the environment for trends, high-impact events, and other changes in the ecosystem. They continuously monitor those topics across a variety of data sources and generate regular reports that can enable their company to act on risk factors before it’s too late. This can be helpful in deciding how best to navigate reputational threats and manage communications and relationships with important stakeholders.

Such risk-sensing capabilities can be applied across the enterprise, including talent in the workplace, high-impact events, financial risk, digital assets, socio-economic and geopolitical risk, and competitive trends.
It can help organizations accelerate the discovery of reputational risks and, in the best cases, preempt them. Just as powerfully, it can inform strategic choices and drive the corporate agenda forward. In fact, there can be a huge opportunity in considering reputation in the full business context and linking it to strategy and planning. In so doing, reputation becomes more than just a risk to manage, but a critical asset that can be leveraged to help enable the organization’s overall success.

1. Dr. Nir Kossovsky and Peter J. Gerken, CPCU, Steel City Re, “The Looming Reputation Risk Explosion: Massive Financial Impact Possible in 2018 from Corporate Reputational Crises,” December 2017.
2. Institute for Crisis Management (ICM), Annual Crisis Report, April 2018.
3. Aon, Global Risk Management Survey, 2017.
4. Peter Dent, Deloitte global crisis management leader, “A crisis of confidence.”
Brand and reputation risk

Strong reputations help companies withstand crises

—by Keri Calagna, principal, Deloitte Risk and Financial Advisory, Deloitte & Touche LLP

This story originally appeared in the Deloitte module of the Risk & Compliance Journal from The Wall Street Journal on January 16, 2018.

Prioritizing reputational resilience can help organizations prepare for the worst while laying the groundwork for creating long-term value in brand equity, strategic positioning, and future growth.

The increased prevalence of crisis events, such as product recalls, cyber breaches, and executive misconduct, has had a significant impact on many organizations’ reputations. At the same time, the value of reputation has increased considerably. According to the 2016 US Reputation Dividend Report, “corporate reputations accounted for $3.98 billion of market capitalization across the S&P in March of 2016,” which was “20.7 percent of all shareholder value and 2.5 percentage points more than a year before.”

It’s no surprise, then, that reputation risk has jumped to the top of executives’ priority lists. Nonetheless, many organizations still find managing this risk problematic. In a recent Deloitte study, “A crisis of confidence,” 73 percent of board members identified reputation risk as the area about which they felt most vulnerable, but only 39 percent had a plan to address it.

The good news: There are many ways organizations can manage their reputations to protect, preserve, and enhance enterprise value. It’s not only about preparing for a crisis; it’s also about creating value by purposefully managing reputation. By implementing a proactive approach to reputation management, an organization can sense threats, seize opportunities, and shape behaviors to achieve desired outcomes. The following key steps can help companies start thinking about and building reputational resilience:

Set a clear strategy.
A successful reputation strategy includes the development of a well-defined master narrative that is consistently used to help an organization amplify its brand, differentiate itself in the marketplace, and achieve business goals.

Cultivate advocacy.

Advocacy is about empowering stakeholders, both internal and external, to actively champion and protect the organization’s reputation, especially during times of crisis or brand shocks. Organizations can provide leaders and employees with:

• A compelling brand narrative
• Tools and processes to identify, report, and respond to brand risks
• Resources, training, and incentives to build resiliency and enable them to act as brand ambassadors.

The organizations that cultivate advocacy well focus relentlessly on strengthening relationships—via targeted campaigns and meaningful engagement strategies—to transform external stakeholders into advocates. Purposeful stakeholder engagement helps both parties achieve what they need and expect out of a relationship.

Build reputation resilience.

Resilience is about proactively taking steps to protect an organization’s reputation from a crisis. This includes developing capabilities to sense threats early, evaluating and assessing risk impact, and preparing for and responding to threats. Examples of building resilience include monitoring traditional and social media outlets 24/7 and embedding a risk-sensing team in the risk governance structure to help inform decision-making. These practices can be used to spot potential risks while also creating strategic value for an organization by monitoring and acting on industry trends.

Another important practice is the implementation of a crisis response program that continually adapts. Leading programs have a crisis playbook, conduct scenario planning and rehearsals, train response leaders, and establish mitigation strategies to elevate preparedness for reputational crises.

Provide strong governance.

These steps cannot truly work without strong governance to establish a cohesive platform and approach for managing reputation. An effective governance model includes measurement, monitoring, and aspects of continual improvement. It is not necessarily about creating a new function or new jobs, but rather about connecting existing capabilities to a consistent and unified model that helps protect, preserve, and enhance an organization’s brand and reputation.
Questions for Leaders to Consider

The following questions can help leaders begin to understand their organizations’ reputation risks, as well as opportunities for value enhancement:

• Which brand strategy will drive the greatest value for the organization?
• Is management doing enough to engage key stakeholders?
• Do leaders and employees understand brand and reputation risk?
• Is the organization prepared to handle a reputational crisis?
• Do employees understand their roles in building and protecting brand and reputation?
• What can the organization do to better protect, preserve, and enhance its brand and reputation?

Reputation is the foundation on which an organization is built. It is the basis for customer loyalty. It’s the culmination of every aspect of the organization—from product quality to employee behavior and everything in between. Effectively promoting, protecting, and preserving an organization requires leaders to prioritize reputation as a key strategy and manage it programmatically. By taking a forward-thinking approach, companies can use reputation not only as a defense against crisis but also as an asset to fuel their businesses.
Brand and reputation risk

Assessing brand health risk

—by Tony DeVincentis, partner; Rob Rush, managing director; and Zach Conen, senior manager, Deloitte Risk and Financial Advisory, Deloitte & Touche LLP

This story originally appeared in the Deloitte module of the Risk & Compliance Journal from The Wall Street Journal on January 11, 2018.

To gauge the strength of their brands, organizations increasingly are looking at the business operations behind the customer experience.

Branding is no longer limited to what consumers experience when they encounter a company’s advertising, marketing, communications, or customer service representatives. As revenue models and customer expectations continue to evolve rapidly, every aspect of a business can affect the brand—from logistics and inventory management to the in-store experience. As a result, organizations increasingly are considering the connection between their brands and their underlying business operations, with a focus on how performance can affect brand health.

“With stronger links to operational performance, brand health has become—in many cases—a component of an organization’s risk profile,” says Tony DeVincentis, a Deloitte Risk and Financial Advisory partner, Deloitte & Touche LLP. “As a result, brand health is of interest not just to CMOs but also to chief risk officers and the rest of the C-suite.”

Brand health can be defined as a measure of how well a company or brand delivers on certain attributes of a product or service that it promises its customers, especially how those attributes are perceived by customers in terms of quality and delight.
“A healthy brand delivers consistent, memorable, and differentiated experiences for the customer, while less satisfactory brand health is often associated with customer experiences that are inconsistent and delivered with little emotional connection to the customer,” says Rob Rush, a Deloitte Risk and Financial Advisory managing director, Deloitte & Touche LLP. “The closer a customer experience is to the brand promise, the healthier the brand.”

Brand Health Risks

Across many industries—from health care and hospitality to retail—today’s consumers have a growing number of choices and, as a result, higher expectations for brand experiences. Many organizations, meanwhile, are still adjusting to the more basic challenges of a digital world, such as managing negative buzz on social media or providing a consistent omnichannel brand experience.
Employees can also present a brand health challenge. “Not all employees may get on board with the vision a company has for its consumer experience,” Rush says. “That can create a misalignment with the company’s brand and damage brand health.”

Most leading hospitality organizations, for example, invest a significant amount of time in identifying, hiring, training, and nurturing their employees so they can deliver a specific customer experience. “Hiring the right employees takes significantly more time, effort, and capital,” Rush says. “Ultimately, however, it makes a difference. Turnover rates often are lower for those employees, and when they interact with customers, managers can sleep better knowing they have an effective brand ambassador.”

A Plan for Brand Health

To improve brand health, organizations can begin by defining the optimal customer experience, based on feedback from customer research and focus groups as well as input from management and branding agencies. The next step is to develop a playbook that organizes and codifies brand service standards for customer-facing associates. The playbook defines the unique brand experience the company seeks to deliver and explains how employees can create that experience. For example, the playbook might detail how to maintain a store’s appearance, and what infrastructure and processes support the desired behavior.

To make the playbook more effective, organizations can identify metrics to benchmark and measure customer interactions against the desired experience. “Standard metrics could include, for example, customer and franchisee satisfaction ratings, economic performance, and employee turnover,” says Zach Conen, a Deloitte Risk and Financial Advisory senior manager, Deloitte & Touche LLP.
Some organizations may also want to define customized metrics that give an overall indication of brand health, such as how effectively customer relationships are renewed, which typically is a function of customer loyalty, he says.

After determining relevant metrics and measuring against them, companies can begin to identify gaps and develop a strategy to address any shortcomings. Addressing gaps might require, for example, more effective training, additional capital for facility updates and staff rewards, or improved operational oversight.

Weighing Tradeoffs

It’s important for organizations to understand their level of tolerance for brand health tradeoffs. For example, when is it appropriate to preserve or improve brand health at the expense of revenue generation?

The franchise industry offers a relevant example: Consider an acquisition in which a leading brand acquires a chain with a lower level of brand health. To improve customer experiences, the acquirer imposes its training and operational rigor on the target company as well as its compliance expectations for brand standards. Licensees unwilling to adhere to the new operating model, or to take on the associated costs, exit the franchise relationship.
The decision to let licensees leave the franchise generally impacts franchise fee revenue, but this self-selection process often strengthens the acquirer’s brand by weeding out underperforming franchisees, Rush says. “However, not every management team and board are willing to walk away from underperforming licensees and revenue to bolster their brand,” he notes.

Although that’s just one example, many organizations may find themselves making such tradeoff decisions as they seek to strengthen brand health. “Every interaction with a customer is a moment of truth that either strengthens or weakens the customer’s perception of an organization’s brand,” DeVincentis says. “Identifying and measuring these moments can help build sustained customer loyalty and manage the risks to brand health for long-term competitive advantage.”
Brand and reputation risk

Taking the pulse of brand health risk

—by Tony DeVincentis, partner; Rob Rush, managing director; and Zach Conen, senior manager, Deloitte Risk and Financial Advisory, Deloitte & Touche LLP

This story originally appeared in the Deloitte module of the Risk & Compliance Journal from The Wall Street Journal on December 12, 2017.

The traditional view of brand is that it is strengthened or harmed by what consumers experience through advertising, marketing, communications, and interactions with representatives of the brand. More recently, however, organizations are considering the connection between brand and their underlying business operations, with a focus on how effective performance can impact brand health.

“With stronger links to operational performance, brand health has become — in many cases — a component of an organization’s risk profile,” says Tony DeVincentis, a Deloitte Risk and Financial Advisory partner, Deloitte & Touche LLP. “As a result, brand health has risen to the level of the C-suite.”

Brand health can be defined as a measure of how well a company or brand delivers on certain attributes of a product or service that it promises to its customers, especially how those attributes are perceived by the customer in terms of quality and delight.

“A healthy brand delivers consistent, memorable, and differentiated experiences for the customer, while less satisfactory brand health is often associated with customer experiences that are inconsistent and delivered with little emotional connection to the customer,” says Rob Rush, a Deloitte Risk and Financial Advisory managing director, Deloitte & Touche LLP. “In short, the closer a customer experience is to the brand promise, the healthier the brand,” he adds.
Brand Health Risks

Fundamental changes in sectors from health care and hospitality to retail and government are giving consumers more choices, and requiring organizations to deliver exceptional experiences to capture and retain customers and maintain brand health. At the same time, organizations are challenged by new, disruptive forces that were not a significant factor as recently as five years ago. These forces include negative word-of-mouth comments on social media, efforts to provide a consistent brand experience in an omnichannel world, and significant variation in survey scores among locations, which usually indicates an issue with the operator rather than with an underlying process or infrastructure.
Another brand health challenge organizations face is not having the right players on the field. That can happen when rigor in identifying and recruiting the “right” employees is missing and the organization instead is just hiring to fill open positions. “Oftentimes in service industries, delivering the intended experience is not something that just any employee can deliver, and not all employees may get on board with the vision a company has for its consumer experience. That can create a misalignment with the company’s brand and damage brand health,” observes Rush.

Most leading hospitality organizations, for example, invest a significant amount of time into identifying, hiring, training, and nurturing their employees who in turn deliver a specific customer experience. “It probably takes 10 times as much time, effort and capital in terms of the recruitment, identification, and interview processes to hire the ‘right’ employee than it does just to hire anyone,” says Rush. “But, ultimately it makes a difference because the more touches that employee has with the customer the better, turnover rates often are lower, and when those employees interact with customers, management sleeps better knowing they have an effective brand ambassador.”

Developing a Playbook for Brand Health

Improving brand health typically begins with the organization’s view of the optimal customer experience informed by management’s expertise, customer research, focus groups, branding agencies, and other inputs. The next step is developing a playbook that organizes and codifies brand service standards for customer-facing associates. The playbook defines the one, unique brand experience that should be delivered to customers and how employees should behave to promote the experience. For example, the playbook might focus on when to open a store and how to maintain it, as well as what infrastructure and processes need to be in place to support the desired behavior.
For a playbook to be effective, organizations should develop metrics to benchmark and measure customer interactions to understand how close they come to the optimal experience, and then identify gaps and a strategy to address any shortcomings. Addressing gaps could include more effective training, additional capital for facility updates and staff rewards, or improved operational oversight. Organizations may find that measuring brand health prompts adjustments to the playbook, which could require going through the assessment cycle between regularly scheduled evaluations.

“To understand if the playbook is effective, organizations can look at standard metrics, such as customer and franchisee satisfaction ratings, economic performance, and employee turnover,” says Zach Conen, a Deloitte Risk and Financial Advisory senior manager, Deloitte & Touche LLP. Some organizations may want to define customized metrics that give an overall indication of brand health, such as how effectively customer relationships are renewed, which typically is a function of customer loyalty. “If a loyalty metric is used as a proxy for brand health, then the aim is to design the metric so it is based on what goes into a consumer’s decision-making process to renew the relationship on an ongoing basis,” says Conen.

In the sports industry, for example, research indicates that a season ticket renewal is driven less by team performance and more by the relationship the ticket holder has with their personal ticket sales representative. That insight led more teams to invest in that interpersonal relationship and to create metrics to gauge how effectively their service staff was engaging their portfolio of ticket holders.

Pitfalls and Tradeoffs

An effective brand health playbook generally includes a social media monitoring component. However, avoiding pitfalls inherent in the monitoring process is just as important. DeVincentis notes that social media feedback tends to be skewed, reflecting the opinions of outliers rather than a typical customer experience. Feedback usually is posted by consumers who are either fully engaged or disengaged from a business because of positive or negative experiences, respectively. “Often, the feedback is situational, and not representative of whether the average customer experience is consistent and on-brand. That’s why it is important for organizations to capture and measure average experiences rather than outlier experiences,” notes DeVincentis.

He emphasizes that what drives customer experiences on a regular basis “are the operational processes that occur every day, a thousand times a day,” and explains that “taking steps to ensure that customers receive an on-brand experience consistently across all geographies can require added capital and resources. The effort may strengthen brand health and provide an effective defense against negative, situational social media comments,” adds DeVincentis.

Also important is understanding the organization’s tolerance for brand health tradeoffs. For example, when is it appropriate to preserve or improve brand health at the expense of revenue generation?
The franchise industry offers a relevant example. Consider an acquisition in which a leading brand acquires a chain with a lower level of brand health. To improve customer experiences, the acquirer imposes its training and operational rigor on the target company, as well as its compliance expectations for brand standards. Licensees unwilling to adhere to the new operating model, or to take on the associated costs, exit the franchise relationship. The decision to let licensees leave the franchise generally impacts franchise fee revenue, but ultimately this self-selection process often strengthens the acquirer’s brand by weeding out underperforming franchisees, says Rush. “But not every management team and board is willing to walk away from under-performing licensees and revenue to bolster their brand,” he notes.

Effective brand health strategies consider both the way a brand touches customers and the way a brand operates behind the scenes to deliver on its promise. Further, the strategic nature of decisions about brand health, including those involving operational models, reputation, and revenue, has turned it into a C-suite issue, weighed along with other factors when assessing an organization’s long-term viability. “There even seems to be a willingness today