The risk executive agenda
A compendium
of Deloitte insights
Articles published as sponsored content in
the Risk & Compliance Journal from The Wall Street
Journal from August 2017 to August 2018
Enterprise risk management Brand and reputation risk Crisis management
About Deloitte Risk
Intelligence services
Enterprise risk management
Broadening the lens of EERM to focus on value creation
Managing the digital risks of new business models
How ERM can support strategy and performance
Transparency: Key to managing information exchange risks in outsourcing
A strategic risk approach to disaster recovery: Beyond traditional planning
The networked economy: Strengthening organizations across the extended enterprise
Strategic resiliency: Striking a balance between protecting and creating value
Inadequate visibility into third parties raises risks: Global survey
Enterprise risk management
Inadequate visibility into third parties raises risks: Global survey
Organizations are placing a renewed focus on enhancing extended
enterprise risk management (EERM) amid increasing dependence on
third parties. Yet progress toward EERM maturity has been slower
than expected, according to Deloitte Global’s third annual EERM
survey, “Focusing on the climb ahead.”
Dependence on third parties continues to grow, with 53 percent of
the more than 900 respondents reporting “some” or “significant”
increase in their level of dependence on third parties. Another
57 percent of respondents feel their organizations do not have
adequate knowledge and an appropriate level of visibility over
fourth or fifth parties (third-party outsourced relationships) in their
extended enterprise. Similarly, 53 percent of respondents from the
U.S. feel the same way about not having adequate knowledge or an
appropriate level of visibility.
The survey responses reflect the views of 975 senior leaders from a
variety of organizations in 15 countries across the Americas, Europe,
Middle East, and Africa (EMEA), and Asia Pacific.
“The survey findings reveal that organizations are taking an earlier,
more strategic view of third-party risk drivers to create value and
identify new opportunities,” observes Chuck Saia, CEO of Deloitte
Risk and Financial Advisory at Deloitte & Touche LLP. “Organizations
seem to have a more balanced outlook with regard to establishing
the business case for investment in EERM initiatives. For example,
they tend to focus on mitigating the downside threats of risk while
enabling calculated risk-taking aligned to strategic opportunities,
such as innovation and positive cost reduction,” says Saia.
Despite this awareness, and some associated improvements in third-
party governance and risk management, the survey also identified six
areas where many organizations may need to make further efforts:
inherent risk and maturity; business case and investment; centralized
control; technology platforms; sub-contractor risk; and organizational
imperatives and accountability.
—by Chuck Saia, partner; Kristian Park, partner; and Dan Kinsella, partner, Deloitte Risk and Financial Advisory,
Deloitte & Touche LLP
This story originally appeared in the Deloitte module of the Risk & Compliance Journal from The Wall Street Journal on June 25, 2018.
Journey to Maturity
Amid critical levels of third-party dependency, only 20 percent of
organizations have streamlined their EERM systems and processes,
and 53 percent of respondents now believe their journey to achieve
EERM maturity is two to three years or more.
“This is a significantly longer journey than anticipated in earlier
surveys, when respondents reported that this could be achieved in
six months to a year,” according to Kristian Park, the EMEA leader,
Extended Enterprise Risk Management at Deloitte Global Risk
Advisory. “This reflects a more realistic time-frame, and we’d expect
organizations to be closely aligning plans to address the expected
regulatory outlook over this period.”
In addition, board oversight and engagement with EERM programs
continue to be relatively low, according to the survey report. Globally,
38 percent of board members and 39 percent of risk domain owners
still have lower to insignificant levels of engagement on the EERM
agenda. Among U.S. respondents, the number is slightly better with
only 23.5 percent saying their organization’s board members have
lower to insignificant levels of engagement.
“Boards recognize that many third-party relationships have
traditionally been managed in siloes within business units in a
manner that is neither strategic nor consistent,” notes Dan Kinsella, a
partner with Deloitte Risk and Financial Advisory at Deloitte & Touche
LLP. “The good news is that boards are becoming more engaged and
applying oversight, which is creating a more centralized, ‘federated’
approach to EERM. This type of approach can reduce redundancies
and leverage technologies to help enterprises drive gains, open
new markets, and decrease the uncertainty that can exist with third
parties,” adds Kinsella.
Visibility and Dependency
While more than half of respondents say knowledge and appropriate
levels of visibility over third-party outsourced relationships is
adequate, only 2 percent indicate that they regularly identify and
monitor their subcontractors (fourth/fifth parties). Another 10
percent do so only for those subcontractors identified as critical. The
other 88 percent either rely on their third parties to regularly identify
and monitor subcontractors; have an unstructured/ad hoc approach;
do not identify or monitor subcontractors at all; or do not know their
organizational policy and practices in this regard.
The financial services industry underscores the contradiction with
71 percent of respondents from that sector reporting a heightened
perception of risks inherent in third parties. Yet the most notable
increases in the level of dependence on the extended enterprise
have taken place in the financial services industry segment, with 59
percent of respondents reporting some or significant increase during
the last year.
In addition to a focus on increasing maturity and subcontractor risk,
the report also explores other areas where most organizations could
benefit from further EERM efforts.
Organizational imperatives and accountability. Ownership
and accountability for EERM seems to be well established in the
C-suite, with 78 percent of organizations suggesting that the CEO,
CFO, CRO, chief procurement officer, or a member of the board is
ultimately accountable for this topic. The most significant concern
for respondents appears to be skills, bandwidth, and competence
of talent engaged in EERM-related activities (45 percent), followed
by the clarity of roles and responsibilities, and EERM processes (41
percent in both cases).
Centralized control. Many organizations are adopting central
oversight and management to accelerate risk awareness and
efficiency. Fifty-five percent of organizations are now equally or more
decentralized than centralized (down from 62 percent from the prior
survey). This reflects that organizations are starting to scale back on
decentralization in the overall organization.
Business case and investment. While the main catalysts for EERM
focus on mitigating risk and compliance, there is an increasing focus
on driving value. The business case for investment in EERM is now
being driven by other factors that exploit the upside of risk, such as
enhancing organizational responsiveness and flexibility, innovation,
brand confidence, and increasing revenues. Among U.S. respondents,
more than 46 percent considered investment in EERM a revenue-
generating opportunity. Globally, 21 percent considered investment
in EERM a revenue-generating opportunity.
Technology platforms. In keeping with the trend of increased
centralized oversight of EERM activities, technology decisions are
now being made more centrally and a standard tiered technology
architecture is emerging. Less than 10 percent of respondents are
currently using bespoke systems for EERM, a sharp drop from just
over 20 percent in the prior survey.
“The critical success factors for capturing the upside opportunity of
risk will be measured not only on how cost efficient or effective the
frameworks are designed or operated, but primarily on how well
risk is managed and mitigated,” says Saia. “Should organizations lose
this strategic insight and reduce their annual investments in EERM, it
is likely to be at the expense of reputation, regulatory scrutiny, and
ultimately consumer backlash,” he adds.
About the Survey
Deloitte Global’s 2018 EERM survey, “Focusing on the climb ahead,”
is based on 975 responses from a variety of organizations across
major industry segments and from 15 countries across the Americas,
Europe, Middle East, and Africa, and Asia Pacific. A record number of
participants this year reflects the ever-increasing profile of third-party
risk and the investment third-party risk management is receiving
within organizations.
Enterprise risk management
Broadening the lens of EERM to focus on value creation
—by Dan Kinsella, partner; Jonathan Rizzo, senior manager; and Carolyn Axisa, senior manager, Deloitte Risk and
Financial Advisory, Deloitte & Touche LLP
This story originally appeared in the Deloitte module of the Risk & Compliance Journal from The Wall Street Journal on May 29, 2017.
The extended enterprise — the hundreds and sometimes thousands
of third parties a business works with each day — has evolved into
more than a network of back-office service vendors.
While the main drivers for EERM center on mitigating risk and
compliance, there is an increasing focus on driving value, according to
Deloitte Touche Tohmatsu Limited’s 2018 Global EERM Survey.
“Many organizations are using third parties to perform core
operations and processes, as well as to help meet strategic
objectives,” says Dan Kinsella, a Deloitte Risk and Financial Advisory
partner with Deloitte & Touche LLP. “And that makes a significant
difference in the way senior executives and boards should think
about extended enterprise risk management (EERM),” he adds. “One
approach is to think about third parties as teaming with the business
to help create value,” he adds.
The business case for investment in EERM is now being driven by
other factors that focus on the upside of risk, such as enhancing
organizational responsiveness and flexibility, innovation, brand
confidence and increasing revenues — such as when agents help
open new markets or suppliers provide access to new geographies.
Globally, 21 percent of the 975 executives responding to the survey
consider investment in EERM a revenue generating opportunity,
while among U.S. respondents, 46 percent felt the same way. “The
survey results indicate that organizations are taking a more balanced
view of EERM than in the past, acknowledging that value creation is
as critical as value preservation,” notes Kinsella.
Connecting the Dots to Value Creation
Traditionally, the value derived from EERM programs has focused on
loss avoidance in terms of fines, regulatory actions, and reputation
risk. “However, revenue recovery efforts that can ‘plug leaks’ in
the bottom line should also be considered,” says Jonathan Rizzo, a
Deloitte Risk and Financial Advisory senior manager with Deloitte &
Touche LLP.
He notes that an effective EERM program might include, for example,
efforts to reduce future costs, increase confidence in information
shared with third parties, promote transparency in third-party
processes, and clarify contractual expectations. “These are all
activities that likely have potential revenue recovery benefits and
link back to effective management of extended enterprise risk,”
says Rizzo.
In Deloitte’s experience with cost recovery projects, there are
many potential benefits. A review of accounts payable, for example,
could generate average savings of up to 10 percent, and a review of
contract compliance could yield up to 5 percent on average of related
spend. Similarly, reviews of joint ventures could produce up to 15
percent in average savings on related expenses, while software asset
management could yield up to 20 percent of average savings on
software spend.
Enhancing assurance activities over third parties, if done effectively,
also can generate value. “Proactive efforts to manage the extended
enterprise can open doors to revenue opportunities by qualifying
a company to do business with other entities,” says Carolyn
Axisa, a Deloitte Risk and Financial Advisory senior manager with
Deloitte & Touche LLP.
From the buyer’s standpoint, well-defined supplier standards, along
with governance processes and enabling technologies, can form the
backbone of a supply chain compliance optimization program. “Such
programs not only seek to ensure third-party adherence to policies
and standards, but also to drive revenue by aligning the extended
enterprise with the organization’s broader business objectives, such
as improving product quality, entering new markets, and satisfying
demands for sustainable sourcing,” notes Axisa.
Building a strong EERM program has the potential to bolster
financial performance as well. “Implementing and managing EERM
programs using technologies that are well-suited to the task can
drive efficiency, reduce costs, improve service levels, and increase
return on equity,” says Rizzo. He points to recent Deloitte research
that says organizations with a well-defined technology-enabled EERM
framework typically tend to realize an additional four to five percent
return on equity.
“Better tools and technology can significantly reduce the time spent
on pre-contract, post-contract, and ongoing tracking and monitoring
activities, which provides for more time for focusing on broader,
strategic areas of risk management and value creation, such as
performance, strategy, innovation and commercial efforts,” adds
Rizzo. Technology enhancements can include predictive and sensing
analytics, highly customized decision-support tools, and internal data
that is centralized and easily accessible.
A New EERM Perspective for Boards
A well-executed EERM program not only enables value creation
by taking advantage of opportunities that third parties
create, but also revisits roles of people, technology, and processes,
which in turn enables risk management processes. Further, effective
EERM programs advocate a greater oversight role for the boards as a
fourth line of defense.
“Due to the added complexity of many extended enterprises, EERM
may have outgrown its fundamental three-lines-of-defense model
— management and internal control measures; compliance and
risk controls; and internal audit. In today’s environment, where
businesses operate with a host of ecosystems, a four-line model that
advocates a greater oversight role for the board may be needed to
make sure the board, or a board committee, monitors EERM issues,”
suggests Kinsella.
Results from the 2018 survey indicate a shift in how senior
executives and board members think about EERM. Boards and
C-suite executives believe their accountability around EERM is
increasing. At the same time, they believe that their levels of
engagement and coordination need improvement. Only 20 percent
of board members have a high level of engagement where a member
of the board has ultimate accountability, according to the survey.
This may imply that levels of engagement in the remaining 80
percent of organizations where the board operates in an oversight or
supervisory role are, at best, moderate (42 percent of respondents),
if not low (19 percent).
The 2018 survey findings also indicate that reputation risk has
supplanted regulatory compliance as the biggest driver of investment
in EERM in the financial services industry, a sector that is one of
the most mature with regard to EERM. Reputation risk also was
cited by respondents as one of the top “value-destroying” risks that
organizations are the least prepared to address.
For boards to play a more comprehensive oversight role in EERM,
they will need access to management data from across the
enterprise, and organizations would need to consider how to provide
such access. Boards also would require the capability to monitor and
track risks in the external environment. “The traditional three-lines-
of-defense model may need to be updated, especially as extended
enterprises grow more complex—another reason for greater board
engagement as the fourth line,” observes Axisa.
If boards don’t have the time or resources to focus on EERM, a risk
committee could become the fourth line of defense, working with the
full board to oversee risk management of the extended enterprise.
“The audit committee could be another option to oversee EERM;
however, that committee often is more focused on operational and
financial risks than on the extended enterprise,” notes Rizzo.
Rethinking the Extended Enterprise Risk Management
Emerging EERM trends
Ongoing monitoring. Risk and performance data must be monitored
on a near real-time basis and used to alter the course of third-party
risk management.
Leveraging utilities. Utilities provide a solution to the increasing
assessment "fatigue" through shared assessments, innovative
technology, and more advantageous pricing.
Organizing for EERM. There is no one-size-fits-all approach; each
organization should customize its EERM organization in line with
strategic context.
Emerging technology enablement. A portfolio of technology is used
to enable an EERM program and should be prioritized in alignment
with the organization's risk approach.
Source: Deloitte Dbriefs: The new extended enterprise: Resetting the front line.
Moving Toward a New EERM Approach
EERM is a board and C-suite led transformational approach focused
on value creation—in addition to value preservation—and enabled
by governance structures, roles, responsibilities, processes, and
technologies. “EERM is transformative because it pushes the focus
of third-party risk management from being only compliance- and
reporting-oriented to enabling identification and exploration of value
creation opportunities through third parties.
“There is no one-size-fits-all approach to EERM. However, managing
third-party risk from both a revenue and cost perspective can
provide significant opportunity to drive additional business value,
create efficiencies, and build resilience,” observes Kinsella.
Enterprise risk management
Managing the digital risks of new business models
—by William Ribaudo, partner, Deloitte Risk and Financial Advisory, Deloitte & Touche LLP
This story originally appeared in the Deloitte module of the Risk & Compliance Journal from The Wall Street Journal on May 7, 2018.
As industries continue to converge and companies adopt new
business models to compete, digital risks are becoming a rising
concern for the C-suite and boards. To address the most significant
digital risk—created by business model disruption by competitors—
it is critical to examine whether the core strategy itself remains
sufficient in the face of new technologies and as nontraditional
competitors enter the marketplace, according to William (Bill)
Ribaudo, managing partner of Deloitte Risk and Financial Advisory’s
Digital Risk Venture Portfolio, Deloitte & Touche LLP. A member of
Deloitte’s US CFO Program leadership team, Mr. Ribaudo discusses
why organizations should reassess their business models to
understand their digital maturity, and what steps can be deployed
to address the strategic risks that come with today’s increasingly
ubiquitous digital technologies.
Q: How do you define digital risk?
Bill Ribaudo: An organization’s digital risk will vary depending on
how it incorporates technology into the core of its business model. In
the last decade, many organizations have applied digital applications
and features to their businesses with various degrees of success.
For example, some more traditional organizations applied digital
technologies using a bolt-on approach through acquisition, without
integrating them into the core business model. But rather than
merely add new technologies, they should have considered making
a more connected and fundamental shift in the business model
itself. By taking a piecemeal approach, these organizations may have
increased the associated digital risks. That’s not to say companies
need to be fully digital to survive. Rather, they need to find the
right mix of physical and digital assets, a strategy that is still elusive
to many.
Based on our research, shareholders place a higher value, measured
as a multiple of revenue, on more digitally enabled companies.
CEOs, particularly those of more traditional companies, are growing
aware of the need to invest in digital operations and infrastructure.
And the way they make that transformation is critical to their future
competitive success, and managing the risks they will face.
So when we talk about digital risk, it’s important to first look at how
organizations are applying digital. Generally, they fall into one of two
broad categories: they either use digital in the business or they use
digital as the business, and the difference is significant for their risk
profiles. Digital in the business refers to those organizations that are
adapting digital applications to their existing physical businesses.
A large retailer using digital technology for their point of sale (POS)
system is an example. If the POS system goes down, customers can
continue to make some purchases, such as with cash and check, and
the retailer can still conduct business.
In contrast, digital as the business refers to companies in which
digital is the way they transact, such as an online e-hailing ride
service. In this case, if there’s disruption in internet connectivity, it
cannot conduct business; and typically as a result, business with
customers stops. So the digital risks in this business model are
dramatically different than a business that uses technology in the
business, and the risks likely will have a more significant impact on
the business.
Q: How does digital risk differ from more traditional types of risk that
organizations face?
Bill Ribaudo: What is different is the speed of impact. If you analyze
how those risks play out within a business, they work through three
traditional risk management channels—strategic risk, operational
risk, and governance risk.
Strategic digital risk is the fundamental threat now faced by
many companies that have not successfully incorporated a digital
framework into their business model. Companies may do a solid job
executing operationally focused strategies, but if they don’t progress
toward business models that balance physical and digital capabilities,
they increase the risk of being disintermediated and losing direct
interactions with their customers.
Operational digital risk derives from not implementing today’s
IT applications to do things better, faster, cheaper, and it mostly
impacts productivity and efficiency. For example, if a company
adopts new IT associated with robotic process automation (RPA) or
blockchain, merely to automate existing processes or steps without
changing the fundamentals of the company’s business model, this
can create digital risks to operations.
The third area, governance digital risk, is an outcome or result
of both strategic and operational strategy. Management has the
responsibility to ensure that all the digital technologies employed,
whether strategic (think business model) or operational (as in better,
faster, cheaper) are fulfilling the goals set and that new risks are
addressed. One step in that process would be to inventory and
manage the many different RPA applications installed and ask: “Do
we have bots that are talking to bots that are talking to other bots,
and do we know all the linkages to our legacy systems?” Imagine
the risks that can arise when you have 100 RPA projects happening
at once, feeding off of 80 different systems. Someone needs to be
looking at that inventory of risks across all business units.
Q: What are some considerations and strategic risks when
transforming to a digital business model?
Bill Ribaudo: Understand that the purpose of transforming to
digital falls under the category of using today’s latest technology
to serve customers better than your competitors. The challenge
for management and boards is that the speed of technological
advancement has accelerated beyond their knowledge and capability,
and as a result they are likely not investing as needed to stay ahead.
That opens the door to new competitors who can enter their space
and create disintermediation and, therefore, strategic risks.
To deal with these realities, executives can consider five broad steps:
First, start with a clear understanding of the company’s current
business model and be prepared to shift your mental model about
understanding where value comes from and what shareholders
are now valuing. The next step is to create a “market-based balance
sheet” that reflects market-based valuations and identifies any
implied intangible assets. Leveraged or monetized intangible assets,
such as customer connection, customer information, operating data,
etc., are more valued in the digital economy. It’s these assets that can
become the building blocks of a new business model.
The third and fourth steps entail developing new business models
based on those intangible assets, and creating a plan to reallocate
capital to leverage those assets. Based on our research, new
business models can be valued using a revenue multiplier applied
to a certain type of business model—asset-based, service-based, IP-
based, or network-based.
The last step involves establishing ways to measure and manage
these new models, including new sets of key performance indicators
(KPIs). New business models require new KPIs, and as the saying
goes: “People manage and respect what you measure.”
Q: Why might some organizations hesitate to embrace digital?
Bill Ribaudo: With respect to digital in the business, we are
not seeing hesitation. This, I believe, is because management is
generally comfortable employing operational technologies—better,
faster, cheaper—to improve operations. However, when it comes
to strategically changing business models, management has, at
times, had a hard time making the transition. Typically, traditional
companies have leaders who have not grown up in the digital age
and, as a result, many of these companies and their leaders may not
have the familiarity or comfort to venture into this unknown space.
For companies to make the leap, they also need to get the entire
leadership team to buy into the new direction and ensure the
board is supportive, too. This alignment alone is difficult for many
organizations to achieve and why often times companies fail, when
others are better able to manage change more successfully.
Another obstacle is reallocating capital from supporting the
historical business to investing in new digital areas, where digital
means in the business, at the same time that current investors want
the organization to keep doing what it has been doing. Changing
strategies often involves shifting groups of investors and there can
be a market penalty for doing so. In the end, investors pay for the
promise of growth, and if the new strategy is not communicated
effectively, or shareholders are not convinced of the benefit, there
can be much risk-related turbulence.
Q: What are the roles of the CFO and CRO in managing the risks that
come with shifting to business models that embed digital?
Bill Ribaudo: The CFO has a pivotal role in being what I call the
great translator as a company embarks on a digital business model
transformation. The CFO needs to work closely with operating
management and be able to explain the financial implications
of different strategies. How will the market and investors react
to strategy A versus strategy B? Understanding that requires
financial modeling, scenario planning and buy-in from the board.
It’s also essential to understand and convey the cost and risks of
standing still and doing nothing. For the CFO and CRO, it is critical
to anticipate, assess, and monitor this new risk frontier triggered by
new digital business models.
Enterprise risk management
How ERM can support strategy and performance
—by Keri Calagna, principal; and Jacqi Fifield, specialist leader, Deloitte Risk and Financial Advisory, Deloitte & Touche LLP
This story originally appeared in the Deloitte module of the Risk & Compliance Journal from The Wall Street Journal on February 26, 2018.
With the 2017 update of the Enterprise Risk Management (ERM)
framework, the Committee of Sponsoring Organizations (COSO) of
the Treadway Commission recognized the importance of aligning
ERM to an organization’s strategy and performance. Keri Calagna,
principal, and leader of the Strategic Risk Management practice
at Deloitte & Touche LLP, and Jacqi Fifield, a specialist leader
within the practice, discuss aspects of the updated framework,
what organizations can do to better connect risk management to
strategy and performance, and what boards are expecting from
ERM programs.
Q: Why did COSO update its ERM framework?
Keri Calagna: The initial ERM Integrated Framework was first
released by COSO in 2004. The update released last year comes at
a time when organizations are challenged by technology innovation,
ongoing changes in consumer preferences, regulatory uncertainty
and other business disruptions that threaten their ability to compete
effectively. Executives need to anticipate and address these
challenges while making choices about risk that enable strategy, build
resilience and drive value. The updated COSO framework emphasizes
the connections between risk, strategy, and value and provides a
new lens for evaluating how risk informs strategic decisions, which
ultimately affects performance. Equally important, it elevates
the role of risk in leadership’s conversation about the future of
their organization.
Jacqi Fifield: Executives need to understand and think strategically
about known and emerging risks that affect or are created by
business strategy decisions. Many organizations and ERM programs
already connect strategy and risk management by identifying and
assessing known risks to executing a strategy, but this is not enough.
Risk programs must also address risks to strategy caused by external
changes that may not have been foreseen when the strategy was
originally developed. These new risks may need to be addressed or
strategies may need to be modified.
Q: What are some challenges organizations have in implementing
ERM effectively?
Keri Calagna: We see a few common challenges implementing
effective ERM. Some organizations have a hard time demonstrating
the value of ERM and investing adequate resources to build a strong
risk capability. Some find it difficult to integrate risk management
across the organization, embedding it into business units, functions
and processes. Other organizations fail to build a risk-aware culture
that is embraced and governed by a strong tone at the top among
senior leadership.
An effective ERM program has a few basic requirements. It should
escalate the right risks to the right people in a timely manner, and
as a result, drive meaningful risk conversations with leaders to
inform decision-making. When ERM is working properly, it should
increase resource efficiency and effectiveness in the management
of core risks to the enterprise, while reducing the impact of crisis
events and protecting the reputation of the organization. Last, ERM
should support the achievement of strategic goals and objectives as
determined by leadership.
Jacqi Fifield: One of the top challenges I see is the difficulty to
identify emerging risks to strategy. There could be an ERM program
in place, but it may be only identifying current known risks rather
than also helping executives anticipate unknown risks that may
be emerging. One sign an ERM program is not effective is when
executives see the same risk heat map year after year, which does
not help them make better decisions. What is often missing are
deep discussions at the C-suite and board levels on root causes
of the known risks and what more could be done to act on the
risk information they are getting. Ongoing risk discussions can
help integrate risk into strategic decision making on a formal and
informal basis.
Q: What is the linkage between the ERM framework
and performance?
Keri Calagna: Strong ERM enhances an organization’s desired
performance and chances of success in achieving its strategy. ERM
can be used for both offense and defense, to both protect value
and to enhance value. ERM helps identify and manage risks that
could limit an organization’s ability to achieve its strategic objectives.
When done well, ERM also allows leaders to take smarter risks in
the pursuit of opportunities that can lead to greater rewards. In
order to get there, organizations need to have confidence in their
ability to identify, analyze and strategically think about the risks
to strategic decisions on an ongoing basis and to be confident in
their ability to monitor, respond and correct course in the face of
unforeseen events.
Jacqi Fifield: Let me share an example of how this can work.
Position a risk team member within a business unit to help
embed risk intelligence into day-to-day operations and link risk to
performance goals. The risk analyst can build and conduct risk
assessments, monitor risks and work directly with the business
owners to advise them on how best to manage risks. The better risks
are managed, the stronger the business is likely to perform.
Q: What do boards expect from ERM?
Jacqi Fifield: Boards in general want more transparency, and
many are not receiving the risk reporting and updates they need.
Many boards and executives are indicating a lack of confidence
in the robustness of existing ERM programs and question
whether the programs allow them to effectively oversee and
guide strategic decisions for the organization. Are ERM programs
identifying the right risks at the right time, given the complexities in
the environment?
ERM programs should support the board’s risk oversight role by
providing specific insights into risks to the organization’s strategy
and support leadership’s decision-making processes on an
ongoing process. Risk reporting to the board should include how
effectively risks are being addressed by tracking metrics that are
impactful, valid, and measurable, including key risk indicators that
impact performance.
Keri Calagna: To further Jacqi’s point, board members are worried
about the unknown risks that are out there. They want confidence
that they are not missing something significant, and as a result, that
they are asking more insightful questions of their executives.
A leading practice is to have a chief risk officer (CRO)-type role at the
executive level. This helps set a strong tone at the top and signals
that risk has a seat at the table to help set and achieve strategy. A
CRO can give the CEO and the board the comfort that they have a
peer and a partner whose job is to help manage and mitigate risk,
and help grow the business in line with strategy.
For those organizations that do not have a C-suite level risk executive
in place, initiating risk management pilot programs in a few key
areas, such as M&A or strategic planning, and incorporating a risk
framework into the decision-making process, can be a place to start.
Similar coordinated initiatives can be introduced in other areas,
helping to show the value that integrating risk into strategic decisions
can bring. Board members want confidence in risk management, and
they want to know that the organization has strong risk governance
in place with executive level accountability.
Transparency: Key to managing information exchange
risks in outsourcing
—by Dan Kinsella, partner, Deloitte Risk and Financial Advisory, Deloitte & Touche LLP
This story originally appeared in the Deloitte module of the Risk & Compliance Journal from The Wall Street Journal on December 19, 2017.
The use of outsourcing providers by organizations is increasing
globally, and the functions and tasks being sent to third parties are
more closely related to those organizations’ core business than in the
past, according to research from Deloitte.*
Effectively managing risks that can penetrate the extended
enterprise requires executives and board members to “think beyond
their four walls in diverse ways,” observed Dan Kinsella, Deloitte Risk
and Financial Advisory partner, Deloitte & Touche LLP, who led a
panel on bringing more transparency to the information exchange
process in outsourcing arrangements at a Compliance Week
conference. “These risks are no longer relegated to accounts payable
or the exchange of financial information,” added Mr. Kinsella.
He explained that third-party relationships can affect an
organization’s reputation and create risks around the disclosure
of nonfinancial information, such as personal identifiable
information or research—breaches that may not be caught by
accounting and inventory controls because they are unrelated to
financial transactions.
Mr. Kinsella’s discussion focused on how to improve the exchange
of information between the two parties by improving efficiency and
addressing related risks.
Information Exchange Challenges
The information passed between a customer of outsourced services
and its third-party provider can include security and controls
documentation from the vendor, as well as evidence of the vendor’s
credit worthiness and financial stability. “The information exchange
challenge begins at a fundamental level, early in the
customer-vendor relationship,” commented Jeremy Taylor, vice president,
chief compliance officer and associate counsel—Litigation, at Dover
Corporation. “As a client or customer, I will request information
from third parties on an ongoing basis to evaluate the risk in the
relationship to manage my company’s compliance efforts and follow
up on anything that causes me concern,” he added.
Jim Theisen, associate general counsel and chief compliance officer
at Union Pacific Corp., talked about how his organization uses
information to populate a comprehensive scorecard as part of an
annual review of critical suppliers to vet the quality of third-party
services and materials. The scorecard process provides assurance
that vendors meet security and financial criteria, as well as Union
Pacific’s cultural goals, which is another layer of information.
“It’s not just on-time delivery and project performance that we
score, but also company goals, such as whether the vendor partners
with us on safety, diversity and social responsibility. As a railroad
company, safety is the number-one concern of management and our
people, and it must be a top priority of our third-party providers,”
added Mr. Theisen.
Vendors in outsourcing arrangements experience a different set of
information exchange challenges from their customers. Jonathan
Klein, chief information security officer, Broadridge Financial
Solutions, explains that his organization works with customers to
formulate “reasonable” information requests. For example, when
asked to provide information about every software patch Broadridge
applied to its data systems, which amounted to a 60,000-line
spreadsheet of patches, Mr. Klein noted, “I worked with the customer
to provide a six-month sampling of patches as reassurance that
Broadridge has a patch program in place that is functioning properly.”
Managing Information Requests
The process for managing multiple customer requests from the
same client also was discussed, with Mr. Klein supporting an
approach that would funnel requests from different customer
functions into one department to consolidate and perhaps
standardize them. That way, vendors would not find themselves
responding to the same request for information multiple times
during the year. In some cases, “customers respond to the call for
better oversight by asking vendors for the ‘kitchen sink,’” noted
Mr. Klein.
“It could be a tough conversation when a vendor begins negotiating
with a customer about what is a ‘reasonable’ information request,”
observed Mr. Taylor. But the panel generally agreed that such
negotiations keep the lines of communication open, which often
helps nurture a mutually beneficial relationship. Mr. Taylor noted that
at Dover, information requests are made after a decision-making
process that takes into consideration what management targets to
meet compliance expectations.
“Organizations that choose to more cohesively engage with
third-party management can often increase value, for example, by staving
off revenue leakage,” noted Mr. Kinsella. He said a cohesive approach
can be centralized and still allow business units to work with third
parties to achieve objectives and drive value.
From Board Oversight to Reputation Risk
Boards, not only management, have a role to play in overseeing
third-party risk. “Boards need to hear from their chief compliance
officers about their organizations’ third-party oversight program
and whether it is effective,” said Mr. Theisen, who updates Union
Pacific’s board on a variety of third-party matters and the measures
in place to handle such risks. He noted that a strong board, with solid
fiduciary responsibilities, promotes confidence in ethical leadership
and provides knowledgeable oversight of third-party risk.
Reputation risk with respect to third parties also is a concern. “At
a very high level, managing reputation risk means making sure we
are working with the ‘right’ partners, something Dover’s third-party
vetting program is designed to give us comfort around,” commented
Mr. Taylor. Dover assigns a risk score to third parties that work on
the organization’s behalf. For vendors that fall into the “small bucket”
of higher risk, Dover requires additional detailed information and
approval from senior level leadership to enter into an arrangement,
and manages those vendors more closely than vendors with low-risk
profiles. Further, higher-risk vendors are required to have a sponsor
from within the business unit that uses the third-party products
or services.
Moving Forward
Automation may help organizations streamline and scale their
vetting process for third parties, which tends to be a manual task.
Some vendors are working with customers on ways to automatically
feed information directly into their risk management systems. Such
a system would enable customers to crunch data automatically—
rather than sift through it manually—and flag potential issues, by
using key indicators. In addition, vendors may want to consider
developing standard reports for customers that operate in the same
industry. However, for that approach to be effective, organizations
should be ready to accept those types of advances and outsource
providers ready to deliver them.
Mr. Kinsella suggested a basic framework to help customers and
providers improve their transparency and information exchange.
For example, the customer and vendor may want to undertake a
joint inventory. For customers, that might include identifying the
providers that could impact the organization’s risk domains, while
providers could take stock of proactive ways to meet customer
information needs.
Developing an integrated risk and controls framework is another
step. In general, the framework could help customers match the
level of risk to the information being requested and monitor a
vendor’s effectiveness at receiving, responding to, and delivering on
information requests, Mr. Kinsella explained. Providers could use the
framework to organize what information to provide, when and how
to supply it, and their effectiveness in customer support.
While third-party management likely will mature over time, the
current process at many companies continues to be a hands-on
operation carried out by the workforce, although it is increasingly
becoming a priority of leadership. “Senior executives recognize that
the compliance function is no longer just about compliance, but
rather is a critical part of the sales chain,” said Mr. Klein.
*“Overcoming threats and uncertainty: Extended enterprise risk management
global survey 2017,” Deloitte Risk and Financial Advisory, Deloitte & Touche LLP.
Copyright © 2017 Deloitte Development LLC.
A strategic risk approach to disaster recovery: Beyond
traditional planning
—by Chris Ruggeri, principal; and Kathryn Schwerdtfeger, partner, Deloitte Risk and Financial Advisory, Deloitte & Touche LLP
This story originally appeared in the Deloitte module of the Risk & Compliance Journal from The Wall Street Journal on November 13, 2017.
The recent intensity of the hurricane season has put a new emphasis
on how organizations deliver on their crisis response planning
and execution, according to Chris Ruggeri, a principal in Deloitte
Transactions and Business Analytics LLP and national managing
principal who oversees Strategic & Reputation Risk Management
for Deloitte Risk and Financial Advisory; and Kathie Schwerdtfeger,
a partner and the leader of the National Grants Management and
Recovery practice in Deloitte Risk and Financial Advisory’s Strategic
Risk practice at Deloitte & Touche LLP. Effective response requires
timely information gathering and planning related to all employees
and critical assets, as well as skills in interacting with other
stakeholders, including business partners, customers, regulators and
shareholders during the recovery period.
Q: How does preparing for and responding to a natural disaster
differ from other crises that organizations and boards face?
Kathie Schwerdtfeger: Preparation for and response to natural
disasters differ from other crises in two distinct ways: early
warning and connection to impact. From a preparation standpoint,
organizations are able to rely on established warning or early
identification systems such as weather forecasts, climate patterns,
and geological indicators that suggest a natural disaster is imminent.
As a result, organizations have the advantage of notice to better
prepare or at least evacuate critical assets prior to the arrival of the
event. Other types of crises typically do not have such established or
reliable systems and are largely dependent on the real-time actions
of its people.
From a response perspective, natural disasters pose peculiar
challenges. Because natural disasters are not “targetable” or
controllable events, their impact is not exclusive to a single
organization. This factor magnifies the impact and number of
affected parties such as extensive loss of life, power, electronic
connectivity, etc. Their physical manifestation also creates a
psychological and emotional connection with stakeholders that
is very human and personal. As such, the response effort has to
carefully address the human side and apply more emotional than
logical approaches.
Chris Ruggeri: If you consider the life cycle of risk, organizations
are going to face several types of crises throughout their history. In
the case of a public company, where sustaining market capitalization
is critical, management and boards should be undertaking not
only crisis planning, but also planning for what could put their core
strategic assets at risk. These are the assets that are central to
an organization’s future growth, and that very much includes the
operational workforce.
Under strategic risk planning, organizations actively anticipate and
manage response to, and recovery from, various types of events to
protect assets and be resilient. It’s focused on recovering quickly
and adeptly because an organization’s resilience is tied to how
well it anticipates disruptions in its supply chain and the impact
on customers, and whether back-up plans based on the various
contingencies are in place. If an organization waits until after an event
to figure out how to respond, it risks losing employees, customers,
days of operations, and possibly the market share that made it
competitive in the first place.
Q: Disasters highlight the thirst for information that different
stakeholders have. What can organizations do to manage their
needs effectively?
Kathie Schwerdtfeger: When a crisis hits, the worst thing is
an absence of information. It’s critical that organizations inform
their employees, as well as the people and communities they serve,
as quickly and fully as possible. Clients, suppliers, and business
partners should be told early on how the organization that is
experiencing the disruption is going to help each of them to minimize
their own damages and help get them back up and running.
Demonstrating care and concern for other organizations in a time
of tremendous need can be an important way of building trust and
lasting connections.
Chris Ruggeri: What Kathie said about the absence of information
applies to customers, business partners and shareholders as well.
Under normal circumstances, it’s essential that management creates
confidence in the minds of partners, customers, and especially
investors that they’re going to deliver on their strategic objectives—
and, equally important, have plans in place to deliver those
objectives when a major disruption happens. When a disruption
occurs, it’s critical that leadership proactively manages the situation
on an ongoing basis and demonstrates that they’re on top of it.
To the extent possible, leadership should also provide guidance
on what they expect the event’s overall impact on operations to
be when temporary or longer-term disruptions occur, and when
they expect operations to get back to normal. From investors’
perspectives, when management communicates and executes at this
level, it can provide confidence that, first of all, management knows
what it’s doing, and that information is available so they can populate
their models and determine what the impact might be.
Q: What is the role of the board during a natural disaster, and what
are issues to consider that may not be needed in calmer times?
Chris Ruggeri: Ideally, the role of the board has already been well
established well ahead of the crisis. Advance crisis planning is no
longer a “nice to have” but rather a must have in today’s fast-paced
market environment. Failure to demonstrate command over the
situation is typically met with a loss of confidence by customers,
suppliers, regulators, investors, and other key stakeholders and
can result in permanent brand damage. The board should be
well-acquainted with the company’s crisis plan and key roles and
responsibilities. Some companies have tasked specific board
committees with oversight over crisis planning and response.
Whether that is the case or not, the board should get regular
updates and exercise appropriate oversight. In times of natural
disasters, when conditions are extreme and unpredictable, the
board should be available to provide input to management and
assess progress against recovery plans. The board can add value
by challenging whether the crisis plan needs to be adjusted in real
time as events unfold, while being mindful of doing so in a way that is
constructive and not disruptive in an already tense environment.
Kathie Schwerdtfeger: It’s also important that boards and
management have a common vernacular to describe both a
routine operational mishap and a catastrophic event. They need to
consider what it could mean to have these types of events impact
the business and what it would look like when they’re in the middle
of one. That’s where education and simulations can help, and why
board members as well as senior management should be involved
in training and exercises. The organizations that not only survive,
but thrive, after a natural disaster are the ones where the board and
management are in sync and operate from a common playing field
with respect to how they will execute on a plan and what they expect
to see at the end of the process.
Q: Who in the organization should oversee natural disaster planning
and recovery?
Kathie Schwerdtfeger: Typically, the chief risk officer (CRO)
is responsible for enterprise-wide risk management, including
planning for catastrophic events such as natural disasters. The role
may also be played by a chief security officer (CSO) or chief legal
officer (CLO), depending on the organization’s structure. Planning
should include a strategy for identifying from across the business
the key stakeholders who are expected to respond during a
catastrophic event.
Executing the plan and recovery would typically involve operational
leaders to act tactically and at the frontlines to prevent further
escalation. For example, the IT function will be needed to help
ensure that core systems are up and running. The finance office
and the commercial entity also will be critical to the process, as
will the insurance teams that will focus on accessing policies and
determining coverage.
Q: What should organizations consider in terms of reputational risk
during and after a natural disaster?
Chris Ruggeri: They need to consider that their every move is being
watched by the stakeholders they need to communicate and work
with during the disaster recovery phase. Again, that is why the right
planning is critical. If the board and management are caught unaware
about what the extent of the damage caused by the disaster is or
how to get things back up and running, the chances of a negative
outcome will be great. If the senior executive team is not engaged,
and if no one is talking knowledgeably to the community, the media
and the investment community, that’s a risky position to be in. So it’s
essential to have the necessary skilled people in place as a disaster
response team, and to recognize the job requires the organization to
anticipate beyond what’s easily known or anticipated no matter the
extent of the crisis.
From a reputational standpoint, people are going to look closely at
what is said and done during the disaster recovery period, the tone
of the response, how quickly it’s made, and how issues are being
resolved. There is a social responsibility issue to be considered as
well, since deep down any organization is part of a community and
is expected to take responsibility for negative events stemming from
natural disasters when they happen. Getting in front of potential
disaster events with planning that is broad and deep is likely the
best defense any organization can have to protect the business and
its reputation.
The networked economy: Strengthening organizations
across the extended enterprise
—by Brent Nickerson, partner; and Kevin Lane, principal, Deloitte Risk and Financial Advisory, Deloitte & Touche LLP
This story originally appeared in the Deloitte module of the Risk & Compliance Journal from The Wall Street Journal on October 26, 2017.
The networked economy often is described as the natural outcome
of what happens when all the actors inside a business ecosystem
are interconnected. Through technology, these interconnections
enable customers to drive choices, select preferences and make
their predispositions known. This interconnectedness fundamentally
takes some of the power away from producers of goods and
services to drive value and puts it in the hands of consumers in the
extended enterprise.
According to Brent Nickerson, a Deloitte Risk and Financial Advisory
partner at Deloitte & Touche LLP, the networked economy also
transforms the “enterprise” as industries have defined it for
years. Historically, this term encompassed the people, processes,
technology and systems within a company.
But as Nickerson describes it, a networked economy broadens the
scope of everything, necessitating a new way of thinking. “Really,
now it’s all about the extended enterprise—the exterprise,” he says.
“All the connections that a company has with third parties, all the
distribution channels—everywhere a company does business is
a part.”
Trends to Follow
These exterprises—and a networked economy itself, for that
matter—don’t happen in a vacuum. They need to capitalize on a
number of trends to work, which can include:
1. Collaborating on business models. One of the biggest trends
to drive the networked economy is collaborative business models, or
models that enable different types of businesses to work together
to drive sales. The Internet of Things (IoT), the ultimate extended
enterprise, is a good enabler of this type of collaboration. If, for
instance, a consumer has a smart washing machine, the customer
can instruct it to order more detergent pods online whenever the
supply runs low. In this case, collaboration breeds convenience,
which typically leads to happy customers.
2. Being radically transparent. Another important trend driving
the networked economy: the widespread movement to radical
transparency. Kevin Lane, a Deloitte Risk and Financial Advisory
principal at Deloitte & Touche LLP, says that when companies begin
to interlink networks, it’s important that all parties be transparent
about how they do business throughout their own respective
extranets, so as not to alienate any potential customers. Lane adds
that companies must ask themselves what kinds of networks they
want to associate with and what sorts of belief systems they’re willing
to tolerate from partners they collaborate with.
“Everything out there can be seen, and the consumer sees it all and
makes his or her own judgments,” says Mr. Lane, who also serves
as the retail industry leader for Deloitte’s Enterprise Compliance
Services practice. “No one ever fully gets his or her way, but the
idea is that the networks, somewhat organically through the
interconnection, develop their own consensus point and
middle-ground answer.”
3. Getting a handle on an organization’s risks. Companies that
wish to create exterprises must also have a handle on their risks.
And they must perform regular risk assessments to quantify how
vulnerable their networked economy is to threats.
On the most basic level, risk assessment is about physical security—
locking down facilities so that only authorized employees come
and go. But the broader day-to-day realities of risk assessment go
hand-in-hand with a push for more transparency. As companies
learn more about the other companies in their exterprise, previously
undisclosed risks emerge, creating an opportunity for remediation,
or at least a backup plan. In evaluating this risk, companies must
think not only of themselves but also their customers.
Something could be both legal and ethical, but it may still not align to
the preferences of the consumers involved.
Leveraging Connections for the Networked
Economy Approach
As the first wave of companies begins to embrace the networked
economy approach, opportunities abound to leverage the ensuing
connections into smart business decisions for the extended
enterprise. Following are steps organizations can take to create value.
1. Extend and amplify connections. For starters, companies
must extend and amplify connections through consortia and other
industry groups. Some of these groups are more marketing-oriented
in nature and enable participants to network with each other and
share leading practices. Others are functional—participants meet
to collaborate on devising standards, rules and other forms of
self regulation.
2. Innovate to capture new revenue streams. Looking forward,
companies must also figure out how to capture new revenue
streams. Subject matter experts say this likely will be driven almost
entirely by the networked economy and the exterprise—by third
parties that spark new products, new development and innovation.
A number of contract manufacturers around the world have
already set up product innovation centers where they offer design,
engineering, prototyping and manufacturing necessary to build out
new products.
In addition to changing the product catalog, these centers have
sparked a sea change in strategy. Now more than ever, innovation is
coming from the edges of a corporate network and working its way
in. The exterprise also has indirectly expanded distribution channels,
since companies are now connected to so many other companies.
Ultimately, the one-two punch of more innovation and more places
to sell new products enables companies to penetrate deeper into
their existing consumer bases and, at the same time, acquire new
consumers.
In the context of a networked economy, both scenarios can lead to
additional revenue—yet another way risk, when managed well, can
create value in the business world of today.
Strategic resiliency: Striking a balance between
protecting and creating value
—by Chris Ruggeri, principal; Andrew Blau, managing director; Maureen Bujno, managing director; and Yeolin Jung, manager, Deloitte
Risk and Financial Advisory, Deloitte & Touche LLP
This story originally appeared in the Deloitte module of the Risk & Compliance Journal from The Wall Street Journal on August 25, 2017.
For many organizations, risk management tends to have a more
operational than strategic focus. And risks tend to be addressed
only after they occur. By focusing solely on mitigating risks and
preventing the recurrence of a risk, organizations face a slow-down
in the decision-making process. In contrast, organizations that align
strategy and risk are likely to be able to exercise “strategic resiliency,”
which is the ability to anticipate, know and act on risks when
introducing or executing new strategies to increase the chances of
success—in spite of uncertainty.
Strategic resiliency is rooted in a framework designed to strike the
right balance between value creation and value protection. Applying
a risk lens to strategy helps organizations understand which risks
provide opportunities for long-term value creation and which to
protect against.
To optimize value on a risk-weighted basis, organizations should first
make sure they have a strong enterprise risk management program
as the foundation upon which to build. That includes, for example,
having a risk governance and reporting cadence, and standardizing
and deploying enterprisewide risk management processes with
regard to operational, strategic, financial and compliance risks, as
well as developing risk responses and mitigation plans.
Identifying Strategic Risks
Uncovering potentially disruptive or innovative strategic risks with
little or no historic precedent generally requires a different approach
than traditional risk discovery methodology and processes.
Organizations should also take the time to focus on “what’s
next” with scenario planning, which can provide strategic options
and flexibility should the industry, market or organization face
unexpected change. The value in the face of potential disruption or
other changes and how the organization will sustain its competitive
advantage and continued resilience may be considered as well.
Creating strategic resiliency also requires risk valuation modeling for
each scenario, where the underlying circumstances can be assessed
for various levels of uncertainty and risk, to yield a range of outcomes
and the likelihood of each outcome. Organizations can compare
outcomes for each risk-adjusted alternative and select the alternative
that provides the optimal risk/reward profile.
True strategic resiliency requires a clear understanding of risk
tolerance. The organization outlines which strategic objectives are
supported in taking risks and when putting strategic objectives into
action, keeping within agreed-upon risk limits.
For any organization, there are still chances that unexpected events
will occur. Organizations should consider formalizing a crisis response
program and framework and be prepared to respond effectively.
Having a rigorous, coordinated response to incidents can limit lost
time, money and customers, as well as minimize damage to brand
and reputation and the costs of recovery. Crisis response programs
should also include steps to normalize operations, which may mean
a change in strategy.
Organizations should tap into the insights of boards. As a diverse
group of highly experienced individuals, these seasoned leaders
can provide an “outside-in” view, offer broader perspectives and be
essential partners in achieving strategic resiliency with management.
How to Get Started
Following are several questions an organization’s management and
board may want to consider to start on a path toward strategic
resiliency.
• Have strategic risks been identified by management and has the
board provided input?
• What mechanisms does management have in place for risk
sensing and monitoring risks that could result in a shift of
strategy?
• Is the strategy flexible enough to allow for a shift?
• Does the strategy identify the organization’s vulnerabilities?
• Is the board confident that management has the right information
to make high-stakes decisions?
• Does the board have the right composition to effectively advise
on the strategy?
• Who is ready to lead if strategic risks aren’t managed?
• Is the organization prepared for a crisis?
• Has the board engaged with management in a deep-dive,
brainstorming session on strategy?
• Does the board have ongoing conversations with management
about the strategy? Are strategy discussions frequently built into
board agenda topics throughout the year?
With the business environment rapidly changing, organizations that
continually innovate, stay ahead of the risk of disruption and take
advantage of strategic risks—as well as the opportunities they can
signal—have the potential to lead the way.
Brand and reputation risk
Building reputation resilience
Strong reputations help companies withstand crises
Assessing brand health risk
Taking the pulse of brand health risk
Managing reputation risk
Tackling the CX measurement challenge
Three steps for executing brand promise
Delivering on the brand promise
Brand and reputation risk
Building reputation resilience
—by Mike Fay, principal, Deloitte & Touche LLP; Keri Calagna, principal, Deloitte & Touche LLP; Antonio Crombie, manager, Deloitte &
Touche LLP; and Jennifer Turner, manager, Deloitte & Touche LLP
This story originally appeared in the Deloitte module of the Risk & Compliance Journal from The Wall Street Journal on June 12, 2018.
A brand’s reputation is among its most important—and most
vulnerable—assets today, but cultivating reputational resilience with
a cohesive and technology-enhanced strategy can enable companies
to both prepare for crises and create enduring value.
Reputation and brand are two sides of the same coin. A company’s
brand—which is focused on the products and services a company
promises to its customers—is aspirational. It’s how the organization
hopes it will be perceived. A company’s reputation—the thoughts
and feelings about it held by its broad set of stakeholders—is how
the company is actually perceived.
While many organizations are good at building their brands, many fail
to apply the same level of discipline to managing their reputations.
A number of factors can contribute to this. Managing reputational
risk often doesn’t fit neatly into a single function, creating
unclear ownership and accountability. There may be insufficient
understanding of the sources of reputational risk, how to manage
those risks, or what the full impact of a reputational crisis could
be. In addition, there may be cultural resistance to the changes in
behaviors required to manage reputation risk more effectively.
Yet, corporate reputation has never been more important—or
more fragile. It’s one of the most important assets in almost any
organization, typically playing a critical role in creating value and
driving the business forward. In today’s 24/7 media cycle, customers
and other stakeholders are increasingly connected and well
informed—and a reputation that’s taken decades to build can be
torn apart in seconds. Reputation-linked losses at public companies
have increased by 301 percent over the past five years, according
to a study by Steel City Re.¹ Last year was a record one for business
crises, according to the Institute for Crisis Management 2018 Annual
Crisis Report, with the number of incidents increasing 25 percent
over the previous year.²
It’s likely no surprise, then, that in a recent global survey by Aon
Risk Solutions, executives rank brand and reputation damage as
the number one enterprise risk.³ Nearly three quarters (73 percent)
of board members responding to a recent Deloitte survey say
reputational risk is the area in which they feel the most vulnerable,
but only 39 percent say they have a plan to address a reputation
crisis.⁴ The potential consequences of not having such a plan when
things go sideways can be significant, including loss of customers
and revenue, damage to investor confidence, significant recovery
costs, and boardroom and C-suite casualties.
There are likely opportunities for organizations to more proactively
manage reputation to stay ahead in this competitive and dynamic
marketplace—in their day-to-day activities as well as in times of
trouble. Those that create a systematic, company-wide approach
to reputation management and adopt new risk-sensing tools and
capabilities may not only increase their reputational resilience,
but also harness their reputations to drive their corporate
strategies forward.
A Cohesive Approach
Companies with well-defined, effective reputation management
practices are often able to build their reputation resilience and shape
business outcomes in good times and bad. Those that manage
reputation well likely understand the business ecosystems and
build trusted relationships with stakeholders that matter most. The
trust and value of these relationships can serve as money in the
bank that can be drawn upon in times of crisis or brand shocks.
That goodwill can enable leaders to navigate these situations with
confidence because they have built the resilience necessary to not
just emerge—but to emerge stronger—from potential setbacks.
A key is to not just protect the reputation, but also to deploy
strategies to enhance it. Often the most successful companies take
a proactive approach to managing, nurturing, and monitoring their
reputations. Many approach it not just as a byproduct of other risks,
but as a critical asset that can fuel the business.
A programmatic, enterprise-wide approach to reputation
management commonly includes four key elements:
Strategy: A clear and consistently applied vision for reputation
management, aligned to business objectives, can help to amplify
brand and reputation and differentiate the organization in
the marketplace.
Advocacy: Engaging and empowering internal and external
stakeholders in purposeful ways can enable these diverse groups to
champion the brand and protect the organization’s reputation.
Resilience: Sensing, assessing, and managing risks and proactively
planning to protect reputation from crises can enable an
organization to respond to and recover from reputational jolts
more effectively.
Governance: A cohesive program can help ensure that the above
components work together in concert and includes means for
measurement, monitoring, and continuous improvement.
When done well, this approach can connect capabilities and
resources throughout the organization to effectively manage
internal and external threats to reputation. It’s not about creating a
new function or additional work, but about connecting reputation
management to the things a company may already be doing in the
area of risk management and business resilience.
The Return on Risk Sensing
Successful reputation management often involves sensing, assessing,
mitigating, managing, and responding to threats. Those companies
that build such capabilities into their risk governance structures can
identify potential risks and opportunities early, evaluate their impact,
and make better decisions about how to act on them.
At one time, risk sensing and response was largely a matter of hiring
a public relations firm to advise on what was happening to the
company from an outside perspective. However, the state of the art
has advanced. With today’s technology, reputation risk sensing can
be done in a more cost-effective—and near-real-time—manner.
Many leading risk management programs incorporate 24/7
monitoring of traditional and social media sources, along with
other internal and third-party data sources. Top-notch teams of
analysts, enabled by analytics and risk intelligence tools, scan the
environment for trends, high-impact events, and other changes
in the ecosystem. They continuously monitor those topics across
a variety of data sources and generate regular reports that can
enable their company to act on risk factors before it’s too late. This
can be helpful in deciding how best to navigate reputational threats
and manage communications and relationships with important
stakeholders. Such risk-sensing capabilities can be applied across
the enterprise, including talent in the workplace, high-impact events,
financial risk, digital assets, socio-economic and geopolitical risk, and
competitive trends. They can help organizations accelerate the discovery
of reputational risks and, in the best cases, preempt them. Just as
powerfully, they can inform strategic choices and drive the corporate
agenda forward.
In fact, there can be a huge opportunity in considering reputation in
the full business context and linking it to strategy and planning. In so
doing, reputation becomes more than just a risk to manage, but a
critical asset that can be leveraged to help enable the organization’s
overall success.
1. Dr. Nir Kossovsky and Peter J. Gerken, CPCU, Steel City Re, “The Looming Reputation
Risk Explosion: Massive Financial Impact Possible in 2018 from Corporate Reputational
Crises,” December 2017
2. ICM Annual Crisis Report, April 2018
3. AON, Global Risk Management Survey, 2017
4. Peter Dent, Deloitte global crisis management leader, “A crisis of confidence”
Brand and reputation risk
Strong reputations help companies withstand crises
—by Keri Calagna, principal, Deloitte Risk and Financial Advisory, Deloitte & Touche LLP
This story originally appeared in the Deloitte module of the Risk & Compliance Journal from The Wall Street Journal on January 16, 2018.
Prioritizing reputational resilience can help organizations prepare for
the worst while laying the groundwork for creating long-term value in
brand equity, strategic positioning, and future growth.
The increased prevalence of crisis events, such as product recalls,
cyber breaches, and executive misconduct, has had a significant
impact on many organizations’ reputations. At the same time, the
value of reputation has increased considerably. According to the 2016
US Reputation Dividend Report, “corporate reputations accounted
for $3.98 billion of market capitalization across the S&P in March
of 2016,” which was “20.7 percent of all shareholder value and 2.5
percentage points more than a year before.”
It’s no surprise, then, that reputation risk has jumped to the top of
executives’ priority lists. Nonetheless, many organizations still find
managing this risk problematic. In a recent Deloitte study, “A crisis
of confidence,” 73 percent of board members identified reputation
risk as the area about which they felt most vulnerable, but only 39
percent had a plan to address it.
The good news: There are many ways organizations can manage
their reputations to protect, preserve, and enhance enterprise value.
It’s not only about preparing for a crisis; it’s also about creating value
by purposefully managing reputation. By implementing a proactive
approach to reputation management, an organization can sense
threats, seize opportunities, and shape behaviors to achieve desired
outcomes. The following key steps can help companies start thinking
about and building reputational resilience:
Set a clear strategy. A successful reputation strategy includes the
development of a well-defined master narrative that is consistently
used to help an organization amplify its brand, differentiate itself in
the marketplace, and achieve business goals.
Cultivate advocacy. Advocacy is about empowering stakeholders,
both internal and external, to actively champion and protect the
organization’s reputation, especially during times of crisis or brand
shocks. Organizations can provide leaders and employees with:
• A compelling brand narrative
• Tools and processes to identify, report, and respond to
brand risks
• Resources, training, and incentives to build resiliency and enable
them to act as brand ambassadors.
The organizations that cultivate advocacy well focus relentlessly on
strengthening relationships—via targeted campaigns and meaningful
engagement strategies—to transform external stakeholders into
advocates. Purposeful stakeholder engagement helps both parties
achieve what they need and expect out of a relationship.
Build reputation resilience. Resilience is about proactively taking
steps to protect an organization’s reputation from a crisis. This
includes developing capabilities to sense threats early, evaluating and
assessing risk impact, and preparing for and responding to threats.
Examples of building resilience include monitoring traditional and
social media outlets 24/7 and embedding a risk-sensing team in the
risk governance structure to help inform decision-making. These
practices can be used to spot potential risks while also creating
strategic value for an organization by monitoring and acting on
industry trends.
Another important practice is the implementation of a crisis
response program that continually adapts. Leading programs have
a crisis playbook, conduct scenario planning and rehearsals, train
response leaders, and establish mitigation strategies to elevate
preparedness for reputational crises.
Provide strong governance. These steps cannot truly work without
strong governance to establish a cohesive platform and approach
for managing reputation. An effective governance model includes
measurement, monitoring, and aspects of continual improvement.
It is not necessarily about creating a new function or new jobs,
but rather about connecting existing capabilities to a consistent
and unified model that helps protect, preserve, and enhance an
organization’s brand and reputation.
Questions for Leaders to Consider
The following questions can help leaders begin to understand
their organizations’ reputation risks, as well as opportunities for
value enhancement:
• Which brand strategy will drive the greatest value for
the organization?
• Is management doing enough to engage key stakeholders?
• Do leaders and employees understand brand and
reputation risk?
• Is the organization prepared to handle a reputational crisis?
• Do employees understand their roles in building and protecting
brand and reputation?
• What can the organization do to better protect, preserve, and
enhance its brand and reputation?
Reputation is the foundation on which an organization is built. It is
the basis for customer loyalty. It’s the culmination of every aspect
of the organization—from product quality to employee behavior
and everything in between. Effectively promoting, protecting,
and preserving an organization requires leaders to prioritize
reputation as a key strategy and manage it programmatically. By
taking a forward-thinking approach, companies can use reputation
not only as a defense against crisis but also as an asset to fuel
their businesses.
Brand and reputation risk
Assessing brand health risk
—by Tony DeVincentis, partner; Rob Rush, managing director; and Zach Conen, senior manager, Deloitte Risk and Financial Advisory,
Deloitte & Touche LLP
This story originally appeared in the Deloitte module of the Risk & Compliance Journal from The Wall Street Journal on January 11, 2018.
To gauge the strength of their brands, organizations increasingly are
looking at the business operations behind the customer experience.
Branding is no longer limited to what consumers experience when
they encounter a company’s advertising, marketing, communications,
or customer service representatives. As revenue models and
customer expectations continue to evolve rapidly, every aspect
of a business can affect the brand—from logistics and inventory
management to the in-store experience. As a result, organizations
increasingly are considering the connection between their brands
and their underlying business operations, with a focus on how
performance can affect brand health.
“With stronger links to operational performance, brand health has
become—in many cases—a component of an organization’s risk
profile,” says Tony DeVincentis, a Deloitte Risk and Financial Advisory
partner, Deloitte & Touche LLP. “As a result, brand health is of
interest not just to CMOs but also to chief risk officers and the rest of
the C-suite.”
Brand health can be defined as a measure of how well a company
or brand delivers on certain attributes of a product or service
that it promises its customers, especially how those attributes
are perceived by customers in terms of quality and delight. “A
healthy brand delivers consistent, memorable, and differentiated
experiences for the customer, while less satisfactory brand health
is often associated with customer experiences that are inconsistent
and delivered with little emotional connection to the customer,” says
Rob Rush, a Deloitte Risk and Financial Advisory managing director,
Deloitte & Touche LLP. “The closer a customer experience is to the
brand promise, the healthier the brand.”
Brand Health Risks
Across many industries—from health care and hospitality to
retail—today’s consumers have a growing number of choices
and, as a result, higher expectations for brand experiences.
Many organizations, meanwhile, are still adjusting to the more
basic challenges of a digital world, such as managing negative
buzz on social media or providing a consistent omnichannel
brand experience.
Employees can also present a brand health challenge. “Not all
employees may get on board with the vision a company has for its
consumer experience,” Rush says. “That can create a misalignment
with the company’s brand and damage brand health.”
Most leading hospitality organizations, for example, invest a
significant amount of time in identifying, hiring, training, and
nurturing their employees so they can deliver a specific customer
experience. “Hiring the right employees takes significantly more
time, effort, and capital,” Rush says. “Ultimately, however, it makes
a difference. Turnover rates often are lower for those employees,
and when they interact with customers, managers can sleep better
knowing they have an effective brand ambassador.”
A Plan for Brand Health
To improve brand health, organizations can begin by defining the
optimal customer experience, based on feedback from customer
research and focus groups as well as input from management and
branding agencies. The next step is to develop a playbook that
organizes and codifies brand service standards for customer-facing
associates. The playbook defines the unique brand experience
the company seeks to deliver and explains how employees can
create that experience. For example, the playbook might detail
how to maintain a store’s appearance, and what infrastructure and
processes support the desired behavior.
To make the playbook more effective, organizations can identify
metrics to benchmark and measure customer interactions against
the desired experience. “Standard metrics could include, for
example, customer and franchisee satisfaction ratings, economic
performance, and employee turnover,” says Zach Conen, a Deloitte
Risk and Financial Advisory senior manager, Deloitte & Touche LLP.
Some organizations may also want to define customized metrics that
give an overall indication of brand health, such as how effectively
customer relationships are renewed, which typically is a function of
customer loyalty, he says.
After determining relevant metrics and measuring against them,
companies can begin to identify gaps and develop a strategy to
address any shortcomings. Addressing gaps might require, for
example, more effective training, additional capital for facility updates
and staff rewards, or improved operational oversight.
Weighing Tradeoffs
It’s important for organizations to understand their level of tolerance
for brand health tradeoffs. For example, when is it appropriate
to preserve or improve brand health at the expense of revenue
generation? The franchise industry offers a relevant example:
Consider an acquisition in which a leading brand acquires a chain
with a lower level of brand health. To improve customer experiences,
the acquirer imposes its training and operational rigor on the target
company as well as its compliance expectations for brand standards.
Licensees unwilling to adhere to the new operating model, or to take
on the associated costs, exit the franchise relationship.
The decision to let licensees leave the franchise generally impacts
franchise fee revenue, but this self-selection process often
strengthens the acquirer’s brand by weeding out underperforming
franchisees, Rush says. “However, not every management team and
board are willing to walk away from underperforming licensees and
revenue to bolster their brand,” he notes.
Although that’s just one example, many organizations may find
themselves making such tradeoff decisions as they seek to
strengthen brand health. “Every interaction with a customer is a
moment of truth that either strengthens or weakens the customer’s
perception of an organization’s brand,” DeVincentis says. “Identifying
and measuring these moments can help build sustained customer
loyalty and manage the risks to brand health for long-term
competitive advantage.”
Brand and reputation risk
Taking the pulse of brand health risk
—by Tony DeVincentis, partner; Rob Rush, managing director; and Zach Conen, senior manager, Deloitte Risk and Financial Advisory,
Deloitte & Touche LLP
This story originally appeared in the Deloitte module of the Risk & Compliance Journal from The Wall Street Journal on December 12, 2017.
The traditional view of brand is that it is strengthened or harmed
by what consumers experience through advertising, marketing,
communications, and interactions with representatives of the brand.
More recently, however, organizations are considering the connection
between brand and their underlying business operations, with a
focus on how effective performance can impact brand health.
“With stronger links to operational performance, brand health has
become — in many cases — a component of an organization’s risk
profile,” says Tony DeVincentis, a Deloitte Risk and Financial Advisory
partner, Deloitte & Touche LLP. “As a result, brand health has risen to
the level of the C-suite.”
Brand health can be defined as a measure of how well a company
or brand delivers on certain attributes of a product or service
that it promises to its customers, especially how those attributes
are perceived by the customer in terms of quality and delight. “A
healthy brand delivers consistent, memorable, and differentiated
experiences for the customer, while less satisfactory brand health
is often associated with customer experiences that are inconsistent
and delivered with little emotional connection to the customer,” says
Rob Rush, a Deloitte Risk and Financial Advisory managing director,
Deloitte & Touche LLP. “In short, the closer a customer experience is
to the brand promise, the healthier the brand,” he adds.
Brand Health Risks
Fundamental changes in sectors from health care and hospitality
to retail and government are giving consumers more choices, and
requiring organizations to deliver exceptional experiences to capture
and retain customers and maintain brand health. At the same time,
organizations are challenged by new, disruptive forces that were not
a significant factor as recently as five years ago. These forces include
negative word-of-mouth comments on social media, efforts to
provide a consistent brand experience in an omnichannel world, and
significant variation in survey scores among locations, which usually
indicates an issue with the operator rather than with an underlying
process or infrastructure issue.
Another brand health challenge organizations face is not having the
right players on the field. That can happen when rigor in identifying
and recruiting the “right” employees is missing and the organization
instead is just hiring to fill open positions. “Oftentimes in service
industries, delivering the intended experience is not something that
just any employee can deliver, and not all employees may get on
board with the vision a company has for its consumer experience.
That can create a misalignment with the company’s brand and
damage brand health,” observes Rush.
Most leading hospitality organizations, for example, invest a
significant amount of time into identifying, hiring, training, and
nurturing their employees who in turn deliver a specific customer
experience. “It probably takes 10 times as much time, effort and
capital in terms of the recruitment, identification, and interview
processes to hire the ‘right’ employee than it does just to hire
anyone,” says Rush. “But, ultimately it makes a difference because
the more touches that employee has with the customer the better,
turnover rates often are lower, and when those employees interact
with customers, management sleeps better knowing they have an
effective brand ambassador.”
Developing a Playbook for Brand Health
Improving brand health typically begins with the organization’s view
of the optimal customer experience informed by management’s
expertise, customer research, focus groups, branding agencies, and
other inputs. The next step is developing a playbook that organizes
and codifies brand service standards for customer-facing associates.
The playbook defines the one, unique brand experience that should
be delivered to customers and how employees should behave to
promote the experience. For example, the playbook might focus
on when to open a store and how to maintain it, as well as what
infrastructure and processes need to be in place to support the
desired behavior.
For a playbook to be effective, organizations should develop metrics
to benchmark and measure customer interactions to understand
how close they come to the optimal experience, and then identify
gaps and a strategy to address any shortcomings. Addressing gaps
could include more effective training, additional capital for facility
updates and staff rewards, or improved operational oversight.
Organizations may find that measuring brand health prompts
adjustments to the playbook, which could require going through
the assessment cycle between regularly scheduled evaluations.
“To understand if the playbook is effective, organizations can look
at standard metrics, such as customer and franchisee satisfaction
ratings, economic performance, and employee turnover,” says
Zach Conen, a Deloitte Risk and Financial Advisory senior manager,
Deloitte & Touche LLP.
Some organizations may want to define customized metrics that
give an overall indication of brand health, such as how effectively
customer relationships are renewed, which typically is a function
of customer loyalty. “If a loyalty metric is used as a proxy for brand
health, then the aim is to design the metric so it is based on what
goes into a consumer’s decision-making process to renew the
relationship on an ongoing basis,” says Conen. In the sports industry,
for example, research indicates that a season ticket renewal is driven
less by team performance and more by the relationship the ticket
holder has with their personal ticket sales representative. That
insight led more teams to invest in that interpersonal relationship
and created metrics to gauge how effectively their service staff was
engaging their portfolio of ticket holders.
Pitfalls and Tradeoffs
An effective brand health playbook generally includes a social media
monitoring component. However, avoiding pitfalls inherent in the
monitoring process is just as important. DeVincentis notes that
social media feedback tends to be skewed, reflecting the opinions
of outliers rather than a typical customer experience. Feedback
usually is posted by consumers who are either fully engaged
or disengaged from a business because of positive or negative
experiences, respectively. “Often, the feedback is situational, and
not representative of whether the average customer experience is
consistent and on-brand. That’s why it is important for organizations
to capture and measure average experiences rather than outlier
experiences,” notes DeVincentis.
He emphasizes that what drives customer experiences on a
regular basis “are the operational processes that occur every day, a
thousand times a day,” and explains that “taking steps to ensure that
customers receive an on-brand experience consistently across all
geographies can require added capital and resources. The effort may
strengthen brand health and provide an effective defense against
negative, situational social media comments,” adds DeVincentis.
Also important is understanding the organization’s tolerance
for brand health tradeoffs. For example, when is it appropriate
to preserve or improve brand health at the expense of revenue
generation? The franchise industry offers a relevant example:
Consider an acquisition in which a leading brand acquires a chain
with a lower level of brand health. To improve customer experiences,
the acquirer imposes its training and operational rigor on the target
company as well as its compliance expectations for brand standards.
Licensees unwilling to adhere to the new operating model, or to take
on the associated costs, exit the franchise relationship.
The decision to let licensees leave the franchise generally impacts
franchise fee revenue, but ultimately this self-selection process often
strengthens the acquirer’s brand by weeding out underperforming
franchisees, says Rush. “But not every management team and
board are willing to walk away from underperforming licensees and
revenue to bolster their brand,” he notes.
Effective brand health strategies consider both the way a brand
touches customers and the way a brand operates behind
the scenes to deliver on its promise. Further, the strategic nature of
decisions about brand health, including those involving operational
models, reputation, and revenue, has turned it into a C-suite issue,
weighed along with other factors when assessing an organization’s
long-term viability. “There even seems to be a willingness today
The risk executive agenda -- A compendium of Deloitte insights

  • 1. The risk executive agenda A compendium of Deloitte insights Articles published as sponsored content in the Risk & Compliance Journal from The Wall Street Journal from August 2017 to August 2018 Enterprise risk management Brand and reputation risk Crisis management About Deloitte Risk Intelligence services
  • 2. Enterprise risk management Previous Next Broadening the lens of EERM to focus on value creation Managing the digital risks of new business models How ERM can support strategy and performance Transparency: Key to managing information exchange risks in outsourcing A strategic risk approach to disaster recovery: Beyond traditional planning The networked economy: Strengthening organizations across the extended enterprise Strategic resiliency: Striking a balance between protecting and creating value Inadequate visibility into third parties raises risks: Global survey Enterprise risk management Brand and reputation risk Crisis management About Deloitte Risk Intelligence services
  • 3. Enterprise risk management Inadequate visibility into third parties raises risks: Global survey Organizations are placing a renewed focus on enhancing extended enterprise risk management (EERM) amid increasing dependence on third-parties. Yet progress toward EERM maturity has been slower than expected, according to Deloitte Global’s third annual EERM survey, “Focusing on the climb ahead.” Dependence on third parties continues to grow, with 53 percent of the more than 900 respondents reporting “some” or “significant” increase in their level of dependence on third parties. Another 57 percent of respondents feel their organizations do not have adequate knowledge and an appropriate level of visibility over fourth or fifth parties (third-party outsourced relationships) in their extended enterprise. Similarly, 53 percent of respondents from the U.S. feel the same way about not having adequate knowledge or an appropriate level of visibility. The survey responses reflect the views of 975 senior leaders from a variety of organizations in 15 countries across the Americas, Europe Middle East, and Africa (EMEA), and Asia Pacific. “The survey findings reveal that organizations are taking an earlier, more strategic view of third-party risk drivers to create value and identify new opportunities,” observes Chuck Saia, CEO of Deloitte Risk and Financial Advisory at Deloitte & Touche LLP. “Organizations seem to have a more balanced outlook with regard to establishing the business case for investment in EERM initiatives. For example, they tend to focus on mitigating the downside threats of risk while enabling calculated risk-taking aligned to strategic opportunities, such as innovation and positive cost reduction,” says Saia. 
Despite this awareness, and some associated improvements in third- party governance and risk management, the survey also identified six areas where many organizations may need to make further efforts: inherent risk and maturity; business case and investment; centralized control; technology platforms; sub-contractor risk; and organizational imperatives and accountability. —by Chuck Saia, partner; Kristian Park, partner; and Dan Kinsella, partner, Deloitte Risk and Financial Advisory, Deloitte & Touche LLP This story originally appeared in the Deloitte module of the Risk & Compliance Journal from The Wall Street Journal on June 25, 2018. Previous Next Enterprise risk management Brand and reputation risk Crisis management About Deloitte Risk Intelligence services
  • 4. Journey to Maturity Amid critical levels of third-party dependency, only 20 percent of organizations have streamlined their EERM systems and processes, and 53 percent of respondents now believe their journey to achieve EERM maturity is two to three years or more. “This is a significantly longer journey than anticipated in earlier surveys, when respondents reported that this could be achieved in six months to a year,” according to Kristian Park, the EMEA leader, Extended Enterprise Risk Management at Deloitte Global Risk Advisory. “This reflects a more realistic time-frame, and we’d expect organizations to be closely aligning plans to address the expected regulatory outlook over this period.” In addition, board oversight and engagement with EERM programs continue to be relatively low, according to the survey report. Globally, 38 percent of board members and 39 percent of risk domain owners still have lower to insignificant levels of engagement on the EERM agenda. Among U.S. respondents, the number is slightly better with only 23.5 percent saying their organization’s board members have lower to insignificant levels of engagement. “Boards recognize that many third-party relationships have traditionally been managed in siloes within business units in a manner that is neither strategic nor consistent,” notes Dan Kinsella, a partner with Deloitte Risk and Financial Advisory at Deloitte & Touche LLP. “The good news is that boards are becoming more engaged and applying oversight, which is creating a more centralized, ‘federated’ approach to EERM. This type of approach can reduce redundancies and leverage technologies to help enterprises drive gains, open new markets, and decrease the uncertainty that can exist with third parties,” adds Kinsella. 
Visibility and Dependency While more than half of respondents say knowledge and appropriate levels of visibility over third-party outsourced relationships is adequate, only 2 percent indicate that they regularly identify and monitor their subcontractors (fourth/fifth parties). Another 10 percent do so only for those subcontractors identified as critical. The other 88 percent either rely on their third parties to regularly identify and monitor subcontractors; have an unstructured/ad hoc approach; do not identify or monitor subcontractors at all; or do not know their organizational policy and practices in this regard. The financial services industry underscores the contradiction with 71 percent of respondents from that sector reporting a heightened perception of risks inherent in third parties. Yet the most notable increases in the level of dependence on the extended enterprise have taken place in the financial services industry segment, with 59 percent of respondents reporting some or significant increase during the last year. In addition to a focus on increasing maturity and subcontractor risk, the report also explores other areas where most organizations could benefit from further EERM efforts.
  • 5. Organizational imperatives and accountability. Ownership and accountability for EERM seem to be well established in the C-suite, with 78 percent of organizations suggesting that the CEO, CFO, CRO, chief procurement officer, or a member of the board is ultimately accountable for this topic. The most significant concern for respondents appears to be skills, bandwidth, and competence of talent engaged in EERM-related activities (45 percent), followed by the clarity of roles and responsibilities, and EERM processes (41 percent in both cases). Centralized control. Many organizations are adopting central oversight and management to accelerate risk awareness and efficiency. Fifty-five percent of organizations are now equally or more decentralized than centralized (down from 62 percent in the prior survey). This reflects that organizations are starting to scale back on decentralization in the overall organization. Business case and investment. While the main catalysts for EERM focus on mitigating risk and compliance, there is an increasing focus on driving value. The business case for investment in EERM is now being driven by other factors that exploit the upside of risk, such as enhancing organizational responsiveness and flexibility, innovation, brand confidence, and increasing revenues. Among U.S. respondents, more than 46 percent considered investment in EERM a revenue-generating opportunity. Globally, 21 percent considered investment in EERM a revenue-generating opportunity. Technology platforms. In keeping with the trend of increased centralized oversight of EERM activities, technology decisions are now being made more centrally and a standard tiered technology architecture is emerging. Less than 10 percent of respondents are currently using bespoke systems for EERM, a sharp drop from just over 20 percent in the prior survey. 
“The critical success factors for capturing the upside opportunity of risk will be measured not only on how cost efficient or effective the frameworks are designed or operated, but primarily on how well risk is managed and mitigated,” says Saia. “Should organizations lose this strategic insight and reduce their annual investments in EERM, it is likely to be at the expense of reputation, regulatory scrutiny, and ultimately consumer backlash,” he adds. About the Survey Deloitte Global’s 2018 EERM survey, “Focusing on the climb ahead,” is based on 975 responses from a variety of organizations across major industry segments and from 15 countries across the Americas, Europe, Middle East, and Africa, and Asia Pacific. A record number of participants this year reflects the ever-increasing profile of third-party risk and the investment third-party risk management is receiving within organizations.
  • 6. Enterprise risk management Broadening the lens of EERM to focus on value creation —by Dan Kinsella, partner; Jonathan Rizzo, senior manager; and Carolyn Axisa, senior manager, Deloitte Risk and Financial Advisory, Deloitte & Touche LLP This story originally appeared in the Deloitte module of the Risk & Compliance Journal from The Wall Street Journal on May 29, 2017. The extended enterprise — the hundreds and sometimes thousands of third parties a business works with each day — has evolved into more than a network of back-office service vendors. While the main drivers for EERM center on mitigating risk and compliance, there is an increasing focus on driving value, according to Deloitte Touche Tohmatsu Limited’s 2018 Global EERM Survey. “Many organizations are using third parties to perform core operations and processes, as well as to help meet strategic objectives,” says Dan Kinsella, a Deloitte Risk and Financial Advisory partner with Deloitte & Touche LLP. “And that makes a significant difference in the way senior executives and boards should think about extended enterprise risk management (EERM),” he adds. “One approach is to think about third parties as teaming with the business to help create value,” he adds. The business case for investment in EERM is now being driven by other factors that focus on the upside of risk, such as enhancing organizational responsiveness and flexibility, innovation, brand confidence and increasing revenues — such as when agents help open new markets or suppliers provide access to new geographies. Globally, 21 percent of the 975 executives responding to the survey consider investment in EERM a revenue-generating opportunity, while among U.S. respondents, 46 percent felt the same way. “The survey results indicate that organizations are taking a more balanced view of EERM than in the past, acknowledging that value creation is as critical as value preservation,” notes Kinsella. 
Connecting the Dots to Value Creation Traditionally, the value derived from EERM programs has focused on loss avoidance in terms of fines, regulatory actions, and reputation risk. “However, revenue recovery efforts that can ‘plug leaks’ in the bottom line should also be considered,” says Jonathan Rizzo, a Deloitte Risk and Financial Advisory senior manager with Deloitte & Touche LLP.
  • 7. He notes that an effective EERM program might include, for example, efforts to reduce future costs, increase confidence in information shared with third parties, promote transparency in third-party processes, and clarify contractual expectations. “These are all activities that likely have potential revenue recovery benefits and link back to effective management of extended enterprise risk,” says Rizzo. In Deloitte’s experience with cost recovery projects, there are many potential benefits. A review of accounts payable, for example, could generate average savings of up to 10 percent, and a review of contract compliance could yield up to 5 percent on average of related spend. Similarly, reviews of joint ventures could produce up to 15 percent in average savings on related expenses, while software asset management could yield up to 20 percent of average savings on software spend. Enhancing assurance activities over third parties, if done effectively, also can generate value. “Proactive efforts to manage the extended enterprise can open doors to revenue opportunities by qualifying a company to do business with other entities,” says Carolyn Axisa, a Deloitte Risk and Financial Advisory senior manager with Deloitte & Touche LLP. From the buyer’s standpoint, well-defined supplier standards, along with governance processes and enabling technologies, can form the backbone of a supply chain compliance optimization program. “Such programs not only seek to ensure third-party adherence to policies and standards, but also to drive revenue by aligning the extended enterprise with the organization’s broader business objectives, such as improving product quality, entering new markets, and satisfying demands for sustainable sourcing,” notes Axisa. Building a strong EERM program has the potential to bolster financial performance as well. 
“Implementing and managing EERM programs using technologies that are well-suited to the task can drive efficiency, reduce costs, improve service levels, and increase return on equity,” says Rizzo. He points to recent Deloitte research that says organizations with a well-defined technology-enabled EERM framework typically tend to realize an additional four to five percent return on equity. “Better tools and technology can significantly reduce the time spent on pre-contract, post-contract, and ongoing tracking and monitoring activities, which provides for more time for focusing on broader, strategic areas of risk management and value creation, such as performance, strategy, innovation and commercial efforts,” adds Rizzo. Technology enhancements can include predictive and sensing analytics, highly customized decision-support tools, and internal data that is centralized and easily accessible. A New EERM Perspective for Boards A well-executed EERM program not only enables value creation by taking advantage of opportunities that third parties create, but also revisits roles of people, technology, and processes, which in turn enables risk management processes. Further, effective EERM programs advocate a greater oversight role for the boards as a fourth line of defense.
  • 8. “Due to the added complexity of many extended enterprises, EERM may have outgrown its fundamental three-lines-of-defense model — management and internal control measures; compliance and risk controls; and internal audit. In today’s environment, where businesses operate with a host of ecosystems, a four-line model that advocates a greater oversight role for the board may be needed to make sure the board, or a board committee, monitors EERM issues,” suggests Kinsella. Results from the 2018 survey indicate a shift in how senior executives and board members think about EERM. Boards and C-suite executives believe their accountability around EERM is increasing. At the same time, they believe that their levels of engagement and coordination need improvement. Only 20 percent of board members have a high level of engagement where a member of the board has ultimate accountability, according to the survey. This may imply that levels of engagement in the remaining 80 percent of organizations where the board operates in an oversight or supervisory role are, at best, moderate (42 percent of respondents), if not low (19 percent). The 2018 survey findings also indicate that reputation risk has supplanted regulatory compliance as the biggest driver of investment in EERM in the financial services industry, a sector that is one of the most mature with regard to EERM. Reputation risk also was cited by respondents as one of the top “value-destroying” risks that organizations are the least prepared to address. For boards to play a more comprehensive oversight role in EERM, they will need access to management data from across the enterprise, and organizations would need to consider how to provide such access. Boards also would require the capability to monitor and track risks in the external environment. 
“The traditional three-lines-of-defense model may need to be updated, especially as extended enterprises grow more complex—another reason for greater board engagement as the fourth line,” observes Axisa. If boards don’t have the time or resources to focus on EERM, a risk committee could become the fourth line of defense, working with the full board to oversee risk management of the extended enterprise. “The audit committee could be another option to oversee EERM; however, that committee often is more focused on operational and financial risks than on the extended enterprise,” notes Rizzo.
  • 9. Rethinking the Extended Enterprise Risk Management. Emerging EERM trends: Ongoing monitoring: Risk and performance data must be monitored on a near real-time basis and used to alter the course of third-party risk management. Leveraging utilities: Utilities provide a solution to the increasing assessment "fatigue" through shared assessments, innovative technology, and more advantageous pricing. Organizing for EERM: There is no one-size-fits-all approach; each organization should customize its EERM organization in line with strategic context. Emerging technology enablement: A portfolio of technology is used to enable an EERM program and should be prioritized in alignment with the organization's risk approach. Source: Deloitte Dbriefs: The new extended enterprise: Resetting the front line. Moving Toward a New EERM Approach EERM is a board and C-suite led transformational approach focused on value creation—in addition to value preservation—and enabled by governance structures, roles, responsibilities, processes, and technologies. “EERM is transformative because it pushes the focus of third-party risk management from being only compliance- and reporting-oriented to enabling identification and exploration of value creation opportunities through third parties.” “There is no one-size-fits-all approach to EERM. However, managing third-party risk from both a revenue and cost perspective can provide significant opportunity to drive additional business value, create efficiencies, and build resilience,” observes Kinsella.
  • 10. Enterprise risk management Managing the digital risks of new business models —by William Ribaudo, partner, Deloitte Risk and Financial Advisory, Deloitte & Touche LLP This story originally appeared in the Deloitte module of the Risk & Compliance Journal from The Wall Street Journal on May 7, 2018. As industries continue to converge and companies adopt new business models to compete, digital risks are becoming a rising concern for the C-suite and boards. To address the most significant digital risk—created by business model disruption by competitors—it is critical to examine whether the core strategy itself remains sufficient in the face of new technologies and as nontraditional competitors enter the marketplace, according to William (Bill) Ribaudo, managing partner of Deloitte Risk and Financial Advisory’s Digital Risk Venture Portfolio, Deloitte & Touche LLP. A member of Deloitte’s US CFO Program leadership team, Mr. Ribaudo discusses why organizations should reassess their business models to understand their digital maturity, and what steps can be deployed to address the strategic risks that come with today’s increasingly ubiquitous digital technologies. Q: How do you define digital risk? Bill Ribaudo: An organization’s digital risk will vary depending on how it incorporates technology into the core of its business model. In the last decade, many organizations have applied digital applications and features to their businesses with various degrees of success. For example, some more traditional organizations applied digital technologies using a bolt-on approach through acquisition, without integrating them into the core business model. But rather than merely add new technologies, they should have considered making a more connected and fundamental shift in the business model itself. By taking a piecemeal approach, these organizations may have increased the associated digital risks. That’s not to say companies need to be fully digital to survive. 
Rather, they need to find the right mix of physical and digital assets, a strategy that is still elusive to many. Based on our research, shareholders place a higher value, measured as a multiple of revenue, on more digitally enabled companies. CEOs, particularly those of more traditional companies, are growing aware of the need to invest in digital operations and infrastructure. And the way they make that transformation is critical to their future competitive success, and managing the risks they will face. So when we talk about digital risk, it’s important to first look at how organizations are applying digital. Generally, they fall into one of two
  • 11. broad categories: they either use digital in the business or they use digital as the business, and the difference is significant for their risk profiles. Digital in the business refers to those organizations that are adapting digital applications to their existing physical businesses. A large retailer using digital technology for their point of sale (POS) system is an example. If the POS system goes down, customers can continue to make some purchases, such as with cash and check, and the retailer can still conduct business. In contrast, digital as the business refers to companies in which digital is the way they transact, such as an online e-hailing ride service. In this case, if there’s disruption in internet connectivity, it cannot conduct business; and typically as a result, business with customers stops. So the digital risks in this business model are dramatically different than a business that uses technology in the business, and the risks likely will have a more significant impact on the business. Q: How does digital risk differ from more traditional types of risk that organizations face? Bill Ribaudo: What is different is the speed of impact. If you analyze how those risks play out within a business, they work through three traditional risk management channels—strategic risk, operational risk, and governance risk. Strategic digital risk is the fundamental threat now faced by many companies that have not successfully incorporated a digital framework into their business model. Companies may do a solid job executing operationally focused strategies, but if they don’t progress toward business models that balance physical and digital capabilities, they increase the risk of being disintermediated and losing direct interactions with their customers. Operational digital risk derives from not implementing today’s IT applications to do things better, faster, cheaper, and it mostly impacts productivity and efficiency. 
For example, if a company adopts new IT associated with robotic process automation (RPA) or blockchain, merely to automate existing processes or steps without changing the fundamentals of the company’s business model, this can create digital risks to operations. The third area, governance digital risk, is an outcome or result of both strategic and operational strategy. Management has the responsibility to ensure that all the digital technologies employed, whether strategic (think business model) or operational (as in better, faster, cheaper) are fulfilling the goals set and that new risks are addressed. One step in that process would be to inventory and manage the many different RPA applications installed and ask: “Do we have bots that are talking to bots that are talking to other bots, and do we know all the linkages to our legacy systems?” Imagine the risks that can arise when you have 100 RPA projects happening at once, feeding off of 80 different systems. Someone needs to be looking at that inventory of risks across all business units. Q: What are some considerations and strategic risks when transforming to a digital business model? Bill Ribaudo: Understand that the purpose of transforming to digital falls under the category of using today’s latest technology
  • 12. to serve customers better than your competitors. The challenge for management and boards is that the speed of technological advancement has accelerated beyond their knowledge and capability, and as a result they are likely not investing as needed to stay ahead. That opens the door to new competitors who can enter their space and create disintermediation and, therefore, strategic risks. To deal with these realities, executives can consider five broad steps: First, start with a clear understanding of the company’s current business model and be prepared to shift your mental model about understanding where value comes from and what shareholders are now valuing. The next step is to create a “market-based balance sheet” that reflects market-based valuations and identifies any implied intangible assets. Leveraged or monetized intangible assets, such as customer connection, customer information, operating data, etc., are more valued in the digital economy. It’s these assets that can become the building blocks of a new business model. The third and fourth steps entail developing new business models based on those intangible assets, and creating a plan to reallocate capital to leverage those assets. Based on our research, new business models can be valued using a revenue multiplier applied to a certain type of business model—asset-based, service-based, IP-based, or network-based. The last step involves establishing ways to measure and manage these new models, including new sets of key performance indicators (KPIs). New business models require new KPIs, and as the saying goes: “People manage and respect what you measure.” Q: Why might some organizations hesitate to embrace digital? Bill Ribaudo: With respect to digital in the business, we are not seeing hesitation. This, I believe, is because management is generally comfortable employing operational technologies—better, faster, cheaper—to improve operations. 
However, when it comes to strategically changing business models, management has, at times, had a hard time making the transition. Typically, traditional companies have leaders who have not grown up in the digital age and, as a result, many of these companies and their leaders may not have the familiarity or comfort to venture into this unknown space. For companies to make the leap, they also need to get the entire leadership team to buy into the new direction and ensure the board is supportive, too. This alignment alone is difficult for many organizations to achieve and why often times companies fail, when others are better able to manage change more successfully. Another obstacle is reallocating capital from supporting the historical business to investing in new digital areas, where digital means in the business, at the same time that current investors want the organization to keep doing what it has been doing. Changing strategies often involves shifting groups of investors and there can be a market penalty for doing so. In the end, investors pay for the promise of growth, and if the new strategy is not communicated effectively, or shareholders are not convinced of the benefit, there can be much risk-related turbulence.
  • 13. Q: What are the roles of the CFO and CRO in managing the risks that come with shifting to business models that embed digital? Bill Ribaudo: The CFO has a pivotal role in being what I call the great translator as a company embarks on a digital business model transformation. The CFO needs to work closely with operating management and be able to explain the financial implications of different strategies. How will the market and investors react to strategy A versus strategy B? Understanding that requires financial modeling, scenario planning and buy-in from the board. It’s also essential to understand and convey the cost and risks of standing still and doing nothing. For the CFO and CRO, it is critical to anticipate, assess, and monitor this new risk frontier triggered by new digital business models.
  • 14. Enterprise risk management How ERM can support strategy and performance —by Keri Calagna, principal; and Jacqi Fifield, specialist leader, Deloitte Risk and Financial Advisory, Deloitte & Touche LLP This story originally appeared in the Deloitte module of the Risk & Compliance Journal from The Wall Street Journal on February 26, 2018. With the 2017 update of the Enterprise Risk Management (ERM) framework, the Committee of Sponsoring Organizations (COSO) of the Treadway Commission recognized the importance of aligning ERM to an organization’s strategy and performance. Keri Calagna, principal, and leader of the Strategic Risk Management practice at Deloitte & Touche LLP, and Jacqi Fifield, a specialist leader within the practice, discuss aspects of the updated framework, what organizations can do to better connect risk management to strategy and performance, and what boards are expecting from ERM programs. Q: Why did COSO update its ERM framework? Keri Calagna: The initial ERM Integrated Framework was first released by COSO in 2004. The update released last year comes at a time when organizations are challenged by technology innovation, ongoing changes in consumer preferences, regulatory uncertainty and other business disruptions that threaten their ability to compete effectively. Executives need to anticipate and address these challenges while making choices about risk that enable strategy, build resilience and drive value. The updated COSO framework emphasizes the connections between risk, strategy, and value and provides a new lens for evaluating how risk informs strategic decisions, which ultimately affects performance. Equally important, it elevates the role of risk in leadership’s conversation about the future of their organization. 
Jacqi Fifield: Executives need to understand and think strategically about known and emerging risks that affect or are created by business strategy decisions. Many organizations and ERM programs already connect strategy and risk management by identifying and assessing known risks to executing a strategy, but this is not enough. Risk programs must also address risks to strategy caused by external changes that may not have been foreseen when the strategy was originally developed. These new risks may need to be addressed or strategies may need to be modified. Q: What are some challenges organizations have in implementing ERM effectively? Keri Calagna: We see a few common challenges implementing effective ERM. Some organizations have a hard time demonstrating the value of ERM and investing adequate resources to build a strong risk capability. Some find it difficult to integrate risk management
  • 15. across the organization, embedding it into business units, functions and processes. Other organizations fail to build a risk-aware culture that is embraced and governed by a strong tone at the top among senior leadership. An effective ERM program has a few basic requirements. It should escalate the right risks to the right people in a timely manner, and as a result, drive meaningful risk conversations with leaders to inform decision-making. When ERM is working properly, it should increase resource efficiency and effectiveness in the management of core risks to the enterprise, while reducing the impact of crisis events and protecting the reputation of the organization. Last, ERM should support the achievement of strategic goals and objectives as determined by leadership. Jacqi Fifield: One of the top challenges I see is the difficulty to identify emerging risks to strategy. There could be an ERM program in place, but it may be only identifying current known risks rather than also helping executives anticipate unknown risks that may be emerging. One sign an ERM program is not effective is when executives see the same risk heat map year after year, which does not help them make better decisions. What is often missing are deep discussions at the C-suite and board levels on root causes of the known risks and what more could be done to act on the risk information they are getting. Ongoing risk discussions can help integrate risk into strategic decision making on a formal and informal basis. Q: What is the linkage between the ERM framework and performance? Keri Calagna: Strong ERM enhances an organization’s desired performance and chances of success in achieving its strategy. ERM can be used for both offense and defense, to both protect value and to enhance value. ERM helps identify and manage risks that could limit an organization’s ability to achieve its strategic objectives. 
When done well, ERM also allows leaders to take smarter risks in the pursuit of opportunities that can lead to greater rewards. In order to get there, organizations need to have confidence in their ability to identify, analyze and strategically think about the risks to strategic decisions on an ongoing basis and to be confident in their ability to monitor, respond and correct course in the face of unforeseen events. Jacqi Fifield: Let me share an example of how this can work. Position a risk team member within a business unit to help embed risk intelligence into day-to-day operations and link risk to performance goals. The risk analyst can build and conduct risk assessments, monitor risks and work directly with the business owners to advise them on how best to manage risks. The better risks are managed, the stronger the business is likely to perform. Q: What do boards expect from ERM? Jacqi Fifield: Boards in general want more transparency, and many are not receiving the risk reporting and updates they need. Many boards and executives are indicating a lack of confidence in the robustness of existing ERM programs and question whether the programs allow them to effectively oversee and
  • 16. guide strategic decisions for the organization. Are ERM programs identifying the right risks at the right time, given the complexities in the environment? ERM programs should support the board’s risk oversight role by providing specific insights into risks to the organization’s strategy and support leadership’s decision-making processes on an ongoing process. Risk reporting to the board should include how effectively risks are being addressed by tracking metrics that are impactful, valid, and measurable, including key risk indicators that impact performance. Keri Calagna: To further Jacqi’s point, board members are worried about the unknown risks that are out there. They want confidence that they are not missing something significant, and as a result, that they are asking more insightful questions of their executives. A leading practice is to have a chief risk officer (CRO)-type role at the executive level. This helps set a strong tone at the top and signals that risk has a seat at the table to help set and achieve strategy. A CRO can give the CEO and the board the comfort that they have a peer and a partner whose job is to help manage and mitigate risk, and help grow the business in line with strategy. For those organizations that do not have a C-suite level risk executive in place, initiating risk management pilot programs in a few key areas, such as M&A or strategic planning, and incorporating a risk framework into the decision-making process, can be a place to start. Similar coordinated initiatives can be introduced in other areas, helping to show the value that integrating risk into strategic decisions can bring. Board members want confidence in risk management, and they want to know that the organization has strong risk governance in place with executive level accountability.
  • 17. Enterprise risk management Transparency: Key to managing information exchange risks in outsourcing —by Dan Kinsella, partner, Deloitte Risk and Financial Advisory, Deloitte & Touche LLP This story originally appeared in the Deloitte module of the Risk & Compliance Journal from The Wall Street Journal on December 19, 2017. The use of outsourcing providers by organizations is increasing globally, and the functions and tasks being sent to third parties are more closely related to those organizations’ core business than in the past, according to research from Deloitte. * Effectively managing risks that can penetrate the extended enterprise requires executives and board members to “think beyond their four walls in diverse ways,” observed Dan Kinsella, Deloitte Risk and Financial Advisory partner, Deloitte & Touche LLP, who led a panel on bringing more transparency to the information exchange process in outsourcing arrangements at a Compliance Week conference. “These risks are no longer relegated to accounts payable or the exchange of financial information,” added Mr. Kinsella. He explained that third-party relationships can affect an organization’s reputation and create risks around the disclosure of nonfinancial information, such as personal identifiable information or research—breaches that may not be caught by accounting and inventory controls because they are unrelated to financial transactions. Mr. Kinsella’s discussion focused on how to improve the exchange of information between the two parties by improving efficiency and addressing related risks. Information Exchange Challenges The information passed between a customer of outsourced services and its third-party provider can include security and controls documentation from the vendor, as well as evidence of the vendor’s credit worthiness and financial stability. 
“The information exchange challenge begins at a fundamental level, early in the customer-vendor relationship,” commented Jeremy Taylor, vice president, chief compliance officer and associate counsel—Litigation, at Dover Corporation. “As a client or customer, I will request information from third parties on an ongoing basis to evaluate the risk in the relationship to manage my company’s compliance efforts and follow up on anything that causes me concern,” he added.
  • 18. Jim Theisen, associate general counsel and chief compliance officer at Union Pacific Corp., talked about how his organization uses information to populate a comprehensive scorecard as part of an annual review of critical suppliers to vet the quality of third-party services and materials. The scorecard process provides assurance that vendors meet security and financial criteria, as well as Union Pacific’s cultural goals, which is another layer of information. “It’s not just on-time delivery and project performance that we score, but also company goals, such as whether the vendor partners with us on safety, diversity and social responsibility. As a railroad company, safety is the number-one concern of management and our people, and it must be a top priority of our third-party providers,” added Mr. Theisen. Vendors in outsourcing arrangements experience a different set of information exchange challenges from their customers. Jonathan Klein, chief information security officer, Broadridge Financial Solutions, explains that his organization works with customers to formulate “reasonable” information requests. For example, when asked to provide information about every software patch Broadridge applied to its data systems, which amounted to a 60,000-line spreadsheet of patches, Mr. Klein noted, “I worked with the customer to provide a six-month sampling of patches as reassurance that Broadridge has a patch program in place that is functioning properly.” Managing Information Requests The process for managing multiple customer requests from the same client also was discussed, with Mr. Klein supporting an approach that would funnel requests from different customer functions into one department to consolidate and perhaps standardize them. That way, vendors would not find themselves responding to the same request for information multiple times during the year. 
In some cases, “customers respond to the call for better oversight by asking vendors for the ‘kitchen sink,’” noted Mr. Klein. “It could be a tough conversation when a vendor begins negotiating with a customer about what is a ‘reasonable’ information request,” observed Mr. Taylor. But the panel generally agreed that such negotiations keep the lines of communication open, which often helps nurture a mutually beneficial relationship. Mr. Taylor noted that at Dover, information requests are made after a decision-making process that takes into consideration what management targets to meet compliance expectations. “Organizations that choose to more cohesively engage with third-party management can often increase value, for example, by staving off revenue leakage,” noted Mr. Kinsella. He said a cohesive approach can be centralized and still allow business units to work with third parties to achieve objectives and drive value. From Board Oversight to Reputation Risk Boards, not only management, have a role to play in overseeing third-party risk. “Boards need to hear from their chief compliance officers about their organizations’ third-party oversight program and whether it is effective,” said Mr. Theisen, who updates Union Pacific’s board on a variety of third-party matters and the measures
  • 19. in place to handle such risks. He noted that a strong board, with solid fiduciary responsibilities, promotes confidence in ethical leadership and provides knowledgeable oversight of third-party risk. Reputation risk with respect to third parties also is a concern. “At a very high level, managing reputation risk means making sure we are working with the ‘right’ partners, something Dover’s third-party vetting program is designed to give us comfort around,” commented Mr. Taylor. Dover assigns a risk score to third parties that work on the organization’s behalf. For vendors that fall into the “small bucket” of higher risk, Dover requires additional detailed information and approval from senior level leadership to enter into an arrangement, and manages those vendors more closely than vendors with low-risk profiles. Further, higher-risk vendors are required to have a sponsor from within the business unit that uses the third-party products or services. Moving Forward Automation may help organizations streamline and scale their vetting process for third parties, which tends to be a manual task. Some vendors are working with customers on ways to automatically feed information directly into their risk management systems. Such a system would enable customers to crunch data automatically— rather than sift through it manually—and flag potential issues, by using key indicators. In addition, vendors may want to consider developing standard reports for customers that operate in the same industry. However, for that approach to be effective organizations should be ready to accept those types of advances and outsource providers ready to deliver them. Mr. Kinsella suggested a basic framework to help customers and providers improve their transparency and information exchange. For example, the customer and vendor may want to undertake a joint inventory. 
For customers, that might include identifying the providers that could impact the organization’s risk domains, while providers could take stock of proactive ways to meet customer information needs. Developing an integrated risk and controls framework is another step. In general, the framework could help customers match the level of risk to the information being requested and monitor a vendor’s effectiveness at receiving, responding to, and delivering on information requests, Mr. Kinsella explained. Providers could use the framework to organize what information to provide, when and how to supply it, and their effectiveness in customer support. While third-party management likely will mature over time, the current process at many companies continues to be a hands-on operation carried out by the workforce, although it is increasingly becoming a priority of leadership. “Senior executives recognize that the compliance function is no longer just about compliance, but rather is a critical part of the sales chain,” said Mr. Klein. *“Overcoming threats and uncertainty: Extended enterprise risk management global survey 2017,” Deloitte Risk and Financial Advisory, Deloitte & Touche LLP. Copyright © 2017 Deloitte Development LLC.
  • 20. Enterprise risk management A strategic risk approach to disaster recovery: Beyond traditional planning —by Chris Ruggeri, principal; and Kathryn Schwerdtfeger, partner, Deloitte Risk and Financial Advisory, Deloitte & Touche LLP This story originally appeared in the Deloitte module of the Risk & Compliance Journal from The Wall Street Journal on November 13, 2017. The recent intensity of the hurricane season has put a new emphasis on how organizations deliver on their crisis response planning and execution, according to Chris Ruggeri, a principal in Deloitte Transactions and Business Analytics LLP and national managing principal who oversees Strategic & Reputation Risk Management for Deloitte Risk and Financial Advisory; and Kathie Schwerdtfeger, a partner and the leader of the National Grants Management and Recovery practice in Deloitte Risk and Financial Advisory’s Strategic Risk practice at Deloitte & Touche LLP. Effective response requires timely information gathering and planning related to all employees and critical assets, as well as skills in interacting with other stakeholders, including business partners, customers, regulators and shareholders during the recovery period. Q: How does preparing for and responding to a natural disaster differ from other crises that organizations and boards face? Kathie Schwerdtfeger: Preparation for and response to natural disasters differ from other crises in two distinct ways: early warning and connection to impact. From a preparation standpoint, organizations are able to rely on established warning or early identification systems such as weather forecasts, climate patterns, and geological indicators that suggest a natural disaster is imminent. As a result, organizations have the advantage of notice to better prepare or at least evacuate critical assets prior to the arrival of the event. 
Other types of crises typically do not have such established or reliable systems and are largely dependent on the real-time actions of its people. From a response perspective, natural disasters pose peculiar challenges. Because natural disasters are not “targetable” or controllable events, their impact is not exclusive to a single organization. This factor magnifies the impact and number of affected parties such as extensive loss of life, power, electronic connectivity, etc. Their physical manifestation also creates a psychological and emotional connection with stakeholders that is very human and personal. As such, the response effort has to carefully address the human side and apply more emotional than logical approaches.
  • 21. Chris Ruggeri: If you consider the life cycle of risk, organizations are going to face several types of crises throughout their history. In the case of a public company, where sustaining market capitalization is critical, management and boards should be undertaking not only crisis planning, but also planning for what could put their core strategic assets at risk. These are the assets that are central to an organization’s future growth, and that very much includes the operational workforce. Under strategic risk planning, organizations actively anticipate and manage response to, and recovery from, various types of events to protect assets and be resilient. It’s focused on recovering quickly and adeptly because an organization’s resilience is tied to how well it anticipates disruptions in its supply chain and the impact on customers, and whether back-up plans based on the various contingencies are in place. If an organization waits until after an event to figure out how to respond, it risks losing employees, customers, days of operations, and possibly the market share that made it competitive in the first place. Q: Disasters highlight the thirst for information that different stakeholders have. What can organizations do to manage their needs effectively? Kathie Schwerdtfeger: When a crisis hits, the worst thing is an absence of information. It’s critical that organizations inform their employees, as well as the people and communities they serve, as quickly and fully as possible. Clients, suppliers, and business partners should be told early on how the organization that is experiencing the disruption is going to help each of them to minimize their own damages and help get them back up and running. Demonstrating care and concern for other organizations in a time of tremendous need can be an important way of building trust and lasting connections.
Chris Ruggeri: What Kathie said about the absence of information applies to customers, business partners and shareholders as well. Under normal circumstances, it’s essential that management creates confidence in the minds of partners, customers, and especially investors that they’re going to deliver on their strategic objectives— and, equally important, have plans in place to deliver those objectives when a major disruption happens. When a disruption occurs, it’s critical that leadership proactively manages the situation on an ongoing basis and demonstrates that they’re on top of it. To the extent possible, leadership should also provide guidance on what they expect the event’s overall impact on operations to be when temporary or longer-term disruptions occur, and when they expect operations to get back to normal. From investors’ perspectives, when management communicates and executes at this level, it can provide confidence that, first of all, management knows what it’s doing, and that information is available so they can populate their models and determine what the impact might be. Q: What is the role of the board during a natural disaster, and what are issues to consider that may not be needed in calmer times? Chris Ruggeri: Ideally, the role of the board has already been well established well ahead of the crisis. Advance crisis planning is no longer a “nice to have” but rather a must have in today’s fast-paced
  • 22. market environment. Failure to demonstrate command over the situation is typically met with a loss of confidence by customers, suppliers, regulators, investors, and other key stakeholders and can result in permanent brand damage. The board should be well-acquainted with the company’s crisis plan and key roles and responsibilities. Some companies have tasked specific board committees with oversight over crisis planning and response. Whether that is the case or not, the board should get regular updates and exercise appropriate oversight. In times of natural disasters, when conditions are extreme and unpredictable, the board should be available to provide input to management and assess progress against recovery plans. The board can add value by challenging whether the crisis plan needs to be adjusted in real time as events unfold, while being mindful of doing so in a way that is constructive and not disruptive in an already tense environment. Kathie Schwerdtfeger: It’s also important that boards and management have a common vernacular to describe both a routine operational mishap and a catastrophic event. They need to consider what it could mean to have these types of events impact the business and what it would look like when they’re in the middle of one. That’s where education and simulations can help, and why board members as well as senior management should be involved in training and exercises. The organizations that not only survive, but thrive, after a natural disaster are the ones where the board and management are in sync and operate from a common playing field with respect to how they will execute on a plan and what they expect to see at the end of the process. Q: Who in the organization should oversee natural disaster planning and recovery? Kathie Schwerdtfeger: Typically, the chief risk officer (CRO) is responsible for enterprise-wide risk management, including planning for catastrophic events such as natural disasters. 
The role may also be played by a chief security officer (CSO) or chief legal officer (CLO), depending on the organization’s structure. Planning should include a strategy for identifying from across the business the key stakeholders who are expected to respond during a catastrophic event. Executing the plan and recovery would typically involve operational leaders to act tactically and at the frontlines to prevent further escalation. For example, the IT function will be needed to help ensure that core systems are up and running. The finance office and the commercial entity also will be critical to the process, as will the insurance teams that will focus on accessing policies and determining coverage. Q: What should organizations consider in terms of reputational risk during and after a natural disaster? Chris Ruggeri: They need to consider that their every move is being watched by the stakeholders they need to communicate and work with during the disaster recovery phase. Again, that is why the right planning is critical. If the board and management are caught unaware about what the extent of the damage caused by the disaster is or how to get things back up and running, the chances of a negative outcome will be great. If the senior executive team is not engaged,
  • 23. and if no one is talking knowledgeably to the community, the media and the investment community, that’s a risky position to be in. So it’s essential to have the necessary skilled people in place as a disaster response team, and to recognize the job requires the organization to anticipate beyond what’s easily known or anticipated no matter the extent of the crisis. From a reputational standpoint, people are going to look closely at what is said and done during the disaster recovery period, the tone of the response, how quickly it’s made, and how issues are being resolved. There is a social responsibility issue to be considered as well, since deep down any organization is part of a community and is expected to take responsibility for negative events stemming from natural disasters when they happen. Getting in front of potential disaster events with planning that is broad and deep is likely the best defense any organization can have to protect the business and its reputation.
  • 24. Enterprise risk management The networked economy: Strengthening organizations across the extended —by Brent Nickerson, partner; and Kevin Lane, principal, Deloitte Risk and Financial Advisory, Deloitte & Touche LLP This story originally appeared in the Deloitte module of the Risk & Compliance Journal from The Wall Street Journal on October 26, 2017. The networked economy often is described as the natural outcome of what happens when all the actors inside a business ecosystem are interconnected. Through technology, these interconnections enable customers to drive choices, select preferences and make their predispositions known. This interconnectedness fundamentally takes some of the power away from producers of goods and services to drive value and puts it in the hands of consumers in the extended enterprise. According to Brent Nickerson, a Deloitte Risk and Financial Advisory partner at Deloitte & Touche LLP, the networked economy also transforms the “enterprise” as industries have defined it for years. Historically, this term encompassed the people, processes, technology and systems within a company. But as Nickerson describes it, a networked economy broadens the scope of everything, necessitating a new way of thinking. “Really, now it’s all about the extended enterprise—the exterprise,” he says. “All the connections that a company has with third parties, all the distribution channels—everywhere a company does business is a part.” Trends to Follow These exterprises—and a networked economy itself, for that matter—don’t happen in a vacuum. They need to capitalize on a number of trends to work, which can include: 1. Collaborating on business models. One of the biggest trends to drive the networked economy is collaborative business models, or models that enable different types of businesses to work together to drive sales. The Internet of Things (IoT), the ultimate extended enterprise, is a good enabler of this type of collaboration. 
If, for instance, a consumer has a smart washing machine, the customer can instruct it to order more detergent pods online whenever the supply runs low. In this case, collaboration breeds convenience, which typically leads to happy customers.
  • 25. 2. Being radically transparent. Another important trend driving the networked economy: the widespread movement to radical transparency. Kevin Lane, a Deloitte Risk and Financial Advisory principal at Deloitte & Touche LLP, says that when companies begin to interlink networks, it’s important that all parties be transparent about how they do business throughout their own respective extranets, so as not to alienate any potential customers. Lane adds that companies must ask themselves what kinds of networks they want to associate with and what sorts of belief systems they’re willing to tolerate from partners they collaborate with. “Everything out there can be seen, and the consumer sees it all and makes his or her own judgments,” says Mr. Lane, who also serves as the retail industry leader for Deloitte’s Enterprise Compliance Services practice. “No one ever fully gets his or her way, but the idea is that the networks, somewhat organically through the interconnection, develop their own consensus point and middle-ground answer.” 3. Getting a handle on an organization’s risks. Companies that wish to create exterprises must also have a handle on their risks. And they must perform regular risk assessments to quantify how vulnerable their networked economy is to threats. On the most basic level, risk assessment is about physical security— locking down facilities so that only authorized employees come and go. But the broader day-to-day realities of risk assessment go hand-in-hand with a push for more transparency. As companies learn more about the other companies in their exterprise, previously undisclosed risks emerge, creating an opportunity for remediation, or at least a backup plan. In evaluating this risk, companies must think not only of themselves but also their customers. Something could be both legal and ethical, but it may still not align to the preferences of the consumers involved.
Leveraging Connections for the Networked Economy Approach As the first wave of companies begins to embrace the networked economy approach, opportunities abound to leverage the ensuing connections into smart business decisions for the extended enterprise. Following are steps organizations can take to create value. 1. Extend and amplify connections. For starters, companies must extend and amplify connections through consortia and other industry groups. Some of these groups are more marketing-oriented in nature and enable participants to network with each other and share leading practices. Others are functional—participants meet to collaborate on devising standards, rules and other forms of self regulation. 2. Innovate to capture new revenue streams. Looking forward, companies must also figure out how to capture new revenue streams. Subject matter experts say this likely will be driven almost entirely by the networked economy and the exterprise—by third parties that spark new products, new development and innovation.
  • 26. A number of contract manufacturers around the world have already set up product innovation centers where they offer design, engineering, prototyping and manufacturing necessary to build out new products. In addition to changing the product catalog, these centers have sparked a sea change in strategy. Now more than ever, innovation is coming from the edges of a corporate network and working its way in. The exterprise also has indirectly expanded distribution channels, since companies are now connected to so many other companies. Ultimately, the one-two punch of more innovation and more places to sell new products enables companies to penetrate deeper into their existing consumer bases and, at the same time, acquire new consumers. In the context of a networked economy, both scenarios can lead to additional revenue—yet another way risk, when managed well, can create value in the business world of today.
  • 27. Enterprise risk management Strategic resiliency: Striking a balance between protecting and creating value —by Chris Ruggeri, principal; Andrew Blau, managing director; Maureen Bujno, managing director; and Yeolin Jung, manager, Deloitte Risk and Financial Advisory, Deloitte & Touche LLP This story originally appeared in the Deloitte module of the Risk & Compliance Journal from The Wall Street Journal on August 25, 2017. For many organizations, risk management tends to have a more operational than strategic focus. And risks tend to be addressed only after they occur. By focusing solely on mitigating risks and preventing the recurrence of a risk, organizations face a slow-down in the decision-making process. In contrast, organizations that align strategy and risk are likely to be able to exercise “strategic resiliency,” which is the ability to anticipate, know and act on risks when introducing or executing new strategies to increase the chances of success—in spite of uncertainty. Strategic resiliency is rooted in a framework designed to strike the right balance between value creation and value protection. Applying a risk lens to strategy helps organizations understand which risks provide opportunities for long-term value creation and which to protect against. Optimizing value on a risk-weighted basis, organizations should first make sure they have a strong enterprise risk management program as the foundation upon which to build. That includes, for example, having a risk governance and reporting cadence, and standardizing and deploying enterprisewide risk management processes with regard to operational, strategic, financial and compliance risks, as well as developing risk responses and mitigation plans. Identifying Strategic Risks Uncovering potentially disruptive or innovative strategic risks with little or no historic precedent generally requires a different approach than traditional risk discovery methodology and processes.
Organizations should also take the time to focus on “what’s next” with scenario planning, which can provide strategic options and flexibility should the industry, market or organization face unexpected change. The value in the face of potential disruption or other changes and how the organization will sustain its competitive advantage and continued resilience may be considered as well. Creating strategic resiliency also requires risk valuation modeling for each scenario, where the underlying circumstances can be assessed
  • 28. for various levels of uncertainty and risk, to yield a range of outcomes and the likelihood of each outcome. Organizations can compare outcomes for each risk-adjusted alternative and select the alternative that provides the optimal risk/reward profile. True strategic resiliency requires a clear understanding of risk tolerance. The organization outlines which strategic objectives are supported in taking risks and when putting strategic objectives into action, keeping within agreed-upon risk limits. For any organization, there are still chances that unexpected events will occur. Organizations should consider formalizing a crisis response program and framework and be prepared to respond effectively. Having a rigorous, coordinated response to incidents can limit lost time, money and customers, as well as minimize damage to brand and reputation and the costs of recovery. Crisis response programs should also include steps to normalize operations, which may mean a change in strategy. Organizations should tap into the insights of boards. As a diverse group of highly experienced individuals, these seasoned leaders can provide an “outside-in” view, offer broader perspectives and be essential partners in achieving strategic resiliency with management. How to Get Started Following are several questions an organization’s management and board may want to consider to start on a path toward strategic resiliency. • Have strategic risks been identified by management and has the board provided input? • What mechanisms does management have in place for risk sensing and monitoring risks that could result in a shift of strategy? • Is the strategy flexible enough to allow for a shift? • Does the strategy identify the organization’s vulnerabilities? • Is the board confident that management has the right information to make high-stakes decisions? • Does the board have the right composition to effectively advise on the strategy?
•• Who is ready to lead if strategic risks aren’t managed?
•• Is the organization prepared for a crisis?
•• Has the board engaged with management in a deep-dive, brainstorming session on strategy?
•• Does the board have ongoing conversations with management about the strategy? Are strategy discussions frequently built into board agenda topics throughout the year?

With the business environment rapidly changing, organizations that continually innovate, stay ahead of the risk of disruption and take advantage of strategic risks—as well as the opportunities they can signal—have the potential to lead the way.
  • 29. Brand and reputation risk
Building reputation resilience
Strong reputations help companies withstand crises
Assessing brand health risk
Taking the pulse of brand health risk
Managing reputation risk
Tackling the CX measurement challenge
Three steps for executing brand promise
Delivering on the brand promise
  • 30. Brand and reputation risk
Building reputation resilience
—by Mike Fay, principal, Deloitte & Touche LLP; Keri Calagna, principal, Deloitte & Touche LLP; Antonio Crombie, manager, Deloitte & Touche LLP; and Jennifer Turner, manager, Deloitte & Touche LLP
This story originally appeared in the Deloitte module of the Risk & Compliance Journal from The Wall Street Journal on June 12, 2018.

A brand’s reputation is among its most important—and most vulnerable—assets today, but cultivating reputational resilience with a cohesive and technology-enhanced strategy can enable companies to both prepare for crises and create enduring value.

Reputation and brand are two sides of the same coin. A company’s brand—which is focused on the products and services a company promises to its customers—is aspirational. It’s how the organization hopes it will be perceived. A company’s reputation—the thoughts and feelings about it held by its broad set of stakeholders—is how the company is actually perceived.

While many organizations are good at building their brands, many fail to apply the same level of discipline to managing their reputations. A number of factors can contribute to this. Managing reputational risk often doesn’t fit neatly into a single function, creating unclear ownership and accountability. There may be insufficient understanding of the sources of reputational risk, how to manage those risks, or what the full impact of a reputational crisis could be. In addition, there may be cultural resistance to the changes in behaviors required to manage reputation risk more effectively.

Yet, corporate reputation has never been more important—or more fragile. It’s one of the most important assets in almost any organization, typically playing a critical role in creating value and driving the business forward.
In today’s 24/7 media cycle, customers and other stakeholders are increasingly connected and well informed—and a reputation that’s taken decades to build can be torn apart in seconds. Reputation-linked losses at public companies have increased by 301 percent over the past five years, according to a study by Steel City Re.¹ Last year was a record one for business crises, according to the Institute for Crisis Management 2018 Annual Crisis Report, with the number of incidents increasing 25 percent over the previous year.² It’s likely no surprise, then, that in a recent global survey by Aon Risk Solutions, executives rank brand and reputation damage as the number one enterprise risk.³ Nearly three quarters (73 percent) of board members responding to a recent Deloitte survey say reputational risk is the area in which they feel the most vulnerable, but only 39 percent say they have a plan to address a reputation crisis.⁴
  • 31. The potential consequences of not having such a plan when things go sideways can be significant, including loss of customers and revenue, damage to investor confidence, significant recovery costs, and boardroom and C-suite casualties.

There are likely opportunities for organizations to more proactively manage reputation to stay ahead in this competitive and dynamic marketplace—in their day-to-day activities as well as in times of trouble. Those that create a systematic, company-wide approach to reputation management and adopt new risk-sensing tools and capabilities may not only increase their reputational resilience, but also harness their reputations to drive their corporate strategies forward.

A Cohesive Approach

Companies with well-defined, effective reputation management practices are often able to build their reputation resilience and shape business outcomes in good times and bad. Those that manage reputation well likely understand the business ecosystems and build trusted relationships with stakeholders that matter most. The trust and value of these relationships can serve as money in the bank that can be drawn upon in times of crisis or brand shocks. That goodwill can enable leaders to navigate these situations with confidence because they have built the resilience necessary to not just emerge—but to emerge stronger—from potential setbacks.

A key is to not just protect the reputation, but also to deploy strategies to enhance it. Often the most successful companies take a proactive approach to managing, nurturing, and monitoring their reputations. Many approach it not just as a byproduct of other risks, but as a critical asset that can fuel the business.
A programmatic, enterprise-wide approach to reputation management commonly includes four key elements:

Strategy: A clear and consistently applied vision for reputation management, aligned to business objectives, can help to amplify brand and reputation and differentiate the organization in the marketplace.

Advocacy: Engaging and empowering internal and external stakeholders in purposeful ways can enable these diverse groups to champion the brand and protect the organization’s reputation.

Resilience: Sensing, assessing, and managing risks and proactively planning to protect reputation from crises can enable an organization to respond to and recover from reputational jolts more effectively.

Governance: A cohesive program can help ensure that the above components work together in concert and includes means for measurement, monitoring, and continuous improvement.
  • 32. When done well, this approach can connect capabilities and resources throughout the organization to effectively manage internal and external threats to reputation. It’s not about creating a new function or additional work, but about connecting reputation management to the things a company may already be doing in the area of risk management and business resilience.

The Return on Risk Sensing

Successful reputation management often involves sensing, assessing, mitigating, managing, and responding to threats. Those companies that build such capabilities into their risk governance structures can identify potential risks and opportunities early, evaluate their impact, and make better decisions about how to act on them.

At one time, risk sensing and response was largely a matter of hiring a public relations firm to advise on what was happening to the company from an outside perspective. However, the state of the art has advanced. With today’s technology, reputation risk sensing can be done in a more cost-effective—and near-real-time—manner.

Many leading risk management programs incorporate 24/7 monitoring of traditional and social media sources, along with other internal and third-party data sources. Top-notch teams of analysts, enabled by analytics and risk intelligence tools, scan the environment for trends, high-impact events, and other changes in the ecosystem. They continuously monitor those topics across a variety of data sources and generate regular reports that can enable their company to act on risk factors before it’s too late. This can be helpful in deciding how best to navigate reputational threats and manage communications and relationships with important stakeholders.

Such risk-sensing capabilities can be applied across the enterprise, including talent in the workplace, high-impact events, financial risk, digital assets, socio-economic and geopolitical risk, and competitive trends.
It can help organizations accelerate the discovery of reputational risks and, in the best cases, preempt them. Just as powerfully, it can inform strategic choices and drive the corporate agenda forward.

In fact, there can be a huge opportunity in considering reputation in the full business context and linking it to strategy and planning. In so doing, reputation becomes more than just a risk to manage, but a critical asset that can be leveraged to help enable the organization’s overall success.

01. Dr. Nir Kossovsky and Peter J. Gerken, CPCU, Steel City Re, “The Looming Reputation Risk Explosion: Massive Financial Impact Possible in 2018 from Corporate Reputational Crises,” December 2017
02. ICM Annual Crisis Report, April 2018
03. AON, Global Risk Management Survey, 2017
04. Peter Dent, Deloitte global crisis management leader, “A crisis of confidence”
  • 33. Brand and reputation risk
Strong reputations help companies withstand crises
—by Keri Calagna, principal, Deloitte Risk and Financial Advisory, Deloitte & Touche LLP
This story originally appeared in the Deloitte module of the Risk & Compliance Journal from The Wall Street Journal on January 16, 2018.

Prioritizing reputational resilience can help organizations prepare for the worst while laying the groundwork for creating long-term value in brand equity, strategic positioning, and future growth.

The increased prevalence of crisis events, such as product recalls, cyber breaches, and executive misconduct, has had a significant impact on many organizations’ reputations. At the same time, the value of reputation has increased considerably. According to the 2016 US Reputation Dividend Report, “corporate reputations accounted for $3.98 billion of market capitalization across the S&P in March of 2016,” which was “20.7 percent of all shareholder value and 2.5 percentage points more than a year before.”

It’s no surprise, then, that reputation risk has jumped to the top of executives’ priority lists. Nonetheless, many organizations still find managing this risk problematic. In a recent Deloitte study, “A crisis of confidence,” 73 percent of board members identified reputation risk as the area about which they felt most vulnerable, but only 39 percent had a plan to address it.

The good news: There are many ways organizations can manage their reputations to protect, preserve, and enhance enterprise value. It’s not only about preparing for a crisis; it’s also about creating value by purposefully managing reputation. By implementing a proactive approach to reputation management, an organization can sense threats, seize opportunities, and shape behaviors to achieve desired outcomes.

The following key steps can help companies start thinking about and building reputational resilience:

Set a clear strategy.
A successful reputation strategy includes the development of a well-defined master narrative that is consistently used to help an organization amplify its brand, differentiate itself in the marketplace, and achieve business goals.

Cultivate advocacy.
Advocacy is about empowering stakeholders, both internal and external, to actively champion and protect the organization’s reputation, especially during times of crisis or brand shocks. Organizations can provide leaders and employees with:
•• A compelling brand narrative
•• Tools and processes to identify, report, and respond to brand risks
•• Resources, training, and incentives to build resiliency and enable them to act as brand ambassadors.
  • 34. The organizations that cultivate advocacy well focus relentlessly on strengthening relationships—via targeted campaigns and meaningful engagement strategies—to transform external stakeholders into advocates. Purposeful stakeholder engagement helps both parties achieve what they need and expect out of a relationship.

Build reputation resilience.
Resilience is about proactively taking steps to protect an organization’s reputation from a crisis. This includes developing capabilities to sense threats early, evaluating and assessing risk impact, and preparing for and responding to threats. Examples of building resilience include monitoring traditional and social media outlets 24/7 and embedding a risk-sensing team in the risk governance structure to help inform decision-making. These practices can be used to spot potential risks while also creating strategic value for an organization by monitoring and acting on industry trends.

Another important practice is the implementation of a crisis response program that continually adapts. Leading programs have a crisis playbook, conduct scenario planning and rehearsals, train response leaders, and establish mitigation strategies to elevate preparedness for reputational crises.

Provide strong governance.
These steps cannot truly work without strong governance to establish a cohesive platform and approach for managing reputation. An effective governance model includes measurement, monitoring, and aspects of continual improvement. It is not necessarily about creating a new function or new jobs, but rather about connecting existing capabilities to a consistent and unified model that helps protect, preserve, and enhance an organization’s brand and reputation.
Questions for Leaders to Consider

The following questions can help leaders begin to understand their organizations’ reputation risks, as well as opportunities for value enhancement:
•• Which brand strategy will drive the greatest value for the organization?
•• Is management doing enough to engage key stakeholders?
•• Do leaders and employees understand brand and reputation risk?
•• Is the organization prepared to handle a reputational crisis?
•• Do employees understand their roles in building and protecting brand and reputation?
•• What can the organization do to better protect, preserve, and enhance its brand and reputation?

Reputation is the foundation on which an organization is built. It is the basis for customer loyalty. It’s the culmination of every aspect of the organization—from product quality to employee behavior and everything in between. Effectively promoting, protecting, and preserving an organization requires leaders to prioritize reputation as a key strategy and manage it programmatically. By taking a forward-thinking approach, companies can use reputation not only as a defense against crisis but also as an asset to fuel their businesses.
  • 35. Brand and reputation risk
Assessing brand health risk
—by Tony DeVincentis, partner; Rob Rush, managing director; and Zach Conen, senior manager, Deloitte Risk and Financial Advisory, Deloitte & Touche LLP
This story originally appeared in the Deloitte module of the Risk & Compliance Journal from The Wall Street Journal on January 11, 2018.

To gauge the strength of their brands, organizations increasingly are looking at the business operations behind the customer experience.

Branding is no longer limited to what consumers experience when they encounter a company’s advertising, marketing, communications, or customer service representatives. As revenue models and customer expectations continue to evolve rapidly, every aspect of a business can affect the brand—from logistics and inventory management to the in-store experience. As a result, organizations increasingly are considering the connection between their brands and their underlying business operations, with a focus on how performance can affect brand health.

“With stronger links to operational performance, brand health has become—in many cases—a component of an organization’s risk profile,” says Tony DeVincentis, a Deloitte Risk and Financial Advisory partner, Deloitte & Touche LLP. “As a result, brand health is of interest not just to CMOs but also to chief risk officers and the rest of the C-suite.”

Brand health can be defined as a measure of how well a company or brand delivers on certain attributes of a product or service that it promises its customers, especially how those attributes are perceived by customers in terms of quality and delight. “A healthy brand delivers consistent, memorable, and differentiated experiences for the customer, while less satisfactory brand health is often associated with customer experiences that are inconsistent and delivered with little emotional connection to the customer,” says Rob Rush, a Deloitte Risk and Financial Advisory managing director, Deloitte & Touche LLP.
“The closer a customer experience is to the brand promise, the healthier the brand.”

Brand Health Risks

Across many industries—from health care and hospitality to retail—today’s consumers have a growing number of choices and, as a result, higher expectations for brand experiences. Many organizations, meanwhile, are still adjusting to the more basic challenges of a digital world, such as managing negative buzz on social media or providing a consistent omnichannel brand experience.
  • 36. Employees can also present a brand health challenge. “Not all employees may get on board with the vision a company has for its consumer experience,” Rush says. “That can create a misalignment with the company’s brand and damage brand health.”

Most leading hospitality organizations, for example, invest a significant amount of time in identifying, hiring, training, and nurturing their employees so they can deliver a specific customer experience. “Hiring the right employees takes significantly more time, effort, and capital,” Rush says. “Ultimately, however, it makes a difference. Turnover rates often are lower for those employees, and when they interact with customers, managers can sleep better knowing they have an effective brand ambassador.”

A Plan for Brand Health

To improve brand health, organizations can begin by defining the optimal customer experience, based on feedback from customer research and focus groups as well as input from management and branding agencies.

The next step is to develop a playbook that organizes and codifies brand service standards for customer-facing associates. The playbook defines the unique brand experience the company seeks to deliver and explains how employees can create that experience. For example, the playbook might detail how to maintain a store’s appearance, and what infrastructure and processes support the desired behavior.

To make the playbook more effective, organizations can identify metrics to benchmark and measure customer interactions against the desired experience. “Standard metrics could include, for example, customer and franchisee satisfaction ratings, economic performance, and employee turnover,” says Zach Conen, a Deloitte Risk and Financial Advisory senior manager, Deloitte & Touche LLP.
Some organizations may also want to define customized metrics that give an overall indication of brand health, such as how effectively customer relationships are renewed, which typically is a function of customer loyalty, he says.

After determining relevant metrics and measuring against them, companies can begin to identify gaps and develop a strategy to address any shortcomings. Addressing gaps might require, for example, more effective training, additional capital for facility updates and staff rewards, or improved operational oversight.

Weighing Tradeoffs

It’s important for organizations to understand their level of tolerance for brand health tradeoffs. For example, when is it appropriate to preserve or improve brand health at the expense of revenue generation?

The franchise industry offers a relevant example: Consider an acquisition in which a leading brand acquires a chain with a lower level of brand health. To improve customer experiences, the acquirer imposes its training and operational rigor on the target company as well as its compliance expectations for brand standards. Licensees unwilling to adhere to the new operating model, or to take on the associated costs, exit the franchise relationship.
  • 37. The decision to let licensees leave the franchise generally impacts franchise fee revenue, but this self-selection process often strengthens the acquirer’s brand by weeding out underperforming franchisees, Rush says. “However, not every management team and board are willing to walk away from underperforming licensees and revenue to bolster their brand,” he notes.

Although that’s just one example, many organizations may find themselves making such tradeoff decisions as they seek to strengthen brand health. “Every interaction with a customer is a moment of truth that either strengthens or weakens the customer’s perception of an organization’s brand,” DeVincentis says. “Identifying and measuring these moments can help build sustained customer loyalty and manage the risks to brand health for long-term competitive advantage.”
  • 38. Brand and reputation risk
Taking the pulse of brand health risk
—by Tony DeVincentis, partner; Rob Rush, managing director; and Zach Conen, senior manager, Deloitte Risk and Financial Advisory, Deloitte & Touche LLP
This story originally appeared in the Deloitte module of the Risk & Compliance Journal from The Wall Street Journal on December 12, 2017.

The traditional view of brand is that it is strengthened or harmed by what consumers experience through advertising, marketing, communications, and interactions with representatives of the brand. More recently, however, organizations are considering the connection between brand and their underlying business operations, with a focus on how effective performance can impact brand health.

“With stronger links to operational performance, brand health has become — in many cases — a component of an organization’s risk profile,” says Tony DeVincentis, a Deloitte Risk and Financial Advisory partner, Deloitte & Touche LLP. “As a result, brand health has risen to the level of the C-suite.”

Brand health can be defined as a measure of how well a company or brand delivers on certain attributes of a product or service that it promises to its customers, especially how those attributes are perceived by the customer in terms of quality and delight. “A healthy brand delivers consistent, memorable, and differentiated experiences for the customer, while less satisfactory brand health is often associated with customer experiences that are inconsistent and delivered with little emotional connection to the customer,” says Rob Rush, a Deloitte Risk and Financial Advisory managing director, Deloitte & Touche LLP. “In short, the closer a customer experience is to the brand promise, the healthier the brand,” he adds.
Brand Health Risks

Fundamental changes in sectors from health care and hospitality to retail and government are giving consumers more choices, and requiring organizations to deliver exceptional experiences to capture and retain customers and maintain brand health. At the same time, organizations are challenged by new, disruptive forces that were not a significant factor as recently as five years ago. These forces include negative word-of-mouth comments on social media, efforts to provide a consistent brand experience in an omnichannel world, and significant variation in survey scores among locations, which usually indicates an issue with the operator rather than with an underlying process or infrastructure issue.
  • 39. Another brand health challenge organizations face is not having the right players on the field. That can happen when rigor in identifying and recruiting the “right” employees is missing and the organization instead is just hiring to fill open positions. “Oftentimes in service industries, delivering the intended experience is not something that just any employee can deliver, and not all employees may get on board with the vision a company has for its consumer experience. That can create a misalignment with the company’s brand and damage brand health,” observes Rush.

Most leading hospitality organizations, for example, invest a significant amount of time into identifying, hiring, training, and nurturing their employees who in turn deliver a specific customer experience. “It probably takes 10 times as much time, effort and capital in terms of the recruitment, identification, and interview processes to hire the ‘right’ employee than it does just to hire anyone,” says Rush. “But, ultimately it makes a difference because the more touches that employee has with the customer the better, turnover rates often are lower, and when those employees interact with customers, management sleeps better knowing they have an effective brand ambassador.”

Developing a Playbook for Brand Health

Improving brand health typically begins with the organization’s view of the optimal customer experience informed by management’s expertise, customer research, focus groups, branding agencies, and other inputs.

The next step is developing a playbook that organizes and codifies brand service standards for customer-facing associates. The playbook defines the one, unique brand experience that should be delivered to customers and how employees should behave to promote the experience. For example, the playbook might focus on when to open a store and how to maintain it, as well as what infrastructure and processes need to be in place to support the desired behavior.
For a playbook to be effective, organizations should develop metrics to benchmark and measure customer interactions to understand how close they come to the optimal experience, and then identify gaps and a strategy to address any shortcomings. Addressing gaps could include more effective training, additional capital for facility updates and staff rewards, or improved operational oversight. Organizations may find that measuring brand health prompts adjustments to the playbook, which could require going through the assessment cycle between regularly scheduled evaluations.

“To understand if the playbook is effective, organizations can look at standard metrics, such as customer and franchisee satisfaction ratings, economic performance, and employee turnover,” says Zach Conen, a Deloitte Risk and Financial Advisory senior manager, Deloitte & Touche LLP.

Some organizations may want to define customized metrics that give an overall indication of brand health, such as how effectively customer relationships are renewed, which typically is a function of customer loyalty. “If a loyalty metric is used as a proxy for brand health, then the aim is to design the metric so it is based on what goes into a consumer’s decision-making process to renew the relationship on an ongoing basis,” says Conen.
  • 40. In the sports industry, for example, research indicates that a season ticket renewal is driven less by team performance and more by the relationship the ticket holder has with their personal ticket sales representative. That insight led more teams to invest in that interpersonal relationship and created metrics to gauge how effectively their service staff was engaging their portfolio of ticket holders.

Pitfalls and Tradeoffs

An effective brand health playbook generally includes a social media monitoring component. However, avoiding pitfalls inherent in the monitoring process is just as important. DeVincentis notes that social media feedback tends to be skewed, reflecting the opinions of outliers rather than a typical customer experience. Feedback usually is posted by consumers who are either fully engaged or disengaged from a business because of positive or negative experiences, respectively. “Often, the feedback is situational, and not representative of whether the average customer experience is consistent and on-brand. That’s why it is important for organizations to capture and measure average experiences rather than outlier experiences,” notes DeVincentis.

He emphasizes that what drives customer experiences on a regular basis “are the operational processes that occur every day, a thousand times a day,” and explains that “taking steps to ensure that customers receive an on-brand experience consistently across all geographies can require added capital and resources. The effort may strengthen brand health and provide an effective defense against negative, situational social media comments,” adds DeVincentis.

Also important is understanding the organization’s tolerance for brand health tradeoffs. For example, when is it appropriate to preserve or improve brand health at the expense of revenue generation?
The franchise industry offers a relevant example: Consider an acquisition in which a leading brand acquires a chain with a lower level of brand health. To improve customer experiences, the acquirer imposes its training and operational rigor on the target company as well as its compliance expectations for brand standards. Licensees unwilling to adhere to the new operating model, or to take on the associated costs, exit the franchise relationship.

The decision to let licensees leave the franchise generally impacts franchise fee revenue, but ultimately this self-selection process often strengthens the acquirer’s brand by weeding out underperforming franchisees, says Rush. “But not every management team and board are willing to walk away from under-performing licensees and revenue to bolster their brand,” he notes.

Effective brand health strategies consider both the way a brand touches customers, as well as the way a brand operates behind the scenes to deliver on its promise. Further, the strategic nature of decisions about brand health, including those involving operational models, reputation, and revenue, has turned it into a C-suite issue, weighed along with other factors when assessing an organization’s long-term viability. “There even seems to be a willingness today