Company reputation and the fallout from reputational damage are the No. 1 strategic risk for large companies, according to a global survey released by Deloitte. Overall, progress on strategic risk management is evident, though most executives admit that their programs do not support their business strategy well enough.
Reputational risk was ranked third among strategic risk concerns three years ago, according to companies surveyed. Also back in 2010, brand and economic trends were identified by senior executives as the key strategic risks, though both have fallen since. In some industry sectors, reputation has risen from outside the top five strategic risk concerns to the top of the list. In the energy and resources sector, for example, reputation ranked only 11th on the list of strategic risks in 2010, though three years later it has risen to the top spot.
The rise of reputation risk as the key strategic risk is mirrored by executives listing social media, which has transformed reputation management, as the biggest technology disrupter and threat to their business model. Nearly 50 percent listed this above other technologies such as analytics, mobile applications, and cyber-attacks.
“The rise of reputation as the prime strategic risk is a natural reaction to recent high profile reputational crises, as well as the speed of digital and social media and the potential loss of control that accompanies it,” explained Henry Ristuccia, Deloitte Global Leader, Governance, Risk and Compliance. “The time it takes for damaging news to spread is quicker, it goes to a wider audience more easily, and the record of it is stored digitally for longer. Even in an environment where economic conditions remain tough and technology threatens business models, this is why companies place reputation at the top of their strategic risk agenda.”
“Several reputational episodes in the past three years have really brought this issue into focus for every industry. Indeed, the only sector where reputation hasn’t risen as a strategic risk factor is financial services where it was already No. 1 following the financial crisis and subsequent fallout.”
Strategic risk now firmly on the boardroom agenda
Attention to and investment in strategic risk management at senior management levels continue to grow, according to the Deloitte report. More than 80 percent of companies say they explicitly manage strategic risk rather than just limiting their focus to traditional risk areas such as operational, financial, and compliance risk. However, there remains work to be done to tie strategic risk management to strategy, with only 13 percent of executives surveyed stating that their risk management program supports their business strategy “very well.”
Boards and senior executives are also increasingly involved in strategic risk management. Two-thirds of companies surveyed stated that their CEO, board or board risk committee now has oversight when it comes to managing strategic risk.
However, the ultimate owner of strategic risk management varies significantly geographically and across industry sectors. In Europe, only 9 percent of companies state that their CEO primarily determines the company’s approach to strategic risk, compared to 23 percent globally. Likewise, in the energy sector, only 10 percent of CEOs are responsible, while in the technology sector CEOs are more hands-on with 33 percent determining the strategic risk approach.
“No single preferred approach to owning strategic risk management is evident at present, except that it is now being handled at the CEO and board-level,” continued Ristuccia. “Across two-thirds of companies there is an almost even split between the CEO, board or board-level risk committee on ultimate responsibility for this. What really matters though is the fact that strategic risk is being owned by the CEO and the board in the first place – the idea of strategic risk is now firmly established at the highest level.”
“The large variation in approach across regions and sectors suggests company culture and external events may well influence how companies manage strategic risk. The dominant founder/CEO model often prevalent in the technology sector is reflected by the higher number of CEOs holding ultimate responsibility for strategic risk in this sector, for example. In contrast, risk committees dominate in the energy sector – perhaps a result of several high profile risk and reputation issues for companies in that sector.”
Overall, 61 percent of companies believe their strategic risk programs are performing at least adequately in supporting business strategy development and execution. However, only 13 percent of companies rate their risk management programs as being five out of five in terms of supporting the development and execution of business strategy. Confidence in this aspect is also lower in Europe, the Middle East and Africa.
Companies view technology as both an opportunity and a strategic risk
After reputation, companies identified their business model as the second highest strategic risk in 2013, and forecast this to remain the case in 2016. The role of technology looks to play a large part in this concern, with 53 percent of companies surveyed believing that technology enablers and disrupters are emerging that could threaten their established business models.
Perhaps surprisingly, companies identified data mining and analytics, normally seen as beneficial to a business, as the second most concerning technology threat. Together, the top five technology threats to the business were social media (47 percent), data mining and analytics (44 percent), mobile applications (40 percent), cloud computing (38 percent), and cyber-attacks (36 percent).
“The risks of social media are well-known, but concern about how new technologies affect the core business model is also top-of-mind,” explained Ristuccia. “Cyber-attacks and the transformative power of apps and cloud computing present obvious risks, though some may find it surprising to see analytics and ‘Big Data’ in this list. Companies recognize the potential of this data, but appear concerned about how to grasp it properly. The key question is how to examine the data to find meaningful and relevant takeaways for business strategy.”
Other key findings from the survey include:
- Many companies are working to hone their definition of strategic risk: At present, 66 percent have established a common definition of strategic risk. More companies in Asia-Pacific, and the technology, energy and financial services sectors have done so than elsewhere.
- Investments to counter strategic risks: When asked which strategic assets they are investing in to counter perceived strategic risks, companies identified human capital (47 percent), brand name and reputation (32 percent), and customer capital (26 percent) as key items. Three years from now, innovation pipeline takes the second slot (24 percent). “One of the most critical strategic risks is the ability to keep pace with innovation,” said Ristuccia. “Companies that fail to keep pace may soon discover that a competitor’s innovation has become a major disruption to their business model.”
- Strategic risk management is constantly evolving: Nearly all companies surveyed (94 percent) have changed their approach to strategic risk management over the past three years.
The findings in the Strategic Risk report are based on a global survey conducted by Forbes Insights, on behalf of Deloitte Touche Tohmatsu Limited (DTTL), of over 300 respondents from the Americas (33 percent), Europe/Middle East/Africa (33 percent), and Asia/Pacific (34 percent). Nearly all respondents were C-level executives (263), board members (22), or specialized risk executives (21). Surveyed companies came from all five major industry sectors: consumer/industrial products, life sciences/healthcare, technology/media/telecommunications, energy/resources, and financial services; and all had annual revenues in excess of $1 billion (or equivalent).
Additional detailed insights were obtained from personal interviews with executives from eight leading companies, with a balanced mix of representation from major industries and global regions.