Revamping Risk Culture in the Digital Age

Revamping Risk Culture in the Digital Age
Revamping Risk Culture in the Digital Age

How many directors can name a chief risk officer who has advised them and the executive team that the organization is too risk-averse? In the digital age, not enough.

It has always been understood that one must take risks to grow. And typically, the more risk one takes, the higher the potential return.

Conversely, a risk-averse mindset leads to a lower return. Given the pace of change in the digital age, the reality is such that it’s not just a matter of taking risk to grow or generate greater returns — it’s also a matter of survival. That’s why organizations might have to undertake more risk than they may be accustomed to taking if they are to survive.

Key Considerations

Taking risk means more than introducing new products and entering new markets. It entails becoming more innovative in reimagining processes, disrupting business models, and even reinventing the organization itself. In the digital age, the board has an important role to play in strengthening and nurturing the risk culture that facilitates the initiative, creativity, and digital thinking so critical to success.

Over three decades, best-of-class risk management has evolved from a fragmented, siloed model focused narrowly on myriad risks to an enterprisewide approach focused on the most critical business risks and integrated with strategy-setting and performance management. The chart below lists 10 cultural attributes illustrating this transition.

To make an impact in the digital age, risk management should be framed around strategy. Traditional risk management applies an analytical framework to assess risks and opportunities with different characteristics and time horizon considerations, all in the same way and without contemplating multiple views of the future. Past experience and subjective assessments often influence this approach, fostering groupthink, pre-empting out-of-the-box thinking and offering little insight as to what to do about exposure to disruptive events. It also does not account for the increased velocity of change in the digital economy and ignores the reality of the uncertainties that organizations face.

Many risks and opportunities unique to the digital age are “compensated,” meaning they present enormous potential for an upside that compensates for the downside exposure. If all foreseeable future outcomes of undertaking a given risk or group of interrelated risks were listed, along with the expected net cash flows relating to each possible outcome and their respective probability of occurrence, a distribution of possible outcomes arises depicting both net positive and net negative cash flows, giving rise to performance variability. Therefore, compensated risks are inseparable from setting and executing an organization’s strategy.

This is why traditional risk management often does not influence strategy, as it typically focuses on mitigating and avoiding uncompensated risks. Such risks are often one-sided because they offer the potential for downside with little or no upside potential (i.e., every foreseeable outcome results in net negative cash outflows, creating a loss exposure). That said, when managing such risks, care should be taken not to ignore interrelationships with other risks that offer upside potential, for they represent compensated risks. 

For example, there is no upside if a cyber or privacy incident were to occur. However, an overly cautious approach that eliminates too much risk might limit or delay innovation opportunities offering significant upside. Therefore, managing cyber and privacy risk in isolation may not be in the best interests of the business. If a company is evaluating whether to apply digital technologies to enhance its processes, launch a new product or service, or differentiate customer experiences, it also needs to consider how much exposure to cyber and privacy risk it is willing to accept. With today’s optics, this question requires careful consideration.

In the digital age, risk management cannot only be about avoiding bad bets. It should also position leaders to make the best bets, from a risk/reward standpoint, that have the greatest potential for creating enterprise value. That means that the creation and protection of enterprise value in the digital age depends on the organization’s ability to pursue compensated risks and opportunities successfully and either avoid or transfer uncompensated risks or reduce them to an acceptable level.

A risk-informed approach fit for the digital age is one that is strategic in considering the impact of risk on strategy and performance; balanced in evaluating both opportunity and risk; integrated with strategy-setting, planning and business execution; and customized reflecting organizational business needs, expectations and cultural attributes.

Risk culture is the keystone that balances the inevitable tension between (a) creating enterprise value through innovative strategy and driving performance on the one hand and (b) protecting enterprise value through risk appetite and managing risk on the other hand. In essence, it balances the push and pull — the yin and yang — between strategy and risk appetite — an essential goal in the digital age.

Digital leaders proactively take risk, whereas digital skeptics do not. An additional seven aspects of risk culture relevant to the digital age are illustrated below.

In the digital economy, risk management should contribute to reshaping strategy in advance of disruptive change. Integrating more sophisticated quantification and monitoring capabilities into day-to-day activities of the business in executing the strategy and focusing on the risks and opportunities that matter can help management frame a composite risk profile that is fit for the digital age. It also provides more granular information on key aspects of the strategy as well as costs and benefits expected from relevant alternative scenarios. 

Market-changing organizations are built differently. It is our view that a digital leader has a very different approach to risk management than a digital skeptic. In the digital age, leaders maximize the upside while managing the downside, thus fitting the profile of companies best positioned to compete and win with an obsessive focus on growth and improving the customer experience. But if an organization does not advance its digital maturity, another risk arises. We call it “digital risk” — or the risk of embracing the status quo and choosing not to get uncomfortable in the digital age. Accordingly, a traditional approach to risk management might be the biggest risk that an organization faces when it seeks to grow and defend its share against new entrants, particularly those that are born digital from the bottom up. 

In the digital age, becoming a leader entails revisiting risk mitigation strategies with an eye toward accepting more risk and exploiting the upside potential of market opportunities. For example, rather than merely mitigating risks to the execution of the strategy, companies should also use scenario analysis (Monte Carlo and/or “what if” analysis) to assess the desired corporate risk profile of alternative scenarios and the potential impact on the achievement of strategic objectives. This analysis contributes to a more robust strategic decision-making process.

Our advice to boards: It is time to change the corporate risk culture — and digital-savvy directors should lead the way.

Questions for Boards

Following are some suggested questions that boards of directors may consider, based on the risks inherent in the entity’s operations:

  • Is the organization’s risk culture enabling its advancement in digital maturity? Or is it a barrier requiring the board’s attention from a change management standpoint? Does the board possess the digital savviness to provide the leadership the company needs and support the CEO?
  • Has the board determined that management understands the digital economy and is embracing the appropriate market differentiation possibilities in the company’s strategic thinking?
  • Does the board receive risk-informed insights, competitive intelligence and opportunities to secure early-mover positioning in the marketplace, fostering more effective dialogue in decision-making processes and improved anticipation of future opportunities, exposures and vulnerabilities?

How Protiviti Can Help

Protiviti assists companies with assessing the enterprise’s opportunities and risks, either across the entity or at various operating units, and the capabilities for managing them. We work closely with companies to ascertain the most effective ways to integrate risk within their core management processes. Our proprietary risk-informed methodology helps companies reinvent their enterprise risk management so that executive management and the board are armed with relevant risk and opportunity information to support decision-making during strategy-setting and performance management.

Our risk-informed approach considers the impact of risk on strategy and performance, measures both risks and opportunities, and is integrated with strategy-setting, planning and business execution. As we adapt our approach to the needs, expectations and cultural attributes of the organization, we recognize that forward-thinking organizations are looking for tools that help them anticipate, adapt and respond to change and focus resources on the right risks and opportunities to advance execution of the strategy and improve performance. To that end, our use of Monte Carlo capabilities and The Protiviti Risk IndexTM are examples of how we assist companies with reinventing their risk reporting.


(Board Perspectives: Risk Oversight - Issue 121)

Click here to access all series

Ready to work with us?

James DeLoach
James W. DeLoach
Managing Director