Topics: Risk Management, Strategy, Technology

November 7, 2019

Revamping Risk Culture In the Digital Age

How many directors can name a chief risk officer who has advised them and their executive team that their organization is too risk-averse? In the digital age, not enough.

It has always been understood that one must take risks to grow. And typically, the more risk one takes, the higher the potential return. Conversely, a risk-averse mindset leads to a lower return. Given the pace of change in the digital age, it’s not just a matter of taking risk to grow or generate greater returns; it’s also a matter of survival. That’s why organizations might have to take on more risk than they are accustomed to if they are to survive.

Taking risk means more than introducing new products and entering new markets. It entails becoming more innovative in reimagining processes, disrupting business models, and even reinventing the organization itself. In the digital age, the board has an important role to play in strengthening and nurturing the risk culture that facilitates the initiative, creativity, and digital thinking so critical to success.

Over three decades, best-of-class risk management has evolved from a fragmented, siloed model focused narrowly on myriad risks, to an enterprise-wide approach focused on the most critical business risks and integrated with strategy-setting and performance management. The chart below lists cultural attributes illustrating this transition:

To make an impact in the digital age, risk management should be framed around strategy. Traditional risk management applies an analytical framework to assess risks and opportunities with different characteristics and time horizon considerations, all in the same way and without contemplating multiple views of the future. Past experience and subjective assessments often influence the traditional approach to risk management. This old approach fosters groupthink rather than out-of-the-box thinking, which offers little insight as to what to do about exposure to disruptive events. It also does not account for the increased velocity of change in the digital economy and ignores the reality of the uncertainties that organizations face.

Many risks and opportunities unique to the digital age are “compensated,” meaning they present potential for an upside that compensates for the downside exposure. If all foreseeable future outcomes of undertaking a given risk or group of interrelated risks were listed, along with the expected net cash flows relating to each possible outcome and their respective probability of occurrence, a distribution of possible outcomes arises depicting both net positive and net negative cash flows, giving rise to performance variability. Therefore, compensated risks are inseparable from setting and executing an organization’s strategy.

This is why traditional risk management often does not influence strategy, as it typically focuses on mitigating and avoiding uncompensated risks. Uncompensated risks are primarily one-sided because they offer the potential for downside performance with little or no upside potential (i.e., every foreseeable outcome results in net negative cash outflows, creating a loss exposure). That said, when managing such risks, care should be taken not to ignore interrelationships with other risks that offer upside potential, for they represent compensated risks.

In the digital age, risk management cannot only be about avoiding bad bets. It should also position leaders to make the best bets, from a risk/reward standpoint, that have the greatest potential for creating enterprise value. That means that the creation and protection of enterprise value in the digital age depends on the organization’s ability to pursue compensated risks and opportunities successfully and either avoid or transfer uncompensated risks or reduce them to an acceptable level.

Thus, risk culture is the keystone that balances the inevitable tension between

  1. creating enterprise value through innovative strategy and driving performance on the one hand, and
  2. protecting enterprise value through risk appetite and managing risk on the other hand.

In essence, it balances the push and pull between strategy and risk appetite—an essential goal in the digital age.

Digital leaders proactively take risk, whereas digital skeptics do not. Additional aspects of risk culture relevant to the digital age are illustrated below:

Market-changing organizations are built differently, and a digital skeptic has a very different approach to risk management than a digital leader, whose company will often be best positioned to compete and win with an obsessive focus on growth and improving the customer experience. But if an organization does not advance its digital maturity, another risk arises—we call it “digital risk,” or the risk of embracing the status quo and choosing not to get uncomfortable in the digital age. Accordingly, a traditional approach to risk management might be the biggest risk that an organization faces when it seeks to grow and defend its share against new entrants, particularly those that are born digital from the bottom up.

In the digital age, risk management should contribute to reshaping strategy in advance of disruptive change. Becoming a leader entails revisiting risk mitigation strategies with an eye toward accepting more risk and exploiting the upside potential of market opportunities. For example, rather than merely mitigating risks to the execution of the strategy, companies should also use scenario analysis (Monte Carlo and/or “what if” analysis) to assess the desired corporate risk profile of alternative scenarios and the potential impact of risks on the achievement of strategic objectives. This analysis contributes to a more robust strategy.

Our advice to boards: It is time to change the corporate risk culture—and digital-savvy directors should lead the way.

Jim DeLoach is a managing director at Protiviti.


Jim DeLoach (December 23, 2019)

Thank you, Andrew. I agree completely these skills are needed in the boardroom, either as sitting directors or external advisers or both. Yes, I am aware of the DDN's efforts in this regard. I am a fan — great concept and focus.


Andrew Chrostowski (November 11, 2019)

Great article, Jim. Enabling your vision of digitally savvy boards requires progress on two fronts: educating current board leaders and developing a new pipeline of directors who are board ready from the ranks of technologists, CIOs, and CISOs to increase digital diversity. NACD and the Digital Directors Network (DDN) are working on both areas to make that a reality.