Tag Archive: risk appetite

How to Oversee the Essential Risks of Innovation

Published by

Corey E. Thomas

When it comes to innovation, boards are notorious for sending conflicting messages. They want to hear assurances of innovation and predictability from management in the same breath. Unfortunately, innovation and predictability don’t go hand-in-hand. Simply put, innovation can’t exist without risk. In fact, the two are easily understood as a marriage—they show up together and work in unison.

Those of us who work in cybersecurity—where staying ahead of adversaries can mean life or death for a company—know that better than most. We have to invest in new ideas, technologies, and processes to adapt to an ever-changing threat landscape. Such investment, like any investment, entails some risk.

We can apply lessons learned about cybersecurity innovation to just about any industry. That’s because every company needs to innovate to remain competitive, which inherently means taking risks. How much risk is enough? How much is too much? And what’s the best way to foster innovation while balancing the need to take risks with the need for predictability?

The best way to answer these questions is to develop clear processes around innovation. It all starts with good communication and diversity of viewpoints.

Talk It Through

Effective communication is key between senior leadership and the engineers and others responsible for innovation. Communication reveals ideas worth taking chances on. There are two structural processes that can work well for this that the board could suggest.

  1. Encourage management and engineers to engage in ad-hoc sharing of observations. This means forming groups to share candid observations about what’s working and what’s not working within an organization.
    At Rapid7, we pull in team members across the organization to bring a variety of perspectives to the table. I recommend creating small cross-functional teams and getting them in the habit of observing and sharing ideas to generate more innovation. This continuous dialogue pushes people to think more broadly and differently while sharing learnings that can then be reported to the board when discussing innovation.
  2. Facilitate thought-provoking discussions. Encourage management to create thought experiments designed to spark new ideas and challenge conventional thinking. Those facilitating the conversation might start by asking, “If I gave you an unlimited amount of money to double our efficiency, what would you do?” Or, “If we were going to build a business plan to destroy our business and at the same time gain twice the profits and twice the customer loyalty, what would we do right now?”

These processes can be quite powerful in uncovering places to innovate. But in order for a leadership team and those responsible for innovation to maintain a firm grounding in the reality of the industry while also allowing room for creativity, they need a source of external truth. That means urging management to get outside of the company bubble.

Learn from the Field

To gather new ideas, people across functions should spend unmanaged time outside of the organization, bringing observations back to leadership and to their work. Spending time with customers and partners, engaging with peer groups, observing and engaging with competitors, reading, and attending conferences are all ways to gather the insights that are crucial for effective innovation. The board should challenge management to build a culture of curiosity within the company.

That said, directors should beware of herd mentality taking over the minds of management. Emulating companies that have non-sustainable positions or those in which you have too little insight into the success they are having often doesn’t play out well. Instead, encourage management to pay attention to well-performing companies in their quest for ideas that will improve your company’s position.

At Rapid7, I frame these jobs as learning. I don’t need my teams to come back with concrete action steps or specific outcomes but instead with a learning plan and details on what they saw that has the potential to transform the business over the next year.

Anything a team learns that can potentially create an advantage opens the doors to innovation. Therefore, this culture of learning should not focus only on technology, but instead on the combination of process, technology, market, and customer needs.

Create an Innovation Culture

To flourish, innovation also must be nurtured in the culture of the organization as expressed in the attitudes, beliefs, and behaviors of its people. Cultures that punish failure, demand certainty, or reward short-term results kill innovation before it can even be expressed as an idea. On the other hand, cultures that emphasize learning, encourage experimentation, and focus on rewarding long-term growth behaviors tend to be much better at innovation. One of the keys to this is encouraging transparency and reinforcing that it’s okay to discuss possibilities even when the path to delivery is unclear. Lastly, innovation demands an environment built on trust. When people don’t trust each other, they can’t be vulnerable and share their ideas, hopes, and aspirations. Directors should cultivate a culture of open conversation with their management team, and then encourage the same candor between management and employees across the company.

Embrace the Right Level of Risk

Many organizations pursue the minimal amount of innovation because they fear taking too big a leap and risking too much. Others may aggressively pursue transformational innovation that comes with a high degree of risk. What’s the right balance?

To make that assessment, directors and management can consider the three main levels of innovation, in order of increasing risk.

  • Incremental improvement innovation. You will generally have a high degree of confidence about this level of innovation because others in your industry are already doing it and you have real-world observations to back up planning for those innovations.
  • Outside-in innovation. Somewhat riskier, this level of innovation involves implementing ideas that you are confident could be successful based on outside observation—perhaps from beyond your industry—and adapting them for your organization.
  • Moon shot innovation. The ultimate risk, with a potentially high-reward payoff. Think SpaceX’s success at launching a sports car to Mars in its quest to ultimately get settlers there.

For a company that’s doing well inside a stable industry, it’s most likely not wise to take a huge risk. Incremental innovation in this case may be enough, always with an oversight-focused eye on what others in the industry are doing.

A company in a more volatile industry, however, may need to get more aggressive in pursuit of game-changing innovations, with ideas borrowed from other industries. A moon shot in this case, appropriately managed and nurtured over time, may be just what’s needed. Directors should ask management to develop plans and evidence for these innovations that are clear, concise, and geared toward oversight of the project’s successful execution and value creation.

Manage the Learning Cycle

Innovation takes time, starting with the learning cycle.

In our experience, the learning cycle takes about a year, and is crucial for properly managing the risk involved in investing further. For implementation, two to four years is a good rule of thumb to start to see a return on investment. Here’s the typical timeline from idea to implementation.

Year 1: Learn a concept.

Year 2: Decide to learn more or kill it.

Year 3: Learn a few more things and try some ideas. Refine the concept.

Year 4: Get traction.

A successful organization prepares for innovation in the same way a runner prepares for a marathon. Innovations and marathons both take time, conditioning and learning the course. That includes understanding the role that risk plays in innovation. Starting with that foundation will put boards and the companies they serve on the right track for success now and into the future.

Corey E. Thomas is CEO of Rapid7.

Help Your Company to Face Its Future Confidently

Published by
Jim DeLoach

The uncertainty of looking to the future presses boards to consider how confident their senior executives and supporting teams are in executing strategy. How can the board help the companies they oversee to face the future with a greater sense of confidence?

Confidence is neither a cliché nor an assertion of mere optimism. Rather, it is a quality that drives leaders and their companies forward. The Oxford English Dictionary defines confidence as “the state of feeling certain about the truth of something” and “a feeling of self-assurance arising from one’s appreciation of one’s own abilities or qualities.” This definition focuses on the board and management’s appreciation of the collective capabilities of the enterprise, including the ability to carry out a company’s vision. It raises three fundamental questions:

  • Do we know where we’re going directionally and why? Are our people committed to achieving a common vision that is clearly articulated, meaningful, and aspirational?
  • Are we prepared for the journey? Does our staff have the capabilities to execute our strategy? Do we have a great team, a strong roadmap, and the required processes, systems and alliances, and sufficient resources to sustain our journey?
  • Do we possess the ability, will, and discipline to cope with change along the way, no matter what happens? Does our board have the mental toughness to stay on course? Is our management team agile and adaptive enough to recognize market opportunities and emerging risks, and capitalize on, endure, or overcome them by making timely adjustments to strategy and capabilities?

Definitive, positive responses to these questions from the board will enable confidence across the organization.

Looking back on experiences working with successful companies, we identified seven attributes that organizations must have when facing the uncertainty of future markets.

How to Build the Foundation for Confidence

  1. Confident organizations share commitment to a vision. Commitment to a vision provides a shared “future pull” that is both inspiring and motivating. This perspective fuels enterprise-wide focus and energy to learn, which encourages participation and altruistic camaraderie. An effective vision crafted by the board and executive team leads people at all levels of a company to recognize that the enterprise’s success and their personal success are inextricably linked.
  2. Confident organizations have a heightened awareness of the environment. A confident organization constantly reality-tests its market understanding by facilitating effective listening to customers, suppliers, employees, and other stakeholders. Boards should encourage companies to generate sources of new learning, encouraging systemic thinking in distilling and acting on the environmental feedback received, with the objective of driving continuous improvement. The confident organization fosters a culture of sharing and supports formal and informal continuous feedback loops to flatten the organization, get closer to the customer, and promote a preparedness mindset.
  3. Confident organizations align their required capabilities. It is a never-ending priority of the board to ensure that the right talent and capabilities are in place to achieve differentiation in the marketplace and execute strategies successfully. Capabilities include an enterprise’s superior know-how, innovative processes, proprietary systems, distinctive brands, collaborative cultures, and a unique set of supplier and customer relationships.

How to Sustain Confidence

Achieving a foundation of confidence is necessary, but alone is not enough without concerted efforts to sustain confidence. Astute directors and executives know that the ability, will, and discipline to cope with change are also needed to sustain their journey. Those winning traits are enabled by the attributes below.

  1. Confident organizations are risk-savvy. The confident organization is secure in the knowledge that it has considered all plausible risk scenarios, knows its breakpoint in the event of extreme scenarios, and has effective response plans in place (including plans to exit the strategy if circumstances warrant). Most importantly, the confident organization should have an effective early-warning capability in place to alert decision-makers of changes in the marketplace that affect the validity of critical strategic assumptions. In a truly confident organization, no idea or person is above challenge and contrarian views are welcomed.
  2. Confident organizations learn aggressively. Confident organizations improve their learning by: creating centers of excellence; embracing cutting-edge technology to drive the vision forward; fostering an open, transparent environment of ongoing knowledge sharing, networking, collaboration, and team learning; perceiving admission of errors as a strength and requiring learning from the missteps; and converting lessons learned into process improvements. Aggressive learning stimulates the collective genius of the entire enterprise.
  3. Confident organizations place a premium on creativity. Innovation should be an integral part of the corporate DNA of the confident company, and should be evidenced by setting accountability for results with innovation-focused metrics at the organizational, process, and individual levels to encourage and reward creativity. Companies committed to innovation have the creative capacity to take advantage of market opportunities and respond to emerging risks. When innovation is a strategic imperative, companies empower and reward their employees to take the appropriate risks to realize new ideas without encumbering them with the fear of repercussions if they aren’t successful.
  4. Confident organizations are resilient. Confident organizations have adaptive processes supported by disciplined decision-making, and are committed to adapting early to continuous and disruptive change. They have the will to stay the course when the going gets tough, and are prepared to act decisively to revise strategic plans in response to changing market realities. By building large capital reserves, having great relationships with their lenders, and cultivating trusting relationships with their customers, vendors and shareholders, they do not allow competitors to gain advantage. The strategies that their boards approve include triggers for contingency plans that directors and management will implement if certain predetermined events occur or conditions arise.

In summary, the speed of change continues to escalate, creating more uncertainty about future developments and outcomes. If there was ever a time for a board to assess an organization’s confidence, we believe it is now. It’s one thing to have a confident CEO, but if the people within the entity lack confidence, the organization itself may not have the creativity and resiliency needed to sustain a winning strategy.


Jim DeLoach is a managing director with Protiviti, a global consulting firm.

Six Principles for Improving Board Risk Reporting

Published by
Jim DeLoach

Board risk reporting is a subject of debate within many organizations as directors often consider reports to be too detailed or not actionable. Simply stated, risk reporting should enable the board and its respective committees to understand and govern the organization’s risks. To that end, here are six interrelated “board risk reporting principles” intended to foster reporting that focuses directors on the risks that matter and enables them to bring to bear their knowledge and expertise in ways that add and preserve enterprise value:

  1. Focus on critical enterprise risks and emerging risks. The critical enterprise risks represent the top risks that can threaten the company’s strategy, business model or viability and consequently warrant the most attention from the board’s risk oversight process. The board also needs to be mindful of emerging risks triggered by unanticipated and potentially disruptive events of varying velocity, ranging from catastrophic events—for example, a pandemic or hurricane—to existing risks accelerated by external and/or internal factors in unexpected ways, such as the impact of deteriorating underwriting standards or the demand for an endless supply of mortgage-backed securities on the subprime market that led up to the 2008 financial crisis.
  2. Address ongoing business management risks on an outlier basis. Every business has myriad operational, financial and compliance risks. For those risks that are not critical enterprise risks, risk reporting should be integrated with periodic status reports on line-of-business, product, geographic, functional, or program performance. Reports on these risks should also be triggered by the escalation of unusual matters that warrant immediate board attention, such as exceptions against established limits (i.e., limit breaches). The point is that reporting on the day-to-day risks should not be as frequent as reporting on the critical enterprise and emerging risks.
  3. Ensure risk reporting is linked to key business objectives. Realistic and measurable objectives support the organization’s overall strategy and business plan. Risks related to those objectives may impact the organization’s ability to achieve those objectives and execute the strategy and plan. The relevancy of risk reporting is more firmly established with directors when it is closely tied to strategic business plans and the critical objectives and initiatives management has communicated to them.
  4. Use risk reporting to advance dialogues around risk appetite. A winning strategy exploits the areas in which the organization excels relative to its competitors. The risk appetite statement serves as a guidepost for when a new market opportunity or significant risk emerges. Although dialogue around risk appetite has advanced at the board level over recent years, there is still plenty of room for improvement. Once executive management and the board agree on the drivers of—and strategic, operational, and financial parameters around—opportunity-seeking behavior, the resulting risk appetite statement is a reminder of the core risk strategy arising from the strategy-setting process. Risk reporting should call attention to the level of risk the organization is undertaking in the pursuit of value creation and disclose when conditions change and the agreed-upon parameters are approached or breached.
  5. Integrate risk reporting with performance reporting. When stakeholders (e.g., owners of corporate, line-of-business, product, geographic, functional or program performance goals) report on performance to the board, they should also disclose the related key risks. Linking opportunity-seeking behavior and the related risks is important as it enables each stakeholder reporting to the board to engage in a dialogue with directors on: the underlying risks and assumptions inherent in executing the strategy and achieving performance targets; the “hard spots” (i.e., the aspects of the plan that are well within reach to be achieved) and “soft spots” (i.e., the riskier parts of the plan) inherent in the performance plan; the implications of changes in the business environment on the core assumptions and desired risk levels underlying the strategy; and the effectiveness of risk management capabilities. The effectiveness with which risk reporting is integrated with performance reporting is a powerful indicator of the enterprise’s risk culture. If risk reporting is an appendage to performance reporting, risk is more likely to receive limited board agenda time.
  6. Report on whether changes in the external environment affect the critical assumptions underlying the strategy. Risk reporting should provide insights as to whether executive management’s assumptions about markets, customers, competition, technology, regulations, commodity prices and other external factors remain valid. Reporting should focus on whether changes in these environmental factors have occurred, which could alter the fundamentals underlying the business model. Boards place high value on “early warning” capability.

The above principles are not intended to prescribe specific reporting practices, but rather offer sound direction for the board and management to pursue in improving the substance and content of the reporting.

Questions for Boards

The following are suggested questions that boards may consider, based on the risks inherent in the entity’s operations:

  • Does the board periodically evaluate the nature and frequency of management’s risk reporting?
  • Do directors work with management to agree on risk information the board and its committees require?
  • Is the board satisfied that both full board and board committee agendas allocate sufficient time to risk?
  • Do directors think they receive sufficient information on changing risks to avoid surprises?


Jim DeLoach is a managing director with Protiviti, a global consulting firm.