When it comes to CEOs and risk management, the numbers paint a bleak picture.
62 percent of CEOs and 77 percent of board members are not “highly engaged” in addressing cyberthreats1
96 percent of CEOs and board members surveyed said their organizations foresee serious threats and disruptions to their growth prospects in the next two to three years
62 percent of CEOs viewed the risk management policies of their third parties as weaker than their own
Cyber attacks are the Number 1 concern among executives in advanced economies2
In other words: CEOs recognize that risk management is a problem. It’s just that they aren’t always sure what to do about it—or if they are, they often aren’t effective at implementing solutions.
CEOs are in a tough spot, of course. Chief Executives have a separate—some would say primary—mission traditionally considered to be at cross-purposes with risk management (though it shouldn’t be). That mission, of course, is to deliver growth and value for shareholders and employees.
Grappling with challenging circumstances such as these is why CEOs make the big bucks. But the figures above are illustrative of broader risk concerns, offering a glimpse inside the sleep-deprived minds of those in the corner office.
The billion dollar question then becomes: how can leaders navigate today’s complex risk environment while accelerating performance and growth?
How CEOs Should Think About Risk Management
CEOs should conceptualize risks the same way their companies should: by tying them to their strategic initiatives.
“With organizations enhancing their risk-management programs, they should view such programs as strategic enablers of innovation and connect risk management to their business vision,” according to Dan Kinsella, a partner with Deloitte Risk and Financial Advisory at Deloitte & Touche LLP.
CEOs, meanwhile, should connect risk management to their vision for themselves as effective executives.
The initiatives for CEOs will differ slightly from that of the overall company, but they’re bound to be similar. While a company might tie its risks to competitive advantages, a CEO should opt for a mental model that aligns risks to his or her top duties as an executive and how they affect the company’s direction.
Let’s break it down further. A key task of any executive is to understand the impact of daily routines and priorities. They can then, in turn, use those findings to align risk strategy accordingly.
The top three priorities of every CEO are listed below, followed by some questions the CEO can reflect upon to assess risks.
Set the vision for the company’s direction.
How can risk management keep the company on the right track strategically?
What are the emerging threats to strategy, business model, and operations?
Where are my blind spots?
How is the company’s reputation tied up with its risks?
What tools and technologies should I be investing in to keep the company safe?
How can I think about the ROI of investing in risk management—whether people, processes, or technologies?
Are we protected in the event of major business disruptions?
Recruit and retain talent.
Have I put the right people in place (CISO, CRO, etc.) to keep tabs on our risk stature?
Have I empowered these people to make the right decisions on the company’s behalf?
Am I keeping them accountable?
Have I helped them communicate the importance of risk management throughout the organization?
Putting Thought Into Action
Unfortunately many leaders are still relying on traditional tools and approaches to detect and manage threats. Today’s environment demands that CEOs anticipate and proactively mitigate risks before they emerge.
This sounds like tricky feat, and it is. CEOs can start by understanding where they have the most control and oversight, and address that risk first. As an example, many executives and boards are underinvesting in brand, reputation, and culture risk—key areas where they have the most control and oversight. They can earn victories here and use them as momentum for addressing other strategic risks.
Remember that reputation and culture are key company assets: not just because they are valuable on their own, but because they influence every other facet of the business as well. For example, the CEO can shape and demonstrate a culture of cybersecurity from the very top of the company, which produces salutary effects that ripple throughout the rest of the company’s activities. Unfortunately CEOs tend to think it’s the other way around, that cybersecurity comes first and culture is the byproduct.
LogicGate: Giving CEOs the Upper Hand
Once a CEO has identified key areas of focus, he or she can start to invest in technology that aligns those areas with risks to the company.
“This survey echoes what I’m hearing in my conversations with executives,” one of the report's authors notes. “They simply aren’t aware of the cutting-edge products and services now available to tackle strategic risk. Many are not appreciating the severity these complex threats pose and are not aligned on levels of engagement.”
A first step in the right direction is to abandon the traditional tools and approaches that have left CEOs struggling to stay one step ahead of their risks. They need technology that helps them view and manage their risks, as well as see how all their risks are interconnected.
LogicGate’s ERM software solution is an agile and robust platform specifically tailored to help businesses do just that. Through its powerful data mapping capabilities, it helps CEOs see a holistic view of all the company's risks and how they relate to the key business objectives and drivers. Based on the organization’s unique risk appetite, LogicGate’s flexible app builder empowers executives to customize risk scoring models and drive risk-response protocols based on conditional logic and dynamic reporting. Armed with this data, CEOs can make decisions concerning risk and innovation with confidence.
1Source for 1–3: Deloitte’s Risk and Financial Advisory Survey, which included 200 CEOs and 200 board members at U.S. companies with more than $1 billion in annual revenue. Industries include technology, media and telecommunications, consumer, energy and industrials, financial services, life sciences/health care, and government.
2According to a survey by the World Economic Forum.
For more on ERM, check out LogicGate's eBook, Assessing the Costs and Benefits of ERM: An Inquisition