spark glitter

Analysis

Orchestrating enterprise risk management (ERM)

How successful CROs bring art to the science of risk management

Chief risk officers (CROs) have always recognized the value of science to help them manage risk. Now, they are seeing the need to develop their communication, facilitation, and other soft skills to bring an artful approach to effective risk management. To succeed today, CROs are striking a balance between the art and the science of risk management.

Explore content

It’s mostly been about science

If art and science constitute two tenets within effective risk management, in recent years science—that is to say, the quantitative and technological side of risk—has arguably become the dominant one. Technologies for capturing, monitoring, and analyzing data now generate a rich base of information. Data visualization and real-time communication provide timely tracking of many risks. Site-specific and risk-specific tools have multiplied to the point where many risks can be quantified and monitored.

Yet risks have become more numerous, interrelated, complex, and damaging. Strategic and reputational risks have proliferated. Conduct risks continue to morph in unpredictable ways, constantly outpacing organizations’ abilities to anticipate them. New cyber risks emerge as rapidly as organizations adopt new technologies. Every innovation in areas ranging from business models to operating systems, from supply chains to compensation plans, poses new risks to the organization and its stakeholders, as well as new competitive and regulatory considerations.

Orchestrating enterprise risk management (ERM)

Why art, and why now?

Successful CROs recognize the value of the science of risk, but also intentionally develop their soft skills and deploy them to drive an effective culture. They see their role as one of orchestrating the diverse and often siloed elements of risk management to create an integrated whole. They help people to grasp the parts they play in risk management and guide them to work in concert by speaking the broader language of business. And they consciously develop their communication, facilitation, and other such skills to bring art to the science of risk management.

Today’s CROs take their role in the orchestration very seriously, and realize organizations now face challenges that the science of risk management can’t address on its own, such as:

  • Risks are now too varied and dynamic to understand without ongoing human insight, which can be obscured by purely technical solutions.
  • Site- and risk-specific tools tend to reinforce siloed approaches at a time when risks are interrelated and more prone to generate knock-on effects.
  • Myriad risk-related processes and tools demand coordination and integration to provide visibility into the organization’s true risk profile.
  • Lack of coordination among risk management functions and the business obscures risks, increases costs, creates gaps and overlaps and generates risk.
  • Lack of effective risk culture results from failure to promulgate risk consciousness through practical policies and procedures, adequate job training, and robust decision support.
  • Risk management often lacks a seat at the table when decisions are made, technologies are considered, and initiatives are implemented.

Addressing these challenges demands a harmony of art and science. It’s up to the CRO, or the executive accountable for enterprise-wide risk management, to strike that balance. CROs can begin this effort by deepening their understanding of themselves and of those in the risk management and business functions.

Back to top

abstract art

2019 highlights

Our perspective on the art of risk management emerged from both Deloitte’s 2019 survey of CROs and the St. John’s University Center for Excellence in ERM Spring Summit at Carnegie Hall.1

  • Deloitte’s 2019 risk management survey found organizations that invest in risk management and link it to strategic goals typically achieve higher growth. Yet our survey also found many organizations struggle to realize the value and desired outcomes from their risk management programs—often due to failure to coordinate and integrate risk management.
  • The St. John’s University Center for Excellence in ERM Spring Summit focused on risk culture, the role of risk management in organizational transformation, and how companies have artfully embedded risk considerations into decisions, plans, and initiatives over the past 10 years.

In both instances, successful risk managers revealed themselves as working to balance the art and the science of risk management.

1 Reimagine risk: Thrive in your evolving ecosystem, Deloitte’s 2019 survey of risk management, Deloitte, 2019

A new program

The CRO works with people in every part of the organization: operations, technology, finance, accounting, marketing, sales, purchasing, human resources, legal, and facilities management. Managers in each of these functions have different concerns, priorities, and points of view, which means that the CRO needs a wide repertoire of communication and facilitation skills.

Given this and the evolving challenges that organizations face, CROs now need to:

  • Position risk management as an insight-driven, business-focused resource rather than a compliance-driven, policing function
  • Enable senior executives, the board, and business managers to look beyond risk indicators and reports to see the total risk landscape and enhance readiness and resilience accordingly
  • Assist the organization in adopting new technologies with a true understanding of their risks as well as their possibilities
  • Facilitate proactive communication about risk at all levels to strengthen the organization’s risk culture and responsiveness to change
  • Coordinate approaches to risk to promulgate successful methods and ensure that all elements of the risk management and governance infrastructure work together
  • Foster teamwork around responses to risks and risk events, often among people with diverse goals, priorities, specialties, and points of view
  • Secure a seat at the table when senior leaders make key decisions and formulate major initiatives, to ensure that all risks are identified, considered, and mitigated

These tasks demand people skills and the emotional intelligence that informs effective communication, facilitation, and coordination. These fall under the art of risk management and they’re essential.

Back to top

green blue

Working in concert

The Carnegie Hall event, which was attended by more than 100 risk executives, placed a spotlight on the findings of Deloitte field experience and research, which point to six specific approaches that bring about connection, coordination, and change. Successful senior-level risk managers work to:

Risk executives aim to help people at all levels and in all functions to manage the business better. They focus on the goals people are trying to reach and what could prevent them from reaching them. That’s the chief concern of business people, which is why they see other things as distractions.

Successful CROs don’t make it about risk. They focus their conversations on business decisions and initiatives and what could go wrong, and work to understand those things from their audience’s perspective.

Some businesspeople prefer data, charts, and numerical information while others prefer narratives or verbal explanations. Still, others prefer a mix. None of them enjoy being buried in details they see as irrelevant.

Successful CROs try to understand—or simply ask—how people prefer to consume risk information. Then they gear their communications to those preferences.

Every organization is already managing risks, such as cyber, credit, operational, financial, or health and safety. Often these risks are intrinsic to the business or subject to regulatory expectations, but they are not always the greatest threats.

Successful CROs target major threats and strategic risks, reputational risks, and interconnected risks, none of which can be managed in silos. In this way, they reframe risk management as being a business priority rather than a compliance issue.

Organizations try to invest for the greatest return but often fail. Similarly, they work to execute on strategies, but success varies wildly. While rarely seen as "risk issues", the forces that undermine sound investment decisions and successful execution of strategies are exactly that.

Successful CROs realize that an investment that can be shown to mitigate a strategic risk will usually rise in priority. They also focus on risks that lead to implementation failures. In these ways, they shed new light on the role of risk management.

When an organization has a CRO or equivalent, and they have a seat at the table for key decisions and plans, their views on risk are taken seriously by the senior leadership. In addition, a solid risk management program calls for robust funding and enthusiastic senior-level support.

Successful CROs avoid compliance roles and check-the-box reporting by helping the business to address key risks to drivers of value. By delivering on a strong value proposition, they ensure they are viewed as contributors rather than a cost.

Just as an organization can't create a culture of quality by talking about statistical process control, it can't create a culture of risk management by talking about inherent risk and risk limits. Science can easily overwhelm non-scientists.

Successful CROs ask good questions, listen actively, meet others where they are, and speak their language. They also understand their own styles of thinking and behavior and those of the people they work with, so they can adjust their style for maximum effectiveness.

In sum, successful CROs respect both the art and the science of risk management—the art because people need coordination, direction, and inspiration; the science because the business needs facts, data, and tools to operate effectively.

Keep your balance

It’s no accident that some of the most effective CROs don’t have risk management backgrounds, but do understand strategy and risk, people and priorities, art and science. CROs need data and information and the tools that provide them. They also need to build relationships, prioritize needs, and deploy communications in ways that connect with the audience, optimize resources, and create a culture with an awareness of risk and of the importance of risk management.

In practice, a balance of art and science can enable CROs to succeed on the multiple fronts on which they must address risks.

sparkle color

Explore content

Future of risk in the digital era

Transformative change. Disruptive risk.

The future of risk: Ten trends

New game, new rules