Aim to become a risk intelligent enterprise

MONDAY, SEPTEMBER 19, 2011

Enterprise risk management (ERM) has been around for at least a decade.

In some business sectors, notably financial services and energy, most industry-specific risks are managed with a high level of finesse, using complex probability modelling and sophisticated analyses. Other companies, such as some in the services and consumer business sectors, may have a less refined approach to risk management, and the need for more systematic practices is just now emerging.

But it is the rare company that intelligently manages the full spectrum of risk; that adequately assesses and addresses risk from all perspectives and quarters; that breaks through the organisational barriers that obscure a view of the entirety of risks facing a company; and that systematically anticipates and prepares an integrated response to potentially significant risks. We believe that when ERM is done right, it deserves special designation. We call such model companies "risk intelligent enterprises" (RIE).

Organisations that attain RIE status will find that they share similar characteristics, including the following:

Risk management practices that encompass the entire business, creating connections between the so-called "silos" that often arise within large, mature, and/or diverse corporations.

Risk management strategies that address the full spectrum of risks, including industry-specific, compliance, competitive, environmental, security, privacy, business continuity, strategic, reporting and operational risks.

Risk assessment processes that augment the conventional emphasis on probability by placing significant weight on vulnerability.

Risk management approaches that do not solely consider single events, but also take into account risk scenarios and the interaction of multiple risks.

Risk management practices that are infused into the corporate culture, so that strategy and decision-making evolve out of a risk-informed process, instead of having risk considerations imposed after the fact (if at all).

A risk management philosophy that focuses not solely on risk avoidance, but also on risk-taking as a means to value creation.

Part of an executive's responsibility involves understanding the nature of risk. Unlike the proverbial rose, a risk is not a risk is not a risk. Critical distinctions must be made between various types of risk: unrewarded versus rewarded, and inherent versus residual.

In enterprises where risk management capabilities are not fully developed, unrewarded risk often represents the full extent of their risk management activities. Unrewarded risk gets its name from the fact that there is no premium to be gained for taking certain kinds of risks (for example, risks affecting operations, integrity of financial statements, and compliance with laws and regulations). Conversely, rewarded risk focuses on value creation; it involves managing risks to future growth, including putting capital at risk and making profitable bets. In rewarded risk-taking, a company receives a premium for taking and managing risks - and receiving approval in the marketplace - associated with new products, markets, business models, alliances and acquisitions.

As noted previously, every company is unique, and intelligent risk management practices must be tailored to specific circumstances and needs. Therefore, there are keys to creating a sustainable RIE:

1. Establish an overall framework, policy and process for assessing and managing risk.

2. Identify key risks and vulnerabilities and the plans to address them. Assess value and determine where risks could affect value.

3. Establish your risk appetite. Determine how much risk you have taken on. Decide whether you can take on more or should take on less.

4. Decide who has responsibility and authority to take risk on behalf of the company.

5. Determine your capability to manage risk on an integrated and sustainable basis.

RIEs come in all sizes and industries, and each organisation tailors its risk management practices to its particular circumstances and needs. Organisations that are most effective and efficient in managing risks to both existing assets and to future growth will, in the long run, outperform those that are less so. Simply put, companies make money by taking risks and lose money by failing to manage them.

Apichai Phongphotakul is director of risk consulting services, Deloitte Touche Tohmatsu Jaiyos Advisory Co.