​​Deloitte Takes a Highly Intelligent Approach to Risk Management

Comments Views

​Deloitte’s Risk Intelligence White Papers are a set of thought leadership that I have strongly recommended in the past — and continue to do so today.

They get an A- from me for their latest addition, The board’s role in cultivating a risk-intelligent enterprise (PDF). They get the A- for some truly excellent guidance, but a small “mistake” (in my opinion) prevents their receiving a top grade.

Let’s review the great before discussing their "mistake":

  • Cultivating a risk-intelligent culture is more than establishing a code of ethics and completing a risk assessment.
  • There has been progress in revamping governance practices and establishing infrastructures, but there is still a considerable need for cultivating risk-intelligent cultures.
  • Risk intelligence is “The organizational ability to think holistically about risk and uncertainty, speak a common risk language, and effectively use forward-looking risk concepts and tools in making better decisions, alleviating threats, capitalizing on opportunities, and creating lasting value.” Risk intelligence is essential to the survival, success, and relevance of companies and investors.
  • A risk-intelligent enterprise is one where leaders understand that every action that can create value also carries the potential for risk. These leaders recognize that discussions of risk and value cannot be separated, and they view risk as a decision-driver rather than a consequence of decisions that were already made. They endeavor to make risk-intelligent choices that expose the enterprise to just the right amount of risk needed to create value. Risk is considered on the front end of every decision, both to identify potential threats and to strategically select the risks needed to pursue value.
  • A risk culture encompasses the general awareness, attitudes, and behaviors of an organization’s employees toward risk and how it is managed; a risk-intelligent culture recognizes the people aspect of risk management but also includes the notion that organizations must accept sufficient risk to create value.
  • A robust and pervasive risk culture is essential. This risk-intelligent approach should be embedded in the way the organization operates and should cover all activities and areas. Risk management should not be limited to specific business areas or operate only as a control function or audit. Developing a risk-intelligent culture can be challenging, but the benefits are significant. Effective boards help cultivate a risk-intelligent culture.

All of this is not only great, but clearly and concisely explained. The "mistake" comes when the piece starts discussing a Deloitte webcast on this topic. Unfortunately, the conversation diverts from the emphasis discussed in the first part of the paper, namely that risk management enables risk-intelligent decisions every day in the pursuit of value. The conversation reverts to the older notion that risk management is all about avoiding/mitigating the effects of bad stuff.

For example, the paper talks about a Deloitte model in which “The bottom level comprises the business-unit and supporting functions, which are essential because they identify and continually assess risks.” The error is right here, because these are not just the units and people who “identify and assess risks,” but the people who make operating decisions every day and take risks — hopefully, the right risks.

The mistake is extended in the advice for boards. The first bullet item is “Build risk competence.” Deloitte talks about “understanding the risks the organization is taking,” instead of urging organizations to help every decision-maker make risk-intelligent decisions.

I believe this is a serious mistake, one that many if not most organizations have taken: Failing to continually and persistently preach and practice the concept that risk management adds value by enabling risk-intelligent decisions that help optimize the creation of value.

However, Deloitte stills merits a high grade for the excellent advice and its clear presentation in the first part of the piece.

I welcome your views and commentary.

​The opinions expressed by Internal Auditor's bloggers may differ from policies and official statements of The Institute of Internal Auditors and its committees and from opinions endorsed by the bloggers' employers or the editors of Internal Auditor. The magazine is pleased to provide you an opportunity to share your thoughts about these blog posts. Some comments may be reprinted elsewhere, online or offline.



Comment on this article

comments powered by Disqus
  • IAF-PGS-Assessing-IA-Practices-August-2021-Blog-1
  • IT-General-Controls-Certificate-August-2021-Blog-2
  • CRMA-August-2021-Blog-3