Most Americans know they should eat better and exercise regularly. Few of us put such knowledge into practice, though. Similarly, a survey shows an overwhelming majority (96 percent) of CEOs and board members understand their companies likely will face significant threats to growth. Yet few have done much to counter risks or approached them strategically.
Deloitte commissioned "Illuminating a path forward on strategic risk" to gauge attitudes about threats that pose the most risk to growth. The 400 executives (200 CEOs, 200 board members) surveyed “are risk-aware but not adequately risk-prepared," says Chuck Saia. He is CEO of Deloitte’s risk and financial advisory unit.
The survey finds the top risk to growth is disruptive technologies and innovations (35 percent). Cyber incidents and events follow at 27 percent. Third is risk related to working with third-party vendors and key business partners (26 percent). Risk from an erosion in brand trust or reputation (24 percent) is next. Risks from weak or unhealthy organizational culture (20 percent) brings up the rear.
Technology and Cyber Dominate
More than half the CEOs and board members believe disruptive technology and cyber are the major risks to growth. This concentration on technology and cyber, Deloitte says, may be overshadowing cultural and brand reputation risks on leadership agendas. It is striking, of course, that this is so despite at least 19 U.S. CEOs and 22 board members having had to resign/step down amid scandals and ethical issues this year.
Moreover, there's an interconnectedness between risks that organizations may be missing, says Deloitte. For example, a cyberattack is not only a cyber issue, but can lead to erosion in brand trust and reputation.
Speaking of cyber—despite its high spot on the risk list, it's faring poorly in terms of strategic preparation. Just 30 percent of CEOs and board members say they are "highly engaged" in developing a cyber response strategy and governance. In addition, the study finds just 30 percent of CEOs and 21 percent of board members are conducting scenario planning for cyber incidents.
Reputation Getting Short Shrift?
While risk in general is something the executives think about and discuss, brand reputation seems to be in need of specific attention.
Fewer than half of CEOs (42 percent) and roughly 50 percent of board members discussed reputation risks during the past year, Deloitte says. Roughly the same percentage (53 percent of CEOs and 46 percent of board members) are unable to identify things that can damage brand reputation. Not surprisingly, more than 50 percent of organizations lack a plan to develop or acquire tools to manage reputational risks, including crisis-response capabilities.
This last finding tracks with an earlier PR News-Nasdaq PR Services survey. That survey found roughly half of companies plan for PR crises. Even fewer (roughly 40%) conduct meaningful and regular crisis communication exercises.
In addition to brand reputation, corporate culture also seems to be lacking for attention, the Deloitte survey finds. Fewer than 33 percent of organizations provide regular reports at the CEO and board level on culture.
The survey also examines a company's risk in working with partners or vendors. You might recall the brand reputation hit that Walmart absorbed in July 2017. That's when a vendor posted a wig on the retailer's site with a racial slur attached to it. Walmart is far from alone. The Deloitte survey indicates more than 50 percent of organizations lack a plan to establish formal risk-monitoring standards for the third parties they work with. Most of the CEOs (62 percent) acknowledge that third parties have weaker risk policies than their own, though.
In conclusion, Deloitte urges companies to be strategic about managing strategic risks. "Our survey results demonstrated that many organizations are not truly embracing this approach," it says. "An enterprise-wide strategic approach to risk management recognizes the danger these risks pose to the execution of strategy and achievement of goals." A strategic plan to counter risks, meanwhile, includes applying technology correctly, monitoring and measuring risks, planning for crises and incidents and keeping risk awareness on the leadership agenda.
Seth Arenstein is editor of PR News. Follow him: @skarenstein