Deloitte Takes a Highly Intelligent Approach to Risk Management

Norman Marks, CRMA, CPA, was a chief audit executive and chief risk officer at major global corporations for more than 20 years. The views expressed in this blog are his personal views and may not represent those of The IIA.


Deloitte’s Risk Intelligence White Papers are a set of thought leadership that I have strongly recommended in the past — and continue to do so today.

They get an A- from me for their latest addition, The board’s role in cultivating a risk-intelligent enterprise (PDF). They get the A- for some truly excellent guidance, but a small “mistake” (in my opinion) prevents their receiving a top grade.

Let’s review the great before discussing their "mistake":

  • Cultivating a risk-intelligent culture is more than establishing a code of ethics and completing a risk assessment.
  • There has been progress in revamping governance practices and establishing infrastructures, but there is still a considerable need for cultivating risk-intelligent cultures.
  • Risk intelligence is “The organizational ability to think holistically about risk and uncertainty, speak a common risk language, and effectively use forward-looking risk concepts and tools in making better decisions, alleviating threats, capitalizing on opportunities, and creating lasting value.” Risk intelligence is essential to the survival, success, and relevance of companies and investors.
  • A risk-intelligent enterprise is one where leaders understand that every action that can create value also carries the potential for risk. These leaders recognize that discussions of risk and value cannot be separated, and they view risk as a decision-driver rather than a consequence of decisions that were already made. They endeavor to make risk-intelligent choices that expose the enterprise to just the right amount of risk needed to create value. Risk is considered on the front end of every decision, both to identify potential threats and to strategically select the risks needed to pursue value.
  • A risk culture encompasses the general awareness, attitudes, and behaviors of an organization’s employees toward risk and how it is managed; a risk-intelligent culture recognizes the people aspect of risk management but also includes the notion that organizations must accept sufficient risk to create value.
  • A robust and pervasive risk culture is essential. This risk-intelligent approach should be embedded in the way the organization operates and should cover all activities and areas. Risk management should not be limited to specific business areas or operate only as a control function or audit. Developing a risk-intelligent culture can be challenging, but the benefits are significant. Effective boards help cultivate a risk-intelligent culture.

All of this is not only great, but clearly and concisely explained. The "mistake" comes when the piece starts discussing a Deloitte webcast on this topic. Unfortunately, the conversation diverts from the emphasis discussed in the first part of the paper, namely that risk management enables risk-intelligent decisions every day in the pursuit of value. The conversation reverts to the older notion that risk management is all about avoiding/mitigating the effects of bad stuff.

For example, the paper talks about a Deloitte model in which “The bottom level comprises the business-unit and supporting functions, which are essential because they identify and continually assess risks.” The error is right here, because these are not just the units and people who “identify and assess risks,” but the people who make operating decisions every day and take risks — hopefully, the right risks.

The mistake is extended in the advice for boards. The first bullet item is “Build risk competence.” Deloitte talks about “understanding the risks the organization is taking,” instead of urging organizations to help every decision-maker make risk-intelligent decisions.

I believe this is a serious mistake, one that many if not most organizations have taken: Failing to continually and persistently preach and practice the concept that risk management adds value by enabling risk-intelligent decisions that help optimize the creation of value.

However, Deloitte still merits a high grade for the excellent advice and its clear presentation in the first part of the piece.

I welcome your views and commentary.

Posted on May 3, 2013 by Norman Marks


  1. Norman,

    Thanks for the reference to the Deloitte white paper. I think as a general statement it makes many excellent points. I don't share your concerns noted above regarding "mistakes", but do see another area where the white paper is silent and could/should be improved.

    What I find interesting is the report sees very little role for internal audit helping boards discharge the responsibilities they list in the guidance, including the ability of traditional direct report internal audit methods that provide subjective opinions on control "effectiveness" to help boards oversee risk appetite and tolerance. Deloitte, like all of the major public accounting firms, is still required by U.S. SEC regulation as external auditors to provide subjective opinions on whether they believe controls over financial reporting are, or are not, "effective" in accordance with COSO 1992. Soon they will have to form views whether the company manifests enough of the control criteria in COSO 2013 to get a binary "effective" rating. In cases where Deloitte provides contract Internal Audit services I suspect they still take a fairly traditional approach and opine whether they think controls are "effective". They certainly took this approach in a client I am currently working for. This doesn't provide what it could to help boards better understand the areas of the financial disclosures that have the highest composite uncertainty and the other areas, including key strategic objectives, that have high residual/retained risk positions.

  2. Norman - Good, astute points. "Risk" carries overwhelmingly negative connotations - it's something to be avoided at all costs. However, the Wright Brothers took a risk. So did Columbus, Rosa Parks, and Steve Jobs. Without taking risks, the world would be a dull place. In an organization with a well-developed risk culture, people have a sense of what/where/how much risk to take. And there are governance mechanisms to check in if you're not sure. As for the downsides, there can (should?) be different risk tolerance for different aspects of a company's footprint. The risk management practices a utility uses to keep the power on shouldn't be the same as stocking office supplies. It's OK if someone runs out of staples at their desk - there are more elsewhere in the building.

  3. "That's one small step for man, one giant leap for mankind." N. Armstrong.

    I believe Deloitte took a step forward even if it is difficult to leave the old habits (their own culture). I find it very valuable because it is quite difficult for a company such as Deloitte to come to this point. Thank you ISO 31000 for helping to achieve this much.

    I am sure others will follow also; I am expecting especially from KPMG and PWC soon.
