​Feeling a Little Uncertain Myself

Comments Views

(First, in the spirit of full disclosure: I work for Farmers Insurance which is owned by Zurich Financial Services. I don’t have a dog in this hunt, but wanted to start by getting that one on the table. Okay, moving on…) Something a little different today as I swerve dangerously close to covering a subject that might be considered real audit work. (No comments from my various co-workers who, right now, are indicating surprise that anything I do would swerve anywhere near audit work.) But a recent study caught my attention.

Zurich Financial Services has conducted a survey, in collaboration with Harvard Business Review Analytical Services, on what the C-Suite thinks about risk management within their organizations. The results have been published in a paper titled “Risk Management in a Time of Global Uncertainty.” (It’s got a real Love in the Time of Cholera feel to it, doesn’t it? Sorry. Where was I?) You should spend some time checking it out — 32 pages of perspective on where companies are, where they need to go, and where some of the interesting gaps still exist related to risk management.

Here are just a few quick notes from the study:

  • Over two-thirds of those surveyed say risk management has become somewhat or significantly more important over the last three years. (Seems self-evident, but at least the message is getting through.)
  • One in ten respondents said their executive management was “highly effective” at creating a “strong risk-aware culture”. (Not a particularly overwhelming mandate.)
  • >40% of respondents considered their approach to ERM to be “proactive.” (An interestingly undefined word.)
  • 42% of companies with 10,000 or more employees have a “Chief Risk Officer.”
  • Companies with best practices in ERM continue to be concentrated in a few sectors that have been traditionally strong in this area: financial services, health care, energy.
  • Only one-third of respondents felt they were doing well at any of the six risk management capabilities they most often cited as critical to organizational performance.

To recap — some you win and some you lose.

Yes, everyone is becoming more aware and thinks risk management is “darned important”; no, not enough appears to be getting done. My own personal interpretation of this (a cynical interpretation, I will quickly admit) is that business continues to respond the way it always has when we try to tell them the building’s on fire. A crisis occurs, people pay lip service to the new fear, there is much angst/gnashing of teeth/Brownian motion on the surface, and beneath it all is the consistent plodding of business as usual.

And now let me throw out what I consider to be the single scariest stat I found in this report. Question: “How closely does the individual in your organization most responsible for risk management work with the audit function?” Answer: “Very Closely – 32%; Somewhat closely – 39%; Not at all closely – 15%; Don’t Know – 13%.”

I know you glass half-full types are pointing to the two-thirds of the audit shops who are, at the very least, “somewhat closely” involved and declaring victory. (To which I then point to the phrase “somewhat closely” and wonder exactly what is meant by such a wishy-washy phrase.) For us glass half-empty/risk mostly-unidentified types, we point to the one-quarter who don’t involve internal audit or, to view it as a dry-as-desert, completely empty glass, we point to the 13% who don’t know what audit does (okay, maybe they know what it does, but you get my point) and say we’re losing.

As I mentioned, there are a lot of different messages that can be read into this report. I suggest you take a look and discover what you think the current state is. I suggest you take the information and compare it with your organization to see how it fares. And I suggest you dig deep into this report and take a good, hard, long look at the role internal audit has in your organization when it comes to risk management — whether that be education, a seat at the table, or joining the ostriches with their heads buried deep in the basement — and, from that, determine what role your internal audit department must take to ensure your organization has a robust, effective risk management approach.

The opinions expressed by Internal Auditor's bloggers may differ from policies and official statements of The Institute of Internal Auditors and its committees and from opinions endorsed by the bloggers' employers or the editors of Internal Auditor. The magazine is pleased to provide you an opportunity to share your thoughts about these blog posts. Some comments may be reprinted elsewhere, online or offline.



Comment on this article

comments powered by Disqus
  • SCCE 2018 June 19-30_Blog 1
  • IIA_Symposium_June2018_Blog 2
  • IIA_QAL_June 2018_Blog 3