(First, in the spirit of full disclosure: I work for Farmers Insurance which is owned by Zurich Financial Services. I don’t have a dog in this hunt, but wanted to start by getting that one on the table. Okay, moving on…) Something a little different today as I swerve dangerously close to covering a subject that might be considered real audit work. (No comments from my various co-workers who, right now, are indicating surprise that anything I do would swerve anywhere near audit work.) But a recent study caught my attention.
Zurich Financial Services has conducted a survey, in collaboration with Harvard Business Review Analytical Services, on what the C-Suite thinks about risk management within their organizations. The results have been published in a paper titled “Risk Management in a Time of Global Uncertainty.” (It’s got a real Love in the Time of Cholera feel to it, doesn’t it? Sorry. Where was I?) You should spend some time checking it out — 32 pages of perspective on where companies are, where they need to go, and where some of the interesting gaps still exist related to risk management.
Here are just a few quick notes from the study:
- Over two-thirds of those surveyed say risk management has become somewhat or significantly more important over the last three years. (Seems self-evident, but at least the message is getting through.)
- One in ten respondents said their executive management was “highly effective” at creating a “strong risk-aware culture”. (Not a particularly overwhelming mandate.)
- >40% of respondents considered their approach to ERM to be “proactive.” (An interestingly undefined word.)
- 42% of companies with 10,000 or more employees have a “Chief Risk Officer.”
- Companies with best practices in ERM continue to be concentrated in a few sectors that have been traditionally strong in this area: financial services, health care, energy.
- Only one-third of respondents felt they were doing well at any of the six risk management capabilities they most often cited as critical to organizational performance.
To recap — some you win and some you lose.
Yes, everyone is becoming more aware and thinks risk management is “darned important”; no, not enough appears to be getting done. My own personal interpretation of this (a cynical interpretation, I will quickly admit) is that business continues to respond the way it always has when we try to tell them the building’s on fire. A crisis occurs, people pay lip service to the new fear, there is much angst/gnashing of teeth/Brownian motion on the surface, and beneath it all is the consistent plodding of business as usual.
And now let me throw out what I consider to be the single scariest stat I found in this report. Question: “How closely does the individual in your organization most responsible for risk management work with the audit function?” Answer: “Very Closely – 32%; Somewhat closely – 39%; Not at all closely – 15%; Don’t Know – 13%.”
I know you glass half-full types are pointing to the two-thirds of the audit shops who are, at the very least, “somewhat closely” involved and declaring victory. (To which I then point to the phrase “somewhat closely” and wonder exactly what is meant by such a wishy-washy phrase.) For us glass half-empty/risk mostly-unidentified types, we point to the one-quarter who don’t involve internal audit or, to view it as a dry-as-desert, completely empty glass, we point to the 13% who don’t know what audit does (okay, maybe they know what it does, but you get my point) and say we’re losing.
As I mentioned, there are a lot of different messages that can be read into this report. I suggest you take a look and discover what you think the current state is. I suggest you take the information and compare it with your organization to see how it fares. And I suggest you dig deep into this report and take a good, hard, long look at the role internal audit has in your organization when it comes to risk management — whether that be education, a seat at the table, or joining the ostriches with their heads buried deep in the basement — and, from that, determine what role your internal audit department must take to ensure your organization has a robust, effective risk management approach.