Accenture's 2013 Global Risk Management Study (PDF) starts with a great subtitle: "Risk management for an era of greater uncertainty." I love this play on words: we live in uncertain times, and risk management is all about addressing the uncertainty between us and our objectives (as the esteemed Felix Kloman says, risk management helps us "pierce the fog of uncertainty"). As ISO 31000 tells us, risk is the effect of uncertainty on objectives.
While the results of the Accenture study should be taken with at least a grain of salt because 25% of the respondents were CROs (22% were Compliance Officers, 25% CFOs, and just 20% CEOs), they are encouraging.
Let me share the good news before moving to the key point they missed:
- "The vast majority (98%) of surveyed respondents report an increase in the perceived importance of risk management at their organization. One phrase that resonated with us was 'Action is not optional.' That is seen as true both for the broader organization and for the risk management function."
- "At one time, risk management in many organizations could be described by some as 'the department that says no.' Today we would characterize risk management more as 'the department that enables execution.'"
- "We see risk management as being much more integrated and connected, playing a much larger role in decision-making across the organization — particularly in budgeting, investment/disinvestment, and strategy."
- "Survey respondents see risk management as enabling growth and innovation. In order to survive — and certainly to grow — every company should strive to innovate and move its business forward. Simply pushing forward without understanding and mitigating the risks ahead could ultimately lead to disaster in some form. To enable growth and innovation, effective and integrated risk management capabilities should be implemented early and throughout the process. And these capabilities are scarce — both within the companies we talked to in this research and also in the market at large. So risk management capabilities should be prioritized and focused on the things that matter to move the needle for the organization."
In addition, Accenture reports that "High-performance risk management organizations are taking a focused approach to embed analytics into their management processes." I see it as essential that risk management functions use analytics to understand changes in the internal and external environment that reflect current and potential changes in risk levels.
I will leave you to read the report in full, paying special attention to the section on "What sets Risk Masters apart?"
So what did they miss?
Whether you like the COSO ERM Framework or, like me, the ISO 31000:2009 global risk management standard, both say that risk management is part of decision-making and that a mature organization has the management of risk as an integral part of organizational processes.
A continuing focus on what is essentially the building of a silo of risk management, which is what Accenture advocates when they trumpet the existence of a senior executive as CRO, is not going to make the management of risk an integral part of organizational processes.
A continuing focus on risk management as a separate activity with staff and leadership is failing to recognize that every manager, executive, and board member needs to be a practicing manager of risk.
It's not enough to say that the CEO owns the organization's risks when she is not encouraged to act as risk owner. Instead, she is repeatedly encouraged to delegate the management of risk to a CRO.
What I believe is necessary, and is missing from the report, is for the expert in risk management to teach the rest of the organization how to include risk and uncertainty as an integral and essential part of the strategy-setting, decision-making, and performance management processes.
The Chief Risk Officer should become the Chief Risk Learning Officer, training, coaching, and mentoring all the decision-makers to be the risk officers.
But how many have taken on that task? How many hold classes in risk management essentials? How many coach strategy officers and CFOs on how to embed the consideration of risk into their activities?
How many measure their effectiveness by the number of executives who no longer need their help?
I welcome your comments and perspectives.