Excellence in Risk Management Is More Dream Than Reality


Marsh is one of the leading insurance brokers and risk management consulting organizations. In partnership with the Risk Management Society (RIMS), they have published a Special Report: Excellence in Risk Management XI – Risk Management and Organizational Alignment: A Strategic Focus (registration required).

Their summary of the report says:

“While risk management is playing a more strategic role within organizations than ever before, many are not using the full potential of the function, according to the 11th annual Excellence in Risk Management survey, published by Marsh and RIMS.

“Ninety-three percent of C-suite respondents to the survey indicated that risk management carries either some or significant impact on setting their organization’s business strategy with 76% confirming that their organizations treat risk management as a key strategic function. However, when asked whether their organization uses the risk management function to its fullest abilities, only 20% of C-suite respondents answered affirmatively.

“Among the findings from the report:

  • More than 90% of C-suite respondents said risk management impacts business strategy.
  • Only 25% of risk professionals feel their companies use risk management to its fullest ability.
  • There is a gap between risk professionals’ and the C-suite’s prioritization of cyber risk.
  • The C-suite views risk mitigation and risk identification as key areas in which the use of data and analytics can be improved.”

Marsh seems somewhat optimistic about the progress that has been made. Clearly, some demonstrable improvement has been achieved, with boards and C-suite executives making the risk function a more important part of their organization.

In particular, I am encouraged that some organizations are moving rising stars into the risk function as part of their path to the top.

However, there continue to be signals that boards and executive management don’t understand risk. There continues to be an emphasis on insurance, reflected in the desire to hire individuals into risk management who have experience as brokers.

Three aspects of the report disappointed me.

First, the authors seem to believe that recognition that risk management and strategy is the responsibility of the risk officer is a good thing. I beg to disagree. While the report bemoans the fact that many look to the CFO to own risk management strategy and execution, there is no mention that risk management strategy and execution should be the collective responsibility of management — executive, senior, and operating management. Recently, I read a consultant say that risk belongs to the person who owns the loss. That is such a pessimistic view! I would have much preferred him to say that risk belongs to the person who owns performance — the goal!

The continuing focus on the negative, instead of recognizing that effective risk management enables better decisions and drives performance, is a drag on achieving excellence in risk management.

Another disappointment is the failure to say that effective risk management means that risk is considered as an integral part of day-to-day management of the organization. Instead of being (as the report says) an “omniscient” source of knowledge about risk, risk officers should teach managers across the organization to fish (instead of giving them fish). Risk officers should be mentors and guides, together with reporters of cross-functional issues, rather than owners of risk management, strategy, and execution.

Excellence in risk management is achieved when every decision-maker is a risk practitioner.

Finally, I am disappointed with the reported preference of risk practitioners to improve their technical capabilities for such issues as modelling (including the use of Big Data Analytics) and risk quantification. While there is some emphasis on understanding the business, there is insufficient recognition of the need to improve practitioners’ communication skills. How are they to teach managers to fish when they have communication issues — and many do, using technobabble instead of the language of the business?

Risk practitioners should become more like business managers than technicians. They need to understand how they can help the organization succeed, rather than trying to put a statistically accurate value on a particular risk.

IBM has separately published Next Generation Risk Management (downloadable, with registration, here). While it announces that it describes “a framework for successfully managing business and supplier risk in the new global operating environment,” it is focused in a siloed fashion on supplier risk. I say “siloed fashion” because there is no reference to managing risks to enterprise objectives.

How can you manage supplier risk without understanding its effect on enterprise goals and strategies?

While there are useful pieces of information in these reports from Marsh and IBM, they fall short of my standard for excellence in risk guidance.

I welcome your comments.

The opinions expressed by Internal Auditor's bloggers may differ from policies and official statements of The Institute of Internal Auditors and its committees and from opinions endorsed by the bloggers' employers or the editors of Internal Auditor. The magazine is pleased to provide you an opportunity to share your thoughts about these blog posts. Some comments may be reprinted elsewhere, online or offline.
