Two articles came to my attention recently.
They had similar things to say about risk management.
The BusinessDay (BD) piece is interesting because corporate governance in South Africa is (in my opinion) a model, especially when it comes to risk management and internal audit. To quote from a KPMG piece on the King Code:
"The board is responsible for the governance of risk (to be specified in the board charter). The board responsibilities include the following: [I have included just three items from their list.]
- Comment in the integrated report on the effectiveness of the risk management system and process
- Receive assurance on the effectiveness of risk management from management as well as a written assessment of the effectiveness of the system of internal controls and risk management from internal audit
- Disclose in the integrated report its view on the effectiveness of the risk management process and any unusual risks."
"King 3 requires companies to establish an internal audit function which provides assurance over the company's governance, risk management and internal controls. Internal audit will be required to provide a written assessment of the system of internal controls and risk management to the board, as well as a written assessment of the internal financial controls to the audit committee."
The BD article makes a number of interesting points as it reviews the IIA report.
- Only 17% of 221 internal auditors surveyed felt their organisations were identifying and managing risks sufficiently. [I assume that these auditors know how to assess risk management – not a common capability, unfortunately]
- 37% of the respondents considered their leaders to be competent
- 19% felt their companies were using human capital resources optimally
- Only 38% strongly agreed that their leadership had a good understanding of internal audit, compared with 54% last year
Before commenting, let me add this from the IIA report:
- Where comparisons are made between 2013 and 2014, there is a perception that corporate governance in South Africa has worsened. (The index is down from 3.2 to 2.9 out of 4)
- The greatest challenge for South African organizations lies in the area of risk management, and the management of external risks in particular
- Overall organizational performance was also disappointing, as it attained the lowest score on the index (2.5)
- Only 30% believed that Information and Communications Technology (ICT, i.e. IT) was well aligned to the strategic objectives of the organization
This is disappointing news from IIA South Africa. I am not surprised by the lack of confidence in the management of risk…
But I am shocked at the lack of confidence in leadership! I wonder whether CAEs are sharing these insights with their boards!
Steve Minsky similarly has interesting observations:
- Despite reports that more than 65% of organizations have adopted Enterprise Risk Management, executives remain unimpressed and skeptical of the value their ERM programs are providing versus what is needed
- … fewer than 1 in 5 executives say their companies are effectively managing emerging risk, and the report's authors worry that "Companies may be 'checking the boxes' that say they have processes to monitor strategic risks"
- … two in three companies said they did not have a method of ensuring that strategic risks are incorporated into the organization's strategic planning process, and 43% do not have confidence in their method of reporting to the board
Adding comments directly from the APQC report:
- … only 19 percent of organizations say that their ERM processes are effective at identifying new risks. Additionally, 61 percent of organizations do not systematically ensure that strategic plans properly account for risks that have been identified in the risk review cycle
- … when asked how many times a year their organization formally reviewed progress on action items that were generated to mitigate strategic risk, the organizations that review these action items continuously, quarterly, or even biannually largely find their ERM processes to be more effective—compared to those who do not review or do so only once a year, the majority of which find their ERM processes barely or not effective
- … many MBAs have not been taught enterprise risk management and have difficulty incorporating it into the fold of everyday considerations and operations
- ERM leaders must help board members and decision makers gain clarity on the nature and extent of the risks that are acceptable—indeed, desirable—in the pursuit of strategic objectives. It's key to drive productive conversations about strategic risks—not only risks in a strategy, but also risks that could throw obstacles in the way of strategy execution. As ERM leaders tend to say, "We want to play offense as well as defense"
I want to emphasize one key point: when the management of risk is part of the continuing management of the organization, not just a periodic review of a list of top risks, there is a far greater likelihood that it will be effective.
What is effective risk management?
It is when decisions and performance are optimized because decision makers are basing their actions, in part, on reliable processes and information around risk.
I do have to say that I smiled when I saw the phrase "We want to play offense as well as defense." So much for the three lines of defense model!
I welcome your comments and observations.
Are you surprised by the results of these surveys?