​​The State of Risk Management


​A new survey, Leadership in Risk Management, provides some insights into the state of risk management among European companies. Sponsored by Zurich, FERMA, and PRIMO and published by Harvard Business Review Analytic Services, it shares the results of a survey of 217 companies based in Europe. The results are predictably biased because the feedback is predominantly from risk managers or officers (60%). However, we can look past that as we consider the more interesting findings.

Some of the results are encouraging. Others indicate that we continue to have significant obstacles establishing the management of risk as central to the setting of objectives and strategy, and then to the optimization of performance, achievement of objectives, and the delivery of value.

Key points include:

  • The C-suite is taking a stronger role in leading the risk management effort at major primarily European companies... Congruently, companies are underscoring the need for strong board involvement to facilitate decision-making regarding strategic and enterprisewide risks and to encourage acceptance of a culture of risk management further down in the organization. [Note: this finding has to be viewed with care, as while the survey indicates that top executives are paying more attention to risk, the survey seems to consider chief risk officers (CROs) as C-suite executives — which they rarely are — ndm.]
  • Increasingly, top management and the board are setting direction and taking tighter control of risk management, integrating with overall company strategy, and inculcating it deeper into the corporate culture. At the same time, they are intensifying their focus on such areas as reputation and IT risk and are acquiring new tools for forecasting and mitigating threats.
  • Companies are struggling… to create a wider role for the risk function as a participant in strategic planning and transformational initiatives [such as mergers]… 41% said the risk function has a seat during strategy setting, project launches, investment, and other business decisions, while 42% said it has a seat occasionally.
  • Only 20% described the risk function as a tool for making more effective strategic decisions and investments, and only 17% described it as a business tool to help drive profitability by facilitating achievement of objectives.
  • More than one in four (27%) said that risk management should help the company leverage upside growth opportunities along with mitigating downside exposures.
  • European executives express concern about the robustness of their risk management processes and channels of communication.
  • The challenge is still to make sure that risk is "owned" at appropriate levels of the organization and that risks are communicated efficiently, such that top management and the board can make timely, fact-based decisions about how to address them… More than one-third of respondents expressed concern that proactive communication, potentially preventing or lessening the impact of a crisis, does not take place in a timely manner during daily operations... Only 17% of respondents described communication between the C-suite and the CRO as being comprehensive or nearly so.
  • Key risks are communicated to the C-suite regularly at 70% of organizations... At almost three out of four (72%), it reviews top risk exposures and treatment actions at least biannually. [Note: this is terrible. Top executives should be not only aware of but ensuring key risks are addressed on a continuing basis — ndm]
  • Processes to define risk appetite are now in place at nearly half of companies. Systemic risk management tools and analytics that enable them to track and analyze risk, and can then inform risk committee discussions, are in more common use.

The document includes wisdom from Prof. Walker, Zurich Chair in Enterprise Risk Management at St. John's University, on defects in the state of risk management.

Board members have said to me, "We've got to get better in doing that." Some of the complaints I get from boards are that they don't get strategy risk information on a timely basis. So they can't really help the executive team make the right decision, because they feel rushed in some of these situations. Or they see ERM leaders who talk about ERM, but they don't seem to think broadly enough and they don't do deep dives, and they don't connect the dots. Or I've heard board members say to me, "You say you're doing ERM, but from our perspective, it looks a lot like silo risk management." So they want organizations to try to connect the dots a little bit more, because there's a lot of value in doing that.

Walker goes on to say, "The CRO must dispel a common image as a person who says no to ideas, and must demonstrate the value of the metrics and other tools at their disposal, often to skeptical officials." Walker cited a recent conversation with a chief strategy officer whose "biggest criticism of ERM was, 'I need something that's actionable. You tell me what the risk is, but how do I act upon that?' So we've got to be ready for those difficult questions and have the solutions as well."

Is this consistent with the state of risk management where you are?

Is risk management the department of "no," or does it help management make better decisions and drive performance, the achievement of objectives, and the creation of value?

I welcome your comments.

​The opinions expressed by Internal Auditor's bloggers may differ from policies and official statements of The Institute of Internal Auditors and its committees and from opinions endorsed by the bloggers' employers or the editors of Internal Auditor. The magazine is pleased to provide you an opportunity to share your thoughts about these blog posts. Some comments may be reprinted elsewhere, online or offline.


