The Zurich Insurance Group has published “Risk Management in a Time of Uncertainty” based on a survey of business executives by Harvard Business Review Analytic Services.
The overall message is that while the focus on ERM has increased, companies still have a long way to go. The authors reference the lack of a strong “risk-aware culture” at 90% of companies.
Some interesting bits:
- Most executives still feel their companies have a long way to go in extending a proactive risk management culture deep into the organization.
- Almost 40% consider their companies to be proactive. But only one in 10 consider their executive management to be highly effective in creating a strong, risk-aware culture, and 35% feel their executive efforts are ineffective.
- Nearly two-thirds of executives still describe their company’s risk culture as basic or reactive, with the proportion edging higher for the smallest enterprises — under 100 employees — and nonprofit organizations.
- And while 34% of survey respondents cited linking risk information to strategic decision making and embedding a risk-aware culture as two of the most important capabilities for successful risk management in their businesses, only 14% felt they were doing extremely well at the first and only 11% rated themselves highly at the second.
- Follow-up interviews reinforced the conclusion that most companies still have a long way to go to embed a truly successful risk management culture — a culture focused on driving sustainable and profitable growth rather than simply protecting against downside losses and operational risks.
- Only a quarter of executives rate their board’s involvement [in risk management] as high, and 30% describe it as static or declining.
- The presence of a CRO or other individual with overall responsibility for risk management is a key indicator of success at building an enterprise-wide risk management process. Besides taking a more proactive approach, the Harvard Business Review Analytic Services study found that organizations with a CRO did more extensive advance planning than other companies in almost every major risk area — notably, information security, new regulations, scarcity and/or cost of capital, and the prospect of another asset bubble developing.
- Risk managers should have a separately constructed compensation package that helps to maintain their independence and does not deter them from “blowing the whistle” when necessary.
- Despite the need for support at the top, however, executives repeatedly describe ERM as a collaborative process, emphasizing the need for business leaders — and not the CRO or the C-suite — to “own” the risks that touch their operations. Nearly three out of five companies report that they decentralize risk management responsibilities. This brings them closer to best practice, which calls for organizing ERM around three “lines of defense”: Line Management; Risk Management (including Legal and Compliance); and Audit.
- While risk management reporting today is increasingly an independent operation, internal audit continues to play a role examining and evaluating the ERM process. Almost three-quarters of executives reported that the person responsible for risk management at their company works closely with the audit function.
- Companies also express, although more tentatively, a desire to incorporate a better understanding of the way risks can build on each other to produce more serious problems than might be expected individually.
- If companies are at widely different stages of development in the adoption of formal risk measurement tools and models, they agree generally about the benefits of implementing an ERM process, some of these relating directly to risk management and others helping to make the company itself more competitive.
These are only some of the insights in the report. I encourage a full review. For example, there are extended discussions on how organizations are measuring risk and addressing the issue of risk-aware culture.
On the negative side, I was struck by the number of cited companies that only perform risk assessment annually!
What do you think?