Skip to Content

When I first read the Accenture 2011 Global Risk Management StudyI was shocked. It seemed to say what nobody else, nor my personal experiences talking to hundreds of companies around the world, was indicating: that there had been a tectonic, positive shift in risk management practices and philosophy.

All of a sudden, risk management was broadly perceived as critical to optimizing and sustaining performance. A massive increase in acceptance and implementation of risk management had occurred since the last Accenture study in 2009.

But, a careful read shows that Accenture surveyed companies that either had an official Chief Risk Officer (64%), a senior executive who performed that role without the title (14%), or a manager who performs that role without the CRO title (6%). Only 16% of the respondents were at companies without a risk office. In addition, about half of the companies were large enterprises with revenues in excess of $5bn.

Even with this caution, the results of the study are important and interesting. After all, even risk officers have been talking about protecting value rather than enhancing performance. They have also not been so positive about continued investment in risk management as this study shows.

Here are some of the highlights for me, but there is a wealth of information, especially if you access their referenced Risk Management Thought Leadership Library.

  • Executives understand that the challenges facing their organizations have never been greater. They are increasingly looking to risk management leaders to provide guidance on the path ahead, mitigating critical risks and enabling long-term sustainable growth.
  • What we are witnessing, especially as we compare the 2011 results with the findings from our last  survey in 2009, is a clear maturation of risk management capabilities across all industries—a rapid march up the business value chain and the development of governance and organizational structures that give risk a voice at the executive table.
  • Risk management capabilities are more critical, more connected, more strategic and overall more valuable to enterprises as they execute their business plans. As a result, companies are spending more time and effort advancing their risk management capabilities as a business priority.
  • The executive mindset is broadening, and risk management is becoming both more comprehensive and more integrated—whether in decision making or in formalizing enterprise risk management programs or in the restructuring of the risk management organization and its leadership.
  • Companies have increasingly initiated comprehensive enterprise risk management programs and are more likely to have in place C-level executive oversight to ensure that risk is being managed at a more strategic level. In short, risk management capabilities are not only prevalent and a target of investments—they are also more strategic and aligned with growth strategies, and they are helping companies achieve their most important business priorities.
  • Beyond the immediate pressures of global markets, more demanding customers and dramatic industry change is a growing recognition that companies have an opportunity to drive competitive advantage from their risk management capabilities, enabling long-term profitable growth and sustained future profitability.
  • This means that risk management at the top-performing companies is now more closely integrated with strategic planning and is conducted proactively, with an eye on how such capabilities might help a company move into new markets faster or pursue other evolving growth strategies. At its best, risk management is a matter of balance—the balance between a company’s appetite for risks and its ability to manage them.
  • “Key risk performance indicators and specific, focused risk analyses are now more often included in investment and strategic decisions.”
  • Companies are increasingly concerned about the spectrum of risks—from supply chain to operations to regulation to reputation. Financial fraud and crime are on the rise.
  • Risk management needs to support positive business growth, not only protect against negative occurrences.
  • Organizational silos and outdated information systems prevent many enterprises from adequately sharing information that could mitigate risks more effectively.
  • Executives want risk management to be a driver for sustained future profitability, and they understand the importance of infusing a risk culture throughout their organization, but too few companies are achieving those goals.
  • The risk management organization needs to be included in activities such as strategic planning, objective setting and incentives, financing decisions and performance management processes.
  • It is vital to have in place mechanisms to create and distribute more broadly across the organization an awareness of risk exposure, detailed training and the means to mitigate risks.
  • Failure to link risk management to growth and value means leaving money on the table, and, consequently, the failure to achieve high performance.
  • “Risk is a higher priority for us than two years ago because business and risk complexity are changing—driven by regulation, competition, customer expectations, technology, processes, environmental issues and new products, as well as macroeconomic and market factors. Business and risk complexity are rising faster than the current risk management function can keep up. Hence, we are now enhancing our risk management capabilities to enable our organization to keep pace with those complexities.”
  • “A high-quality and efficient risk management function is among the top strategic goals of the company, ranking second only to growth and profitability.”
  • Almost all respondents felt that their risk management capabilities provide at least some source of competitive advantage, a finding consistent across industries.
  • Interesting geographical differences were apparent from the survey results. Companies in Latin America, for example, are especially likely to have ERM programs—an almost unanimous 99 percent of those surveyed. European companies were the least likely to have an ERM program at 52 percent; North America was also below the survey average at 60 percent.
  • Eighty-three percent of respondents see risk management investments (which includes salary and benefits for risk employees, professional services, technology costs, facilities and travel) increasing in the next two years.
  • Geographically, Latin American companies foresee larger risk management investments than other parts of the world: 90 percent foresee significant or moderate investment increases, compared to the survey average of 83 percent. Asia Pacific and North America are slightly under the average, at 82 percent and 81 percent, respectively.

                                       

I will close with this quote, just to please my masters at SAP (they have risk management solutions):

  • The effective use of technology in areas such as analytics is increasingly an important differentiator enabling leading organizations to stay ahead of the competition, helping them to focus their time and attention on the issues that matter most. 
To report this post you need to login first.

5 Comments

You must be Logged on to comment or reply to a post.

  1. Julius von dem Bussche
    Hi Norman,

    Thanks for sharing this, the stats “smoothing” and your insights.

    From my experiences companies with official risk offices make a rather academic excersize out of it and hence the access which consultants have to the officers and data. What is an officer without a fleet of consulants around them?

    Down here on the technology shopfloor these .ppt consultants are one of the biggest risks to the organization and when they bring their semi-expert colleagues in to implement the “tools” to throw at the risks, then they destroy value beyond imaginable boundaries.

    I like the idea of customers partnering with vendors and sharing some of the risk. Actually I am waiting for the day when customers are smart enough to not only blacklist some consultancies, but start taking level action against them.

    That risk should IMO be introduced to the industry…

    Cheers and thanks again for the interesting SDN blog!

    Cheers,
    Julius

    (0) 
    1. Clinton Jones
      Unfortunately I don’t think we will see blacklisting of consulting groups anytime soon. The reason being that bad implementations can often be attributed to either poor customer requirements definitions; poor project governance; failures by individuals and the cosy relationship between consultancy groups and technology vendors.

      No CIO or IT VP or Director is going to go with a small consulting group if they feel there is the slightest risk that the engagement will go South. They tend to be reassured when using Big Gun consulting firms because they misguidedly think that a bad situation can be easily turned around by a larger consultancy. In reality most projects still come down to individuals and the experience of those individuals and not the project implementation methodology.

      If methodology was a pivot point using industry agreed best practices (another sticking point) then you could get by with mediocre resources which is often what big consultancies throw at projects to do the grunt work. case in point : County of Marin and their recent SAP implementation.  

      (0) 
      1. Julius von dem Bussche
        Hi Clinton,

        There are many blacklists, but I am not aware of a public one. The SDN users with the name “Guest” from having been “guestified” for cheating the system is about as close as it gets.

        I fully agree that customer side must also bring a strong project management and consultant management (as well as good specs).

        When you notice that consultants are using workarounds in the blueprint phase or latest to be able to go-live, then it is a bad omen.

        The thing about workarounds is that they lead to more workarounds, and in the end you can forget about the holistic risk management.

        9 times out of 10 you can forget about GRC graphics for management as well if that happens and start over with the next “major release”, because they are well trained to get the hell out of the project shortly after go-live and move on to the next one… No one from the support org. reads their .ppt slides anymore nor has access to their Excel sheets with myriad mappings.

        I would like to see a GRC holistic consulant stick around for long enough to do Post-implementation support and survive a release upgrade – for me that is the “acid test”.

        Cheers,
        Julius

        (0) 
  2. Kumud Singh
    Hi,
    Throughout the blog I could perceive that there’s gonna be huge demand for good Risk analysts.

    However,would like to ask that we have been reading about risk management even in our courses.Then why do we still have so many discrepancies around?

    Regards,
    Kumud

    (0) 
  3. Norman Marks Post author
    I am a big believer that when managers have reliable, current, complete, and timely information about risks they will make better decisions. Those better decisions will lead to better performance.

    So, yes, as people realize what risk management can do the demand for people to help bring those skills to bear will grow.

    (0) 

Leave a Reply