Risk Management is failing to meet expectations - The time to act is now
Wednesday, 3 July 2013 00:00
-
- {{hitsCtrl.values.hits}}
A recent global survey of more than 1,000 C-level executives, across multiple industries, has revealed a widening gap between stakeholder expectations for sophisticated and effective risk management and corporate capabilities to execute. The survey by KPMG International, Expectations of Risk Management Outpacing Capabilities - It’s Time For Action, was conducted by the Economist Intelligence Unit.
The survey focuses on priority areas for assessing the evolution of governance, risk & compliance (GRC) and identifies the challenges facing the enterprise. Key areas include:
noperationalizing risk management and linking it to organizational strategy
nensuring accuracy of the risk profile
nclarity of roles and responsibilities through the “three lines of defense” structure
nconverging the risk and control functions across the organization
nenhancing the aggregation and analysis of data to create an enterprise-wide view of risk
nincreasing transparency with enhanced reporting and communication tools
nadapting to an evolving regulatory environment
naligning incentives with risk management objectives.
Consequently, the top risk perceived by C-level executives is the growing regulatory pressure. A global economic crisis and geopolitical instability are seen as the most threatening risk scenario across almost all industries.
Despite their awareness of the risk environment, most companies surveyed do not have a consistent way of assessing risk across the enterprise. A significant minority of respondents (20 percent) say there is no process at their company to develop and aggregate a risk profile and a further 38 percent rely on a self-assessment by the business units. Almost half profess difficulties in understanding their enterprise-wide risk exposure.
Survey results consistently demonstrate that companies struggle to build an enterprise-wide view of threats, making it difficult to plan strategically.
Many do not perform effective bottom or middle-up risk assessments, or develop and implement risk appetite statements.
Self-assessments by the business units are lacking. Companies are increasing their investment in risk management and believe that technology can help, especially in breaking down the barriers between the risk and control oversight functions. But measuring the value of those investments remains a persistent challenge.
“What we are seeing is a case of outdated thinking being applied to a new world economy. And while best practices in GRC can serve as guidelines, corporations seeking to capitalize on emerging opportunities will have to rethink their approach to risk from every aspect of their business,” commented KPMG International’s Global Leader for Risk Consulting, Michael J. Nolan.
He further stated, “Understanding risk appetite is critical to calibrating the risks of pursuing a given strategy, each organization must be able to respond to whether it is taking too much or too little risk for a given level of return.”
By ensuring that risk management is everybody’s business and not simply that of a single department, companies have a chance to rise to the challenge. Within the key areas covered by the survey, KPMG has outlined opportunities for savvy leaders to foster a risk-resilient culture within their organizations.
“I think we can all agree that increased regulation and uncertainty in global markets is posing some credible challenges for most companies. But within those challenges lies tremendous opportunity to take a leadership role and become more competitive. Companies that can manage risk in an integrated and holistic way while being agile and flexible in their approach will gain a clear competitive advantage,” continued Nolan.
Define, operationalize and articulate risk management
With today’s complex and changing risk environment, it is essential that companies clearly define and articulate their appetite for risk. Only then, can they begin to integrate risk management into the overall corporate strategy, making it an essential part of collaborative decision making, discussion, debate and learning.
Improve communication across the enterprise
By clearly defining roles across the three lines of defense, companies can close gaps in managing priority risks and eliminate duplication of effort. Also, by improving the quality and visibility of risk information through greater sharing, companies can create a seamless flow of information that will benefit all lines. Effective communication to stakeholders will enhance their understanding of the risk program and positively impact value in the minds of the Board, investors and regulators.
Develop and reward your people
Technology is an enabler of the convergence of risk and control functions, but human skills are essential if companies are going to manage the complexity of this kind of convergence. The setting of common goals for risk and compliance can only be done with sufficient numbers of people with the right skills. Furthermore, by including risk management as an important attribute for leadership with the ability to manage risk as part of regular performance reviews, companies can reward employees for prudent decision making, not just for aggressively hitting financial targets.
Clearly define Return on Investment
One clear trend in the survey is that companies are spending more to strengthen risk management despite their struggle to estimate its ROI. By understanding the link between risk management and corporate strategy and how identified risks threaten the achievement of business objectives, executives can move risk management from a theoretical exercise to a business tool.
“While the global financial crisis has created significant challenges for businesses, one positive outcome is Boards’ desire for greater understanding of integrated risk management,” said Nolan.
“As trusted advisors, handling strategic risk is not about compliance and box-ticking, it is a critical investment companies make that can underpin an organization’s long–term growth, value and sustainability. It is all about risk optimization, aligning an organizations’ risk appetite with desired returns.”