A recent publication, Global Risk Oversight, by North Carolina ERM Initiative, in partnership with the Chartered Global Management Accountant ( CGMA ) provides insights on the current state of enterprise – wide risk oversight, including identified similarities and differences in different parts of the world.
Here are some key findings, with emphasis added:
- Organizations all around the world perceive an increasingly complex risk environment.
- Risk management practices appear to be relatively immature cross the globe. Around 30% or less of organizations indicate they have ‘complete’ enterprise risk management ( ERM ) processes in place. Only about 25% of the survey respondents describe their organization’s risk maturity as “mature” or “robust”.
- Most organizations struggle to integrate their risk management processes with strategic panning. Despite the fact that most strategies maybe impacted by a number of risks, only about 50% of organizations around the world “mostly” or “extensively” consider risk exposures when evaluating new strategic initiatives.
- There is a lack of detailed risk oversight infrastructure in most organizations. Only a few organizations have formal risk management policy statements and frequently update risk reports.
- Around 80% of organizations have not conducted any formal training risk management training for their executives.
- There is increased pressure on management to strengthen risk oversight. Depending on the geographical location of the organization, this pressure is coming from either the board of directors, the CEO or the audit committee.
- Lack of sufficient resources to invest in ERM and the perception that there are more pressing competing priorities have been identified as the biggest barriers impeding the progress of maturing the organization’s risk management processes.
In light of these findings, the authors of the report recommend that:
- Senior executives and boards of directors honestly and regularly assess their organization’s current approach to risk oversight in the today’s changing risk environment.
- Management genuinely consider whether the process used to understand and evaluate risks associated with the organization’s strategies actually delivers any unique capabilities to manage and execute their strategies.
- Organizations appoint a risk champion such as a Chief Risk Officer (CRO) or create a management-level risk committee in order to help strengthen the risk management function and ensure all risk management processes are appropriately designed and implemented.
- Organizations spend time analyzing the vast amounts of data they have to generate insights about emerging risks that may impact their organizations’ strategic success.
Overall, the report is a good read and a great starting point for improving enterprise-wide risk oversight.
It helps senior executives ask important questions when evaluating their organizations’ overall approach to risk oversight. However:
- Although the authors mention regular updating of the risk register. I would add risk management is not about list compilation, otherwise organizations might find themselves building risk lists that lack any insight for effective decision making. It is about identifying and evaluating those key risks with the potential of derailing the organization’s strategic success and finding effective ways of mitigating any losses. Furthermore, intelligent risk decision-making does not look only at the downside of risks but also at the opportunities found in taking calculated risks.
- There is no mention in the report about offering risk management training to middle-level and lower-level employees, only to senior executives. The tone at the top and culture will determine if the organization succeeds at maturing risk management processes. Identifying and managing enterprise risks should be everybody’s responsibility within the organization. Thus, I believe there should be a common risk language throughout the organization.
- Appointing a risk champion to strengthen risk oversight is critical. However, the individual appointed must have a deeper understanding of the business, its critical performance drivers and the ability to partner with the rest of the business. He or she must also be able to deliver the necessary risk training required.
- Clear communication channels should be established to enable free flow of risk communication from top-down and bottom-up. People should not be scared to raise red flags or emerging risk issues to senior executives. Although the board of directors ultimately holds the risk oversight responsibilities to shareholders and other stakeholders of the business, if they receive inappropriate risk reporting from the bottom, the information they will feed to these interested parties will also be inadequate.
- Risk management should be ingrained in the DNA of the business. Risk conversations should be about supporting strategic objectives achievement and enhancing business performance, as opposed to being a box-ticking exercise all the time.
Do the survey findings reflect the situation at your organization? If so, what are you doing to improve this situation?
I welcome your comments and views.