Risk Management: Increasingly Important and Vastly Underused
As the economy becomes more complex, organizations find themselves confronting an increasing array of risks that can significantly—and negatively—affect their businesses. To understand how organizations around the world manage emerging risks, the AICPA and CIMA, in conjunction with NC State University, surveyed more than 1,300 executives worldwide and released the CGMA report, Global State of Enterprise Risk Oversight: Similarities and Differences in Opportunities for Improvement.
Some of the key findings from the report highlight the need for the development of risk management leadership—particularly in light of the many types of risk an organization might face. Sixty percent of organizations acknowledge that they face an increasing number of risk issues, yet less than 35 percent have a formal enterprise risk management (ERM) program in place. In this same vein, 70 percent would not describe their risk management oversight as mature, and 40 percent or less are satisfied with risk exposure reporting to senior management.
In its report, A Practical Guide to Risk Assessment, PricewaterhouseCoopers maintains that the risk assessment process represents the cornerstone of an effective ERM program and details 14 types of risk assessment. Not every organization will face all of these risks, but the list includes:
- Credit—evaluating risk from borrowers who fail to meet obligations in accordance with agreed terms
- Compliance—evaluating risk from compliance obligations, as well as laws and regulations, policies and procedures, business conduct and other standards
- Customer—evaluating the risk profiles of customers who could potentially impact the organization’s reputation or financial position
- Financial Statement—evaluating risk related to a material misstatement of the organization’s financial statements
- Fraud—evaluating potential instances of fraud that could affect ethics and compliance standards, business practice requirements, financial reporting integrity and other objectives
- Information Technology—evaluating the potential for technology system failures and such factors as processing capacity, access control, data protection and cybercrime
- Internal Audit—evaluating risk to the value drivers of the organization, including strategic, financial, operational and compliance objectives, as well as possible impact on shareholder and customer value
- Market—evaluating risk from market movements that may impact the organization’s performance or risk exposure
- Operational—evaluating the risk of loss from inadequate or failed internal processes, people and systems, or from external events
- Product—evaluating risks from every aspect of an organization’s product, from design and development through use and disposal
- Project—evaluating risk factors associated with the delivery or implementation of a project, and how it would affect stakeholders, timelines, cost and other considerations
- Security—evaluating potential breaches in physical assets and information protection and security
- Strategic—evaluating risks relating to an organization’s missions and strategic objectives
- Supply Chain—evaluating risks concerning the inputs and logistics necessary to create products and services
While the concept of risk assessment may seem daunting, especially to an organization without a formal ERM program in place, the report points out that the process has many positives. It not only allows a business to recognize potential adverse events, become more proactive and establish appropriate responses, but also to discover new opportunities for the organization.
Risk assessment and oversight continues to be lacking, particularly in the U.S.
The Chartered Global Management Accountant® (CGMA®) report points out that most firms have not designated an individual to serve as the chief risk officer (CRO) or senior risk executive. This is especially true in the U.S., where less than a third have someone in an equivalent position. Non-U.S. organizations are slightly more proactive in this regard, closer to 50 percent.
What are the hallmarks of an effective CRO? According to the Enterprise Risk Management Initiative at NC State University, there are six keys to success. Its article titled, Strengthening the Role of the Chief Risk Officer in an Organization,says that the CRO role must at times be adversarial to enrich discussions, provide diversity and avoid tunnel vision within the organization. But above all the CRO:
- Must be viewed as a peer with business line leaders
- Needs free access to the board for reporting and conveyance
- Should not be the only person “responsible” for risk management—it needs to be an organizationally accepted concern
- Has to ensure that managing risk and pursuing opportunity are not mutually exclusive endeavors
- Must broaden the focus of the company to look beyond issues of compliance only
- Needs to be clearly defined within the organization
The CGMA report also notes that while management committees are more likely to exist than the official position of CRO, these committees are found in less than 50 percent of U.S. organizations. Compounding the problem for both committees and CROs is the fact that compensation is seldom a factor in determining risk management performance. Additionally, 80 percent of organizations have not invested in any risk management training for their executives over the past two years.
What the business world needs now is a renewed focus on leadership and accountability. With the rapid changes in the global economy, not strengthening risk management will inevitably lead to failure and significant missed opportunities. Finding the individual(s) who can lead and affect change within an organization’s risk portfolio is not only necessary, it might very well provide further strategic advantages.
Do certain aspects of risk in our global economy keep you awake at night? Can you think of additional risks that others have not even imagined? Post your response below.
Chrissy Jones, MBA, Manager- International Communications and Management Accounting
Tightrope walker courtesy of Shutterstock