Corporate approaches to risk management are not keeping pace with the velocity and complexity of risk in today’s business environment, suggesting it’s time for a refresh to traditional methods.
Nearly three-fourths of leaders at public companies, large organizations, and financial institutions say they’ve seen a marked increase in the volume and complexity of risk in the past five years, according to a new study out of North Carolina State University and the American Institute of Certified Public Accountants. Yet, only one-fourth believe their risk management processes are mature or robust enough to keep pace. The majority said they do not believe their handling of risk could be described as complete or formal approaches to enterprise risk management.
That suggests there’s a big gap between the risk landscape and companies’ ability to navigate it. “There’s still a lack of clarity in how risk management should help me strategically,” says Mark Beasley, a professor at NC State who led the study. “In so many entities, if you ask people ‘tell me about risk management,’ you hear ‘that’s the group that tells me I can’t do X’ or ‘that’s internal audit.’ They don’t see the value of risk management.”
Deon Minnaar, a partner at KPMG who leads the global practice around ERM and GRC, says he sees a lot of companies struggling with ERM. “Some ERM programs have become stale over time,” he says. “It’s become a little too much like a paper exercise to keep up.”
Ash Noah, a vice president at the AICPA and a former CFO with global experience, says the interconnectedness of markets makes keeping up with emerging risks a particular challenge. “It’s getting more difficult to look out and see what’s coming at you,” he says. “That’s why it’s getting more difficult to identify and manage risk, but it’s all the more reason you need a systematized way to look at it.”
Experts agree the time has come for companies to rethink their long-standing approaches to risk. For starters, it needs to be elevated in many cases. “In many organizations, risk has been relegated to middle level or upper middle level management,” says Chris Ruggeri, principal at Deloitte who leads the strategic risk and reputation management practice. “That misses the fact that there are interdependencies in risk factors. Traditional ERM approaches don’t consider the interdependencies across the risk spectrum. They look at each risk in isolation.”
Stephen Zawoyski, U.S. ERM leader at PwC, says ERM is too often seen as simply an exercise companies must endure. “It’s seen as an annual trip to the dentist,” he says. “Too many times it’s being done to comply with a request from the audit committee.” The key stakeholders in ERM—board, management, and internal audit—often have different expectations of ERM, he says, but many programs are not designed to satisfy the needs of all three groups.
Another problem, says Zawoyski, is that ERM is often run by the internal audit department, which puts a negative connotation on ERM. He says that internal audit is asking: “What are all the things that can happen?”
The NC State study suggests some companies are trying to move in that direction, establishing management-level risk committees and even appointing chief risk officers, but they are still in the minority. “It’s the start of a trend, but it’s definitely not the majority,” says Zawoyski. It’s more prevalent in highly regulated industries, like financial services.
In addition to elevating the risk function to higher levels in the organization, companies also need to tie their discussion of risk more closely to their strategy, experts say. “Whoever is in charge of ERM needs a true seat at the table when it comes to strategy,” says Minnaar. Certainly, boards and senior management are already thinking about risk when they make critical decisions, but having the ERM voice at the table would formalize it, he says.
Ruggeri agrees that’s a missing element for many companies. “The mindset about risk has been anything but strategic,” she says. “Risk is usually thought about in the context of something to be managed, mitigated, reduced, or eliminated. But it’s virtually impossible to eliminate all risk from business.”
Changing that mindset is another reason to elevate risk management, says Ruggeri. “It has to start at the top of the house,” she says. “It has to start in the C-suite at the board level.”
COMPLETE ERM IN PLACE?
The chart below from the AICPA and NC State shows an increase from 2009 through 2012 with a leveling off for the subsequent three years in the percentage of organizations that claim they have a “complete formal enterprise-wide risk management process in place.”
Jennifer Burke, a partner at Crowe Horwath in risk consulting, says she was surprised to see in the NC State study the extent to which ERM is still not tied to strategy-setting at the board level. She says boards should take a close look at risk right before their annual strategic planning gets started. “Having that conversation about risk management right before the strategic planning processes puts risk in mind,” she says.
COSO, the organization that gave capital markets a framework for internal control over financial reporting, is updating its separate framework on ERM. The board issued an exposure draft and is working through comment letters before finalizing the update. The new framework is expected to emphasize the importance of linking ERM to an organization’s strategy and performance.
That would be a useful tool for companies that recognize their risk approaches are in need of a reset, says Burke. “It will help organizations have a more tangible approach to ERM,” she says.
Zawoyski says the new framework will be useful both in elevating the risk discussion and in tying it to strategy and performance, but it won’t dictate the exact mechanics of an ERM program. “It’s principles-based,” he says. “It’s not an implementation guide. It’s not going to tell you what your governance structure should look like, but that you need one and here’s its role and here’s what it needs to accomplish. So, it’s very scalable.”
The new framework will be a useful tool, says Ruggeri, but it won’t be a silver bullet. “It’s not a substitute for a holistic organization-wide mindset to risk management,” she said. “You can have the best processes in the world but if people follow them by rote and don’t gain the insights they are intended to provide, it fails to meet the mark.”