The global business risk environment is growing more complex, making it more important than ever that companies can effectively predict and respond to disruption. And yet, most companies’ risk oversight processes are not up to par.
Those are some of the key findings from a new report, the “2017 Global State of Enterprise Risk Oversight,” released jointly by North Carolina State’s Enterprise Risk Management (ERM Initiative) and the Association of International Certified Professional Accountants—a global accountancy body formed by members of the AICPA and the Chartered Institute of Management Accountants.
The report is based on a survey of 586 respondents in senior accounting and finance roles to gather insight on the current state of enterprise-wide risk oversight in four global regions: Europe and the United Kingdom; Africa and the Middle East; Asia and Australasia; and the United States.
One of the main findings from that study is that respondents around the globe overwhelmingly believe the volume and complexity of risks today has grown much over the past five years. An offshoot of this business environment are the unexpected risks that emerge.
“The increase in risks and the operational surprises are tied to the dynamic global business environment,” says Mark Beasley, director of the Enterprise Risk Management Initiative at North Carolina State University and co-author of the report. “For example, Europe and the U.K. have seen issues ranging from the Brexit vote to immigration challenges, while Africa and the Middle East have dealt with a wide variety of challenges, such as disruptions caused by the ongoing war in Syria and conflicts with ISIS.”
“The United States has been comparatively stable, but we seem to have entered a period of domestic political uncertainty, which is not reflected in the survey, and of course issues abroad can have significant effects on U.S. organizations,” Beasley adds.
Even as the risk environment grows more complex, most companies’ risk management practices still need significant improvement. “We’re seeing a major disconnect between how organizations perceive their challenges and how they are responding to them,” Beasley says.
Less than one-third of respondents in all four regions believing they have “complete” enterprise-wide risk management (ERM) processes in place. In all regions of the world, too, less than a quarter of respondents described their risk management oversight as “mature” or “robust.”
“We’re seeing a major disconnect between how organizations perceive their challenges and how they are responding to them.”
Mark Beasley, Director, Enterprise Risk Management Initiative, North Carolina State University
The survey also examined what techniques companies use to identify, assess, and monitor their key risk exposures. Roughly one-quarter of respondents in each region said they don’t maintain risk registers of their top risk exposures.
Furthermore, 57 percent of companies in Asia and Australasia and 47 percent in Africa and the Middle East have formal risk management policy statements, compared with 36 percent in Europe and the United Kingdom, and 39 percent in the United States.
The survey further found a disconnect between risk oversight and strategy execution. A higher percentage of respondents in two regions—Asia & Australasia (34 percent) and Africa & the Middle East (53 percent)—believe their risk oversight provides a competitive advantage, compared to a very small percentage in Europe and the United Kingdom (18 percent) and in the United States (19 percent).
About half the respondents believe that their senior executive teams consider existing risk exposures when evaluating possible new strategic initiatives. Higher percentages were reported by respondents in Europe & the United Kingdom (53 percent) and in Africa & the Middle East (also 53 percent). Only 44 percent of U.S. companies, however, hold a similar belief.
Another report, “The Strategic Financial Executive: Managing Risk in a Disruptive World,” conducted by the Financial Executives Research Foundation (FERF) in partnership with Grant Thornton revealed similar findings. In that report, just 25 percent of financial leaders said that they feel they’re able to execute a proper response to risk, and 57 percent admitted they were too late in recognizing changes.
“Organizations of all kinds face new risks from the fast rate of change in regulation, competition, technology, and other factors,” says Andrej Suskavcevic, CEO of Financial Executives International and FERF. “[F]inancial executives are integral to advising CEOs and boards of directors on these changes and partnering across their organizations to help identify and manage these risks.”
Risk management vs. strategy. The FERF and Grant Thornton report spoke about the need for a more sophisticated process in managing risk. “Leaders can help their organizations reduce risk by looking not only at financial indicators, but at other metrics that measure business health,” says Bailey Jordan, risk advisory services partner at Grant Thornton. “Risk can even drive opportunity.”
CALLS TO ACTION
The findings from the 2017 Global Risk Oversight report give rise to the following calls to action.
1. The increasing complexities in today’s business environment mean risk management is unlikely to get easier. Senior executives and boards of directors benefit from honest and regular assessments of the effectiveness of the current approach to risk oversight in the light of the rapidly changing risk environment.
2. Given the fundamental relationship between “risks” and “returns”, most business-unit leaders understand that taking risks is necessary to generate higher returns. The challenge for management is to genuinely consider whether the process used to understand and evaluate risks associated with the organization’s strategies actually delivers any unique capabilities to manage and execute their strategies.
3. Given the intricacies of managing risks across complex business enterprises, organizations may need to strengthen the leadership of their risk management function. Appointing a risk champion—for example, a chief risk officer—or creating a management-level risk committee may help to ensure that all risk management processes are appropriately designed and implemented.
4. Most organisations have tremendous amounts of data that might provide insights about emerging risks. Most of these, however, have not analysed that data with a risk perspective in mind. They may need to add key risk indicators (KRIs) to management’s dashboard systems and reports.
Source: Global Risk Oversight Report
Some companies, for example, are “now dedicating time to understanding change by monitoring macro factors, regulatory issues, cyber-risk, and other data to understand how these changes may affect their organizations,” the report stated. “These companies are building processes to identify disruption, black swan events, new competitors, and other emerging risks.”
The report also noted that financial executives are continually moving toward aligning risk with strategy and performance. “This shift begins with focusing more on business objectives and the risk surrounding the achievement of those goals, and on aligning with the overall execution in performance, with accountability structures and plans,” the report stated.
Integrating risk management processes with strategic planning is still an area in need of improvement, however. According to the ERM Initiative report, fewer than 20 percent of EU, U.K., and U.S. companies believe their risk management processes are providing a unique competitive advantage. Only half of respondents in all regions indicate that they “mostly” or “extensively” consider risk exposures when evaluating new strategic initiatives.
The overall gap between the complexity of today’s risk environment and the risk processes in place come at a time when boards are placing more pressure on management to enhance their risk oversight. In the United States, audit committees are the ones pushing most aggressively for senior executives to be more involved in risk oversight, which contrasts with the other regions of the world where the greatest amount of pressure is coming from boards or chief executives, the ERM Initiative report stated.
The ERM Initiative report also found that, among U.S. companies, boards are more likely to delegate risk oversight to the audit committee, whereas boards of non-U.S. companies are more likely to delegate it to a board risk committee. In addition to pressure coming from audit committees and boards, regulators around the world are also calling for enhanced risk oversight.
In most regions of the world, too, boards of directors formally direct risk oversight. This response was given by 71 percent of respondents in Asia and Australasia; 59 percent in Africa and the Middle East; and 53 percent in Europe and the United Kingdom, as well as the United States.
The ERM Initiative report also found that more companies have risk committees than chief risk officers. About one-third of companies have appointed a chief risk officer, whereas more than half—except respondents in Europe and the United Kingdom—have risk committees.
Numerous barriers appear to impede the progress of ERM practices. Outside the United States, most respondents feel that they don’t have sufficient resources to invest in ERM, whereas many respondents of U.S. companies feel that ERM takes a back seat to other priorities.
A lack of perceived value from enterprise risk oversight also impedes progress. This lack of value is most prominent in Africa and the Middle East (41 percent), followed by the United States (37 percent); Europe and the U.K. (34 percent); and Asia and Australasia (27 percent).
The ERM Initiative report concludes, “The more that executives recognize how robust risk insight increases the organization’s ability to be agile and resilient, the greater progress they can make in expanding their risk oversight infrastructure.”