Strategic risk is a big threat to companies compared with other risks, yet many executives say they fall short in effectively managing and mitigating such risks.
That’s the key finding of a new survey from Grant Thornton, which finds almost two-thirds of executives say strategic risk is a highly significant threat to their organizations relative to other risks around compliance, operations, and finance. At the same time, only 43 percent of executives in the survey said they effectively measure and monitor strategic risk, and only half said they effectively mitigate strategic risk.
Comprehensive risk planning needs to include a proactive view of strategic risk as a driver of business opportunity, says Warren Stippich, a partner at Grant Thornton and national leader of the GRC practice.
“Strategic risk is a high-level risk to focus on to help drive performance,” he says. “We need to make sure we are helping companies understand strategic risk drivers.”
Leaders who are successful in implementing prudent risk management approaches that add a strategic risk point of view can maintain and enhance their organization’s competitive advantage, says Stippich.
That’s also consistent with the premise of a draft revised Enterprise Risk Management framework recently revealed by COSO, the Committee of Sponsoring Organizations of the Treadway Commission. COSO reworked its ERM framework, which Stippich says many companies follow, to put more focus on strategic risk.
The survey also suggests companies still have some distance to go in moving toward higher-level, more mature governance, risk, and compliance activities. Nearly half of executives in the survey said their compliance efforts are fragmented or siloed, operating on an ad hoc basis. “This suggests a fairly unorganized approach to GRC activity in some organizations,” says Stippich. “There’s still room for coordination and collaboration amongst the various groups in GRC.”
In addition, one in five executives said they don’t rate third parties according to the risks they pose, and two in five don’t audit any of their third parties. That’s also concerning, says Stippich, suggesting some companies simply don’t have their arms around risks posed by the various relationships they have with third parties.
Only 34 percent said they are implementing data analytics or other advanced technology to carry out their GRC activities, but the survey does suggest use of data analytics is growing. For example, a smaller percentage of respondents in the 2016 survey than in the 2015 survey reported using no data analytics whatsoever, Grant Thornton says.
In its sixth annual survey, Grant Thornton heard from more than 500 executives with a mix of GRC titles, including CFOs, audit committee members, and those who serve as general counsel, says Stippich.