NU Online News Service, Jan. 20, 2:53 p.m. EST
Even though enterprise risk management is seen as a growing need for organizations globally, companies are still struggling to implement the practice enterprise-wide, according to an industry study.
A new survey by Zurich, “Risk Management in a Time of Global Uncertainty,” conducted in collaboration with Harvard Business Review Analytic Services (HBRAS), finds that while global companies are intensifying their focus on enterprise risk management (ERM) in the wake of the 2008 financial crisis and recession, most corporate leaders believe their companies have a long way to go in building an effective, risk-aware culture.
“We found that concern about risk management has been growing in organizations over the last three years,” Angelia Herrin, editor for special projects and research for Harvard Business Review says in a webinar.
The study found that more than two-thirds of 1,419 business executives say risk management has become somewhat or significantly more important over the past three years.
Natural disasters and recession fears were at the top of a list of concerns when the survey was taken, during June and July 2011.
Broken down, study results found that recovery from the recession was a greater concern in North America than in other parts of the world, says Herrin. In Europe, she adds, the top concern was diseases and pandemics.
When companies were asked how good they believe they are at managing their risks, “We were a little surprised at the results, to be honest,” she says. “We found that about 39 percent believed their companies were ‘really proactive’ in risk management.”
Thirty-seven percent say they were “reactive” and 24 percent described themselves as “basic,” she notes, adding that “only one in 10 told us they believe their executive management was highly effective in creating a strong, risk-aware culture.”
She points out that companies are, however, beginning to make changes. The study finds that to improve the process, companies are:
- Restructuring the lines of responsibility and reporting.
- Deepening and extending the links between risk management and overall company strategy.
- Deepening board involvement in risk management oversight.
When asked who owns risk management, she says a trend is the rise of the chief risk officer. “Clearly the responsibility still lies at the top with the chief executive officer, but there has been real growth in the CRO role.”
This was particularly true in those companies that considered themselves to be proactive, she says.
Herrin observes that board level commitment to risk management also is increasing. According to the survey, 36 percent report the level as “moderate but increasing,” 25 percent say it is “high.”
Board level responsibility is found to be higher in Europe, she says, at 41 percent; whereas in North American companies, only 17 percent say the board is responsible.
Asked about the payoff of their risk management programs, the “best practices” group mentioned improvement in their overall strategic abilities, which led to improved strategic decisions, improved governance and increased management accountability, she says.
An interesting quote pertaining to this, she says, was “You know when you’re really getting good at risk management, when the company does its risk assessment at the project kickoff rather than at the end.”
Mike Kerner, CEO of Zurich Global Corporate North America, says the study points out the “three lines of defense” in risk management: line management, risk management and audit. It also recognizes the need for tremendous support from the board and senior management “in order to have an effective ERM process.”
He adds, “There is an old adage that when multiple people are responsible for something, effectively no one is responsible.” The survey points out the need for “very clear roles and responsibilities by all the parties involved in the risk management process, to make sure that complex risks can be understood and be covered,” he adds.
The study found that only 1-in-10 respondents believe their executive management is “highly effective” at creating a “strong risk-aware culture.” Only 40 percent of respondents considered their approach to ERM to be “proactive,” with an integrated process that involves the board and business and functional leaders at all levels of the organization.
Over the past decade, and increasingly since the financial crisis, companies in many industries are either instituting ERM processes for the first time or improving existing processes.
Today, for example, 42 percent of companies with 10,000 or more employees report that they have a chief risk officer, compared with only 11 percent three years ago. Yet companies with best practices in ERM continue to be concentrated in a few sectors that have traditionally been strong in this area: financial services, health care, and energy.
Convincing business unit leaders that ERM is relevant to their business can be difficult if the process threatens to overcomplicate their jobs, an executive with risk management responsibility at a U.S. manufacturer warns in the report.
Balancing this concern is a more widespread consciousness of the benefits of ERM. Between one-third and one-half of respondents to the study cite five key business benefits:
- Increased risk mitigation
- Better ability to identify and manage risks
- Better strategic decision making
- Improved governance
- Increased management accountability
A successful ERM process breaks down barriers to communication and sharing of best practices across the organization, executives said in follow-up interviews.