Just how effective are risk management practices today?
Two recently-published reports shine contrasting lights on risk management practices and processes.
The first, “The RiskMinds 2009 Risk Managers’ Survey: The causes and implications of the 2008 banking crisis” from Moore, Carter, and Associates talks about failures in risk culture. For the failures to see and avoid the adverse events that brought us the financial crisis, the risk managers surveyed blamed risk culture more than risk processes. In the Executive Summary, they say:
It is hard to read the results of this survey without concluding that the 2008 banking crisis – estimated by the IMF to have cost $10 trillion – was entirely avoidable.
The most remarkable finding of the survey is that most risk professionals – on the whole a highly analytical, data rational group – believe the banking crisis was caused not so much by technical failures as by failures in organisational culture and ethics.
Most risk professionals saw the technical factors which might cause a crisis well in advance. The risks were reported but senior executives chose to prioritise sales. That they did so is put down to individual or collective greed, fuelled by remuneration practices that encouraged excessive risk taking. That they were allowed to do so is explained by inadequate oversight by non‐executives and regulators and organisational cultures which inhibited effective challenge to risk taking.
Internally, the most important area for improvement is the culture in which risk management takes place (including vision, values, management style and operating principles), starting with the adoption of remuneration policies which discourage short‐term risk taking and underpinned by the development of risk management capability among line managers and board members.
There needs to be more rigorous supervision of the effectiveness of internal risk management, including supervision of the risk management culture and ethics within firms.
Those responsible for overseeing and restraining the actions of the executive were not competent enough, not rigorous enough or not powerful enough to do so. The results of this survey identify where some of those weaknesses lie and it is clear that better and more rigorous oversight by nonexecutives and regulators is an urgent need. It is essential to ensure an adequate separation and balance of powers between the executive and the internal control functions (finance, risk, compliance, internal audit and non‐executive directors) and the authors recommend how this can be achieved.
… nothing will really change without cultural change, because the effectiveness of risk management, governance and internal controls depends heavily on the climate in which they take place. Risk culture and ethics need to be at the top of the agenda, both of boards and regulators. Contrary to the belief of some, it is perfectly possible to assess and develop culture and ethics, and the tools and methodologies for doing so should be developed urgently, where they do not exist already.
The second is the “Report on the Current State of Enterprise Risk Oversight: 2nd Edition” from Mark Beasley, Bruce Branson, and Bonnie Hancock of North Carolina State. The results here are different, with gaps identified in risk processes and risk oversight. Here are excerpts from their Key Findings section:
- Organizations continue to experience significant operational surprises. Thirty-nine percent of respondents admit they were caught off guard by an operational surprise “Extensively” or “A Great Deal” in the last five years. Another 35% noted that they had been “Moderately” affected by an operational surprise. Together, these findings suggest that weaknesses in existing risk identification and monitoring processes may exist, given that unexpected risk events have significantly affected many organizations.
- Ironically, 48.7% of respondents describe the sophistication of their risk oversight processes as immature to minimally mature. Forty-seven percent do not have their business functions establishing or updating assessments of risk exposures on any formal basis. Almost 70% noted that management does not report the entity’s top risk exposures to the board of directors. These trends are relatively unchanged from those noted in the 2009 report.
- Almost 57% of our respondents have no formal enterprise-wide approach to risk oversight, as compared to 61.8% in our 2009 report with no formal ERM processes in place. Only a small number (11%) of respondents believe they have a complete formal enterprise-wide risk management process in place as compared to 9% in the 2009 report. Thus, there has been only a slight movement towards an ERM approach since our 2009 report.
- Almost half (48%) admit that they are “Not at All Satisfied” or are “Minimally” satisfied with the nature and extent of reporting to senior executives of key risk indicators.
- Very few (15.5%) organizations provide explicit guidelines or measures to business unit leaders on how to assess the probability or potential impact of a risk event. Despite this, 60.5% indicate that they believe risks are being effectively assessed and monitored in other ways besides ERM. This raises the potential for those organizations to have widely varying levels of risk acceptance across business units, and an increased potential for the acceptance of risks beyond an organization’s appetite for risk taking.
- Almost half (47.6%) have provided senior executives or key business unit leaders formal training or guidance on risk management in the past two years, with an additional 30.5% providing minimal training or guidance.
- There has been some movement towards delegating senior management leadership over risk oversight. Twenty-three percent have created a chief risk officer position, up from 17.8% in the 2009 report, and 30% have an internal risk committee that formally discusses enterprise level risks, up from 22% noted in the 2009 report.
- Just over half (53%) of organizations surveyed currently do no formal assessments of strategic, market, or industry risks, and 51% noted that they do not maintain any risk inventories on a formal basis. Thus, almost half have no processes for assessing strategic risks. Despite that, about 43% of our respondents believe that existing risk exposures are considered “Extensively” or “A Great Deal” when evaluating possible new strategic initiatives. This raises the question of whether some organizations may be overconfident of their informal processes.
- When boards of directors delegate risk oversight to a board level committee, most (65%) are assigning that task to the audit committee, which is somewhat higher than the 55% of boards assigning risk oversight to the audit committee noted in our 2009 report.
- When risk oversight is assigned to the audit committee, 64% of those audit committees are focusing on financial, operational, or compliance related risks. Only 36% indicate that they also track strategic and/or emerging risks; however, this is up from the 18% in the 2009 report who said the audit committee monitors all entity risks, including strategic risks.
- Expectations for improvements in risk oversight may be on the rise. For almost half (45%) of the organizations represented, the board of directors is asking senior executives to increase their involvement in risk oversight.
My read on these is that the practice remains highly immature. Even when organizations have invested in solid risk management processes (and these remain few), the absence of an effective risk culture and of risk oversight often undermines all the good work.
Both are critical to success. Do you agree?