KPMG reports major problems in how risk management is understood and practiced
At the end of April, KPMG released “Risk Management: A Driver of Enterprise Value in the Emerging Environment”. It is based on a survey of board members, executives, and risk officers in Europe, the Middle East, Africa, and India. 26% were CFOs, 18% CROs, and 17% CEOs.
Now while the title gives the impression that the report is about showing how ERM adds value, the summary on the web site instead says that boards, executives, and others simply don’t yet ‘get it’ when it comes to risk management.
For example, it says:
- “More than half of the respondents believe that the full board is not accountable for risk oversight, indicating unclear risk accountability.” In the report, only a third of the respondents said that risk oversight was being treated as a full board responsibility.
- “Information sharing with the board is weak, as only half of the respondents indicated definitive processes to share information on risk management.”
- “Risk management is not fully integrated into day-to-day management decision-making.”
- “The role of the Chief Risk Officer (CRO) is not fully utilized. The CRO is often focusing on operational and process-level risks, rather than serving as a strategic business advisor to the board and CEO.”
- “Currently, risk identification concentrates on internal factors instead of external considerations.”
The report itself is full of interesting information – but pretty damning, to be honest. We have a long way to go! I am including a lot of excerpts below, but encourage you to read the report in full.
- “Risks emanating from uncertainties in the global market place and growing complexity in the value chain are cited by most as the important factors contributing to increased risks. However, doubts still linger about the extent of commitment and sponsorship for good Risk Management practices at the CEO and Board-levels.”
- “Both CEOs and Board members consider Risk Management to be equally important. CEOs/business leaders would like to see more focus on reputation risk, political risk and the impact of corporate restructuring and M & A on business performance. CEOs view Risk Management through an opportunity lens whereas others view it with a “keep us out of trouble” lens.”
- “[T]here is less confidence in the Board’s ability to monitor adherence to the established appetite.”
- “Inadequate sponsorship at the top, inability to commit adequate resources and lack of adequate training in the use of Risk Management tools and techniques are proving to be impediments.”
- “Driven by regulatory requirements and demands from Boards, Audit and Risk Committees, a majority of respondents re-visit their risk profiles once a quarter. However, risk identification and assessment processes are not geared to provide an early indicator of likely risks or potential loss events that organizations could face in the future.”
- “Organizations do not fully understand interdependencies between the various risks they face”
- “Risk Managers are spending a disproportionate amount of their time on controls, compliance and monitoring activities although their real priorities lie elsewhere.”
- “A majority (63 percent) of the respondents indicate that they do not utilize a software solution for streamlining their risk monitoring and reporting activities. Respondents who do utilize such a software solution utilize it for a whole host of monitoring and reporting activities.”
The most damning comment I leave for last:
“66 percent of the respondents indicate that their Board is unable to leverage the risk information it receives to improve strategy.”
I am not sure I understand. CEOs and CFOs are smart, and board members are concerned. Are these results consistent with what you see? Why do you think there is a problem?