
Just how effective are risk management practices today?

Two recently-published reports shine contrasting lights on risk management practices and processes.

The first, “The RiskMinds 2009 Risk Managers’ Survey: The causes and implications of the 2008 banking crisis” from Moore, Carter, and Associates talks about failures in risk culture. The risk managers surveyed blamed the failure to see and avoid the adverse events that brought us the financial crisis on risk culture more than on risk processes. In the Executive Summary, they say:

It is hard to read the results of this survey without concluding that the 2008 banking crisis – estimated by the IMF to have cost $10 trillion – was entirely avoidable.

The most remarkable finding of the survey is that most risk professionals – on the whole a highly analytical, data rational group – believe the banking crisis was caused not so much by technical failures as by failures in organisational culture and ethics.

Most risk professionals saw the technical factors which might cause a crisis well in advance. The risks were reported but senior executives chose to prioritise sales. That they did so is put down to individual or collective greed, fuelled by remuneration practices that encouraged excessive risk taking. That they were allowed to do so is explained by inadequate oversight by non‐executives and regulators and organisational cultures which inhibited effective challenge to risk taking.

Internally, the most important area for improvement is the culture in which risk management takes place (including vision, values, management style and operating principles), starting with the adoption of remuneration policies which discourage short‐term risk taking and underpinned by the development of risk management capability among line managers and board members.

There needs to be more rigorous supervision of the effectiveness of internal risk management, including supervision of the risk management culture and ethics within firms.

Those responsible for overseeing and restraining the actions of the executive were not competent enough, not rigorous enough or not powerful enough to do so. The results of this survey identify where some of those weaknesses lie and it is clear that better and more rigorous oversight by nonexecutives and regulators is an urgent need. It is essential to ensure an adequate separation and balance of powers between the executive and the internal control functions (finance, risk, compliance, internal audit and non‐executive directors) and the authors recommend how this can be achieved.

… nothing will really change without cultural change, because the effectiveness of risk management, governance and internal controls depends heavily on the climate in which they take place. Risk culture and ethics need to be at the top of the agenda, both of boards and regulators. Contrary to the belief of some, it is perfectly possible to assess and develop culture and ethics, and the tools and methodologies for doing so should be developed urgently, where they do not exist already.

The second is the “Report on the Current State of Enterprise Risk Oversight: 2nd Edition” from Mark Beasley, Bruce Branson, and Bonnie Hancock of North Carolina State. The results here are different, with gaps identified in risk processes and risk oversight. Here are excerpts from their Key Findings section:

  • Organizations continue to experience significant operational surprises. Thirty-nine percent of respondents admit they were caught off guard by an operational surprise “Extensively” or “A Great Deal” in the last five years. Another 35% noted that they had been “Moderately” affected by an operational surprise. Together, these findings suggest that weaknesses in existing risk identification and monitoring processes may exist, given that unexpected risk events have significantly affected many organizations.
  • Ironically, 48.7% of respondents describe the sophistication of their risk oversight processes as immature to minimally mature. Forty-seven percent do not have their business functions establishing or updating assessments of risk exposures on any formal basis. Almost 70% noted that management does not report the entity’s top risk exposures to the board of directors. These trends are relatively unchanged from those noted in the 2009 report.
  • Almost 57% of our respondents have no formal enterprise-wide approach to risk oversight, as compared to 61.8% in our 2009 report with no formal ERM processes in place. Only a small number (11%) of respondents believe they have a complete formal enterprise-wide risk management process in place as compared to 9% in the 2009 report. Thus, there has been only a slight movement towards an ERM approach since our 2009 report.
  • Almost half (48%) admit that they are “Not at All Satisfied” or are “Minimally” satisfied with the nature and extent of reporting to senior executives of key risk indicators.
  • Very few (15.5%) organizations provide explicit guidelines or measures to business unit leaders on how to assess the probability or potential impact of a risk event. Despite this, 60.5% indicate that they believe risks are being effectively assessed and monitored in other ways besides ERM. This raises the potential for those organizations to have widely varying levels of risk acceptance across business units, and an increased potential for the acceptance of risks beyond an organization’s appetite for risk taking.
  • Almost half (47.6%) have provided senior executives or key business unit leaders formal training or guidance on risk management in the past two years, with an additional 30.5% providing minimal training or guidance.
  • There has been some movement towards delegating senior management leadership over risk oversight. Twenty-three percent have created a chief risk officer position, up from 17.8% in the 2009 report, and 30% have an internal risk committee that formally discusses enterprise level risks, up from 22% noted in the 2009 report.
  • Just over half (53%) of organizations surveyed currently do no formal assessments of strategic, market, or industry risks, and 51% noted that they do not maintain any risk inventories on a formal basis. Thus, almost half have no processes for assessing strategic risks. Despite that, about 43% of our respondents believe that existing risk exposures are considered “Extensively” or “A Great Deal” when evaluating possible new strategic initiatives. This raises the question of whether some organizations may be overconfident of their informal processes.
  • When boards of directors delegate risk oversight to a board level committee, most (65%) are assigning that task to the audit committee, which is somewhat higher than the 55% of boards assigning risk oversight to the audit committee noted in our 2009 report.
  • When risk oversight is assigned to the audit committee, 64% of those audit committees are focusing on financial, operational, or compliance related risks. Only 36% indicate that they also track strategic and/or emerging risks; however, this is up from the 18% in the 2009 report who said the audit committee monitors all entity risks, including strategic risks.
  • Expectations for improvements in risk oversight may be on the rise. For almost half (45%) of the organizations represented, the board of directors is asking senior executives to increase their involvement in risk oversight.

My read on these is that the practice remains highly immature. Even when organizations have invested in solid risk management processes (and these remain few), the absence of an effective risk culture and of risk oversight often undermines all the good work.

Both are critical to success. Do you agree?

  1. Dan Barahona
    April 12, 2010 at 12:20 PM

    Norman, I couldn’t agree more. However, as long as there are immense profits to be made in the short term, only the most disciplined organizations will be able to stay true to their risk-based decisions. Reminds me of the early dotcom days when I heard many investors say the market is over-valued, the valuations “don’t make any sense”, etc. And yet, most were happily investing away (myself included) for fear of being left out of the profit-making. The most brilliant of us accepted the risks, got in the market, but knew when to get out…


  2. Manuel
    April 12, 2010 at 12:44 PM

    Norman, great!
    these are really interesting points.
    Especially the cultural thing is really interesting. Do you know any further insights, e.g. theories in that field?
    Thanks for sharing.

  3. David Doney
    April 12, 2010 at 2:04 PM

    Hello Norman, helpful links and summarization here.

    The big five investment banks had leverage ratios of about 21.3 in 2003 and these increased to 30.2 in 2007, before they all imploded. One would think that firms would develop scorecards for how much risk senior management is taking and discount that against their compensation.

    No matter how good the procedural controls are, if management has massive incentives to take huge risks, they will do so. Think of a typical CEO at a bank: “If my bets pay off, I get $200 million. If they don’t, I get a golden parachute for $100 million.” Gee, what do you do? The problem is that it was a RATIONAL move to take these risks for these individuals, and that risk-taking cascades down in the organization.

    Solutions: Risk-based compensation, long-term compensation, no golden parachutes or rewards for failure, leverage restrictions mandated by the board within a given range with extremely high hurdles for exceptions (if any). We’ll have to clean house in the boardroom and put in about every major reform idea (i.e., bringing back Glass-Steagall separations, leverage restrictions, elimination of “naked” credit default swaps that allow gambling on any liability, Volcker rule prohibiting depository banks from certain trading activity, Sarbanes-Oxley like procedures for risk management, such as risk management opinions similar to ICFR opinions) etc.

  4. nmarks
    April 13, 2010 at 4:57 AM

    Risk culture is very interesting and a major aspect of effective risk management. I don’t think it is well covered by ISO 31000:2009.

    People need guidance on what to look for and how to create an effective culture – especially when the CEO is not a disciple.

    I am presenting on it tomorrow and attending other presentations today. If they go well, I will write something later and share my slides.

  5. Girma Bersisa
    April 13, 2010 at 1:14 PM

    The organization risk culture affects the micro level. When it comes to the financial sector crisis it is the responsibility of the regulatory body to protect the system from this mess. Weak regulatory risk oversight is more to blame than the risk culture for the financial crisis, as it is a system failure rather than a bank failure, I think.

  6. Mike Pryal
    April 13, 2010 at 5:33 PM

    Another related perspective on risk culture deals with the generational differences between depression era Managers whose risk tolerance is much lower than Baby Boomers. Some believe the Baby Boomer era Mgrs have not lived in and felt the downside of taking too much risk, hence the aggressive speculation that took place in the financial sector just fed on itself, all part of the organizational and generational culture.

    Hopefully a few lessons have been learned.

  7. james paterson
    April 16, 2010 at 1:44 PM

    Some great material, as usual, from Norman, and good highlights as well.
    Two comments might be usefully made:
    1) We do need to look more carefully at questions of culture/tone and behaviour; but if we abstract and generalise this too much we will miss important issues “under our noses” as risk and audit professionals – I have now been running some keynotes on “the psychology of risk” and “the psychology of being audited” and it’s clear that there is a huge need to up-skill ourselves as professionals to be able to see issues around “conformity”, “obedience to authority”, “self-justification” and “organisational defence routines”. Further we need, I believe, to step up our peer to peer practices of discussing these issues in a safe environment to understand practical action steps to take (action learning is an excellent technique I have been using with heads of audit).
    2) The gap between the theory of risk management and the reality of running a business, or even running our day to day lives, is a telling reflection on the gap we will have to close to get real risk management working. It’s telling to consider how many of us use risk registers at home, or how many audit and risk departments use them – I tried a conventional risk register for 2 years as head of audit and realised it needed to be (radically) changed to have real acceptance and impact by my team.
    Interested in others’ views and anyone interested in hearing more about these issues (without obligation) at: paterson-james3@sky.com

  8. April 20, 2010 at 2:30 AM

    Nice info. We have to pay a lot of attention to risk management practices.

  9. April 23, 2010 at 7:45 AM

    The problem with ISO31000 is that it refers to a system. A Regulator, by its definition, is there to exercise external control to keep the system operating within defined parameters. The problem at the heart of the banking crisis was partly a failure of regulation by not devising & monitoring the correct KRIs but was primarily due to decision-makers at all levels of the banks (driven by the tone at the top) to focus on short term profits without due regard to the cumulative effect of these on the long-term objective of safeguarding the assets of the company.
    I devised the following definition of Risk Management that might drive better behaviours because ultimately it is the people with the authority to take the decisions who can choose to ignore or overly discount the risks and inflate the benefits.
    “The culture, processes and structures that are directed towards realising potential opportunities whilst managing adverse effects with the goal of achieving sustained benefit within each activity and across the portfolio of all activities.”
