Bits and pieces of GRC-related information
I have a few tidbits I want to share today. The first and last are from the Corporate Governance Alliance Digest.
But first, bits that paint an alarming picture for those of us who are enthusiasts (and evangelists) for risk management:
- The Digest quotes from the Bank for International Settlements: “As of October 2010, effective implementation by banks of principles ‘ensuring that remuneration is effectively aligned with risk and performance … an essential element for reducing incentives that may arise from the design of remuneration schemes and that can lead to excessive risk taking… has not been achieved.’”
This is astonishing. What will it take for banks to “get it”?
- I attended a conference in Seattle recently at which representatives from IBM discussed their recently completed ERM study. Two statistics are critical to understand:
  - 70% of the companies responding failed to identify even half of the adverse risk events that affected their organization in 2009
  - Even among those that did identify them, 70% failed to adequately assess the impact
  - Only 57% of organizations are spending more time considering risk
This does not make a pretty picture.
- Bob Hirth, a good friend and an executive with Protiviti, was recently interviewed by BoardMember. While Bob shared some wisdom (and it’s worth a read), one question from the periodical is alarming. The interviewer started with this sentence: “The board’s responsibility to manage and oversee risks is often just too overwhelming for directors to get their arms around.”
My belief is that acceptance and understanding of the critical nature of risk management will be driven by boards. Maybe it will be slow. But, it is alarming if boards feel that oversight of risks is too much work, more than they can handle.
What do you make of these, when you consider them together? I am reminded of the steps alcoholics have to take (and some companies are addicted to risks) – they start with recognition that you have a problem.
Do companies and their boards recognize they have a problem? If not, what will it take?
Finally, a bit about BP:
- The Digest quotes from the October 18th issue of the Financial Times: “Bonuses for the fourth quarter for BP staff will be based solely on how employees perform in terms of safety and risk management, Bob Dudley, the UK oil group’s new chief executive, has told staff. The move will affect all of the company’s employees around the world … the fourth quarter’s performance would be measured ‘solely according to each business’s progress in reducing operational risks and achieving excellent safety and compliance standards’.”
Management is sending a clear message about the importance of safety. Are they going too far? What do you think? Will they focus on operational risks at the expense of strategic risks, compliance, and performance?