KPMG reports major problems in how risk management is understood and practiced
At the end of April, KPMG released “Risk Management: A Driver of Enterprise Value in the Emerging Environment”. It is based on a survey of board members, executives, and risk officers in Europe, the Middle East, Africa, and India. 26% were CFOs, 18% CROs, and 17% CEOs.
Now while the title gives the impression that the report is about showing how ERM adds value, the summary on the web site instead says that boards, executives, and others simply don’t yet ‘get it’ when it comes to risk management.
For example, it says:
- “More than half of the respondents believe that the full board is not accountable for risk oversight, indicating unclear risk accountability.” In the report, only a third of the respondents said that risk oversight was being treated as a full board responsibility.
- “Information sharing with the board is weak, as only half of the respondents indicated definitive processes to share information on risk management.”
- “Risk management is not fully integrated into day-to-day management decision-making.”
- “The role of the Chief Risk Officer (CRO) is not fully utilized. The CRO is often focusing on operational and process-level risks, rather than serving as a strategic business advisor to the board and CEO.”
- “Currently, risk identification concentrates on internal factors instead of external considerations.”
The report itself is full of interesting information – but pretty damning, to be honest. We have a long way to go! I am including a lot of excerpts below, but encourage you to read the report in full.
- “Risks emanating from uncertainties in the global market place and growing complexity in the value chain are cited by most as the important factors contributing to increased risks. However, doubts still linger about the extent of commitment and sponsorship for good Risk Management practices at the CEO and Board-levels.”
- Both CEOs and Board members consider Risk Management to be equally important. CEOs/business leaders would like to see more focus on reputation risk, political risk and the impact of corporate restructuring and M & A on business performance. CEOs view Risk Management through an opportunity lens whereas others view it with a “keep us out of trouble” lens.”
- “[T]here is less confidence in the Board’s ability to monitor adherence to the established appetite.”
- “Inadequate sponsorship at the top, inability to commit adequate resources and lack of adequate training in the use of Risk Management tools and techniques are proving to be impediments.”
- “Driven by regulatory requirements and demands from Boards, Audit and Risk Committees, a majority of respondents re-visit their risk profiles once a quarter. However, risk identification and assessment processes are not geared to provide an early indicator of likely risks or potential loss events that organizations could face in the future.”
- “Organizations do not fully understand interdependencies between the various risks they face”
- “Risk Managers are spending a disproportionate amount of their time on controls, compliance and monitoring activities although their real priorities lie elsewhere.”
- “A majority (63 percent) of the respondents indicate that they do not utilize a software solution for streamlining their risk monitoring and reporting activities. Respondents who do utilize such a software solution utilize it for a whole host of monitoring and reporting activities.”
The most damning comment I leave for last:
“66 percent of the respondents indicate that their Board is unable to leverage the risk information it receives to improve strategy.”
I am not sure I understand. CEOs and CFOs are smart, and board members are concerned. Are these results consistent with what you see? Why do you think there is a problem?
Leave a comment
Norman Marks on Governance, Risk Management, and Internal Audit 
Norman – When I read that paper I thought the biggest problem was that it was too slanted towards trying to sell KPMG consulting services and not based enough in reality.
Keep up the good work!
Larry
Considering every report carries a certain level of bias and reading between lines, I had a different impresion than Larry.
My take is: Unless Cxx are staring to be measured and rewarded on total corporate risk, as well as they are on Quarterly financials, the subject will still down the tubes as many other risk-reward activities.
Confirmation of this thesis is the continuous corporate failures populating daily news (and the ones we don’t know)
I am confident on Reputation management as an awareness driver to Risk Management. Perhaps, it is something far “closer” to investors and Cxx, mostly financially savvy, professionals.
@NeiraSchliemann
Norman:
•“Risk Managers are spending a disproportionate amount of their time on controls, compliance and monitoring activities although their real priorities lie elsewhere.”
WHAT? Where else should their priorities be?
I can’t speak for the authors, but believe they are talking about the risk managers helping operating management understand and navigate their way through risk. In other words, helping to identify potential risks, assess and evaluate them, then select responses from the available alternatives.
Proactive, forward-looking instead of reactive.
Looking at where you are going instead of monitoring the tire tread.
I liked the paper and thank you very much to Norman for the advisory. I feel that just when risk ought to be top of the agenda for senior management that there may be a bit of a backlash coming – just a hunch. I attended a GRC conference recently with some top CROs and Compliance officers and there were equal measures of positivity; from those extolling the wins (and thankfully a lot of the same approaches as those advocated by Norman, Michael Rasmussen and OCEG, and negatives from those whose view was that regulation is strangling the recovery in the west and that their CXOs were not positive about the work and expense. Perhaps the latter group may not do so well in the future? I would like to ask about views on the take-up of GRC initiatives in developing nations as the recent OCEG survey didn’t have too much data on this important aspect.
Neil, while I appreciate the kind words I struggle with the concept of a “GRC initiative”. GRC is a collection of processes, functions, organizations, and systems that need to work together. While it is important to understand the need for and improve harmony, the key is to implement the pieces well and make sure they work together.
So, I ask where the priorities are. What are the business problems? Do people have poor risk management, ineffective compliance, bad performance management, inadequate information, or what?
GRC helps you understand the business problems, but there is no such thing as a single GRC ‘process’ or ‘thinkgamyjig’ that needs fixing.
Fix the pieces individually and as a combination, and you will fix what we refer to as GRC.
Does that make sense?
I think the closing question in Norm’s first posting is a very important question which should be carefully considered to evaluate ERM’s approach. Why don’t CEOs and CRO’s “get it”. Is there a different approach proponents of ERM could take? I’m interested in Basel III’s approach to implement a capital charge for operational risk. This reflects the real cost to risk, as refelcted in corpoate failures. To reduce their operational risk, what approach will the financial industry take – ERM, KRI, other? What in fact will be the most effective approach? What can the internal audit profession learn from risk managers in specific industries? Observations, anyone?