Economist Intelligence Unit report on the maturity of risk and compliance
Before saying too much about this report, Ascending the maturity curve: Effective management of enterprise risk and compliance, I have to make a couple of preliminary remarks:
- The report is sponsored by SAP (my employer) but the EIU has sole responsibility for the work
- I have contributed, as an interviewee, to other EIU research
I have major problems with the way that the report mixes up and thoroughly (IMHO) messes up the discussion of risk management, compliance, and GRC. But that is another blog, for another time. What I want to do here is highlight some of their findings which relate to risk management that I believe are interesting and worth thinking about. (The square brackets indicate text I would remove, and the underlining is my way of highlighting key sections.)
- Despite recognising the benefits of an integrated approach, few organisations manage risk [and compliance] activities consistently and efficiently. One reason is the apparent cost and complexity of an enterprise-wide risk [and compliance] implementation. In most organisations, risk responsibilities span a wide range of activities, from health and safety and IT security to financial reporting and credit risk exposure. This dispersal of risk responsibilities inevitably leads to a disconnected approach, with different departments setting their own policies and operating their own processes. Integrating these activities to permit an enterprise-wide view can seem like a Herculean task.
Comment: it may be Herculean, but organizations will be at high risk until they have effective, enterprise-wide risk management in place.
- Companies may be underestimating the extent of risk and compliance failures in their organisation. Just over one-third of respondents say that their organisation has suffered from one or more significant risk or compliance failures in the past three years. But this proportion is most likely owing to the fact that most respondents come from the finance function, where awareness of failures is relatively low. Among the four functions surveyed—finance, legal, risk and compliance—respondents from outside finance estimate significantly higher levels of risk and compliance failures. This suggests not only that the finance function is underestimating the level of failures, but that knowledge about risk failures is not being widely disseminated in order to improve practices and tighten policies.
Comment: this is pretty much inevitable when you have fragmented risk management, and it is ‘shaming’ for executives to admit adverse incidents.
- Risk and compliance management processes may appear to work well—until something goes wrong. Unsurprisingly, respondents who say that they have experienced failures are far less likely to consider that their risk and compliance are consistent with best practice in their industry. Respondents who have experienced failures are also more likely to admit that they do not have a consistent set of principles and policies governing business practices. In other words, companies may make the assumption that their approach is working well, until a major risk event reveals shortcomings that need to be addressed.
Comment: this is revealing. Internal audit can help through objective assessments of these processes.
- Companies may not be learning the broader lessons from risk failures. Almost three-quarters of respondents say that their organisation deals with risk failures by tightening up policies and procedures to reduce the chances of a similar mishap. But not all companies adopt this approach. The majority of risk failures take place at the business unit level, which can lead to a tendency to address issues in isolation. More than one-quarter of respondents say that they fix the problem within the unit, outside the oversight of the wider organisation and of superiors. This suggests that a significant proportion of companies are not doing enough to share risk information and learn the broader lessons from risk failures.
Comment: see earlier comments.
- High-performing companies are more likely to have a consistent risk appetite across the organisation. The survey reveals that most companies have a broad range of risk tolerances within the organisation. Sales and marketing functions have the greatest tolerance for risk, while finance and legal have the lowest. But what is more striking is the extent to which high-performing companies (those in the top 20% of their industry in terms of revenue growth) tend to be more consistent in their risk tolerance. Among that group, 48% say that their risk tolerance is consistent across functions, while just 29% of those in the lower-performing group (those in the bottom 60% of their industry) offer the same assessment.
Comment: this is a little facile. Obviously, people in some jobs have a greater desire to pursue risk than others (different risk tendencies), especially when there is greater upside (bonus) than downside (no bonus). They should not have different risk appetites, as those should be set by senior management, approved by the board, and communicated to all to observe. If that doesn’t happen, it would look like multiple risk appetites when, in truth, no risk appetite has been set and people are following their ‘best judgment’.
I will come back to the report another time to highlight sections that are more relevant to compliance or GRC, but I would appreciate your views on the relationship between risk and compliance.
For some time, I have been troubled when people talk about optimizing “risk and compliance” within an organization. I am not sure about the combination from a number of perspectives and would really appreciate your views:
- I have seen compliance officers adamantly assert that you can’t take a “risk” approach to compliance
- There is a danger of focusing on compliance risk at the expense of other forms of risk
- It seems to me that you need different experience and knowledge to be effective
- If you are talking systems, I think they are mostly different, with a fair amount of overlap, especially in policy management and communication, and maybe in monitoring
- Isn’t it more important to focus on each separately than together?
I am leaning towards the view that there is a problem with the phrase, but perhaps you can sway me one way or the other.
Question: on a scale of 0 – 10 (where 0 indicates this is wrong and 10 says it is brilliant), should we talk about managing risk and compliance?