New Deloitte survey has mixed news about risk management effectiveness

Deloitte continues to provide interesting information on risk management, the latest being Exploring Strategic Risk (the link is to a summary, which in turn includes links to an infographic with key results and the full report).

Before exploring their report, I find it interesting that people focus on so-called strategic risk – defined by Deloitte as “those that either affect or are created by business strategy decisions”. Both COSO and ISO refer to risk as the potential effect of uncertainty on objectives, so all risk – if it matters – is strategic!

My conclusion is that (a) people are not going through the necessary exercise of taking each of their strategies and objectives and identifying all risks that might affect their achievement, and (b) they are focusing instead on what might go wrong in their operations (including IT), or might create a loss in their financial portfolio.

This is supported by the principal Deloitte finding: “[only] 81% of surveyed companies now explicitly managing strategic risk – rather than limiting their focus to traditional risk areas such as operational, financial and compliance risk”.

I added “only” because while some may see this as encouraging, that 81% have upped their game, a large number, 19%, have not.

Another important finding is that only 67% say that “the CEO, board or board risk committee has oversight when it comes to managing strategic risk”. Either they are blind to risk that might derail the organization or have delegated it to somebody (such as a CRO) at a subordinate level.

This is a recipe for failure.

The third key finding is that only 13% believe their risk management processes support, at a high level, the ability to develop and execute business strategies. Another 48% believe their processes are adequate.

If this were my company, I would be very concerned!

I am encouraged that 43% are improving their ability to continuously monitor risks. I will close with this excerpt:

“It used to be that if certain risks were to happen, a company could have up to a news cycle to respond,” says Phil Maxwell, Director Enterprise Risk Management, The Coca-Cola Company. “The speed of risks is so much greater now, and as a result you have to be more prepared – faster to respond than you were in the past. That’s one of the biggest differences today versus even three or four years ago.”

I welcome your views and comments.

  1. BTech2009
    December 23, 2013 at 10:43 PM

    A professional colleague said in an accounting discussion that there should be a new type of auditor: the Internal Controls Auditor.

    I agreed with him about the substance of the function, but not about the designation title. Might it be possible for the “outsourced internal audit function” to develop to the point where a separate auditor designation is needed, perhaps now even? This would combine features of external audits and internal audits, much like public-sector comprehensive audits, but would have key differences.

    Firms employing professionals with this new auditor designation would perform compliance audits, process- and input-based financial audits (not statement audits), operational audits, IT and integrated audits, environmental audits, fraud audits, and risk management assurance more broadly, but the auditors would report functionally to the board of directors and to annual meetings of stockholders. That is, these auditor reports would have the same wide readership as external auditor reports. By definition, these auditors cannot be employed by the audited companies.

    I’m asking this because I do believe such risk management audits add more value than external auditor recommendations on internal controls during an interim audit, much more so if the audit engagements and readership are as broad as the above. I’m sure there would still be room for traditional, employee-performed internal audits, but public risk management audits for public companies might be the way to go. I also think this is another opportunity for the larger accounting firms to increase the value of their external audit services, focusing more on substantive tests of details while relying more on the control test results from the public risk management audits.
