Two new reports show improvement in and value from risk management

December 10, 2013

Accenture (Risk management for an era of greater uncertainty) and Aon (Risk maturity insight report) have published new and interesting reports on the practice of risk management.

The Aon report is based on a maturity model (see table below) that I think is interesting. It differs a little from the one I developed. It includes these key requirements for the top level: “process is dynamic and able to adapt to changing risk and varying business cycles; explicit consideration of risk and risk management in management decisions”. I prefer the language of the top level requirements in my model: “Risk discussion is embedded in strategic planning, capital allocation, and other processes and in daily decision-making. Early warning system to notify board and management to risks above established thresholds”.

Aon assesses maturity based on ten characteristics, broken down into 40 specific components. I think it would be useful for any organization to participate in the Aon study and assess where its risk management stands, especially compared to where it wants it to be.

This is useful information for risk officers, senior executives, and the board. I think using a maturity model to assess and report on risk management is an excellent approach for internal auditors. It provides useful information without punishing risk officers who are still working to implement and upgrade the maturity of their program.

Maturity Level: Description

  • Initial/Lacking: Component and associated activities are very limited in scope and may be implemented on an ad-hoc basis to address specific risks
  • Basic: Limited capabilities to identify, assess, manage and monitor risks
  • Defined: Sufficient capabilities to identify, measure, manage, report and monitor major risks; policies and techniques are defined and utilized (perhaps inconsistently) across the organization
  • Operational: Consistent ability to identify, measure, manage, report and monitor risks; consistent application of policies and techniques across the organization
  • Advanced: Well-developed ability to identify, measure, manage and monitor risks across the organization; process is dynamic and able to adapt to changing risk and varying business cycles; explicit consideration of risk and risk management in management decisions

In their study of 361 publicly traded companies, Aon found that 3.3% were in Initial/Lacking, just 0.7% were in Advanced, and the majority (56%) were at or around Defined. 30.6% were above Defined and 50.6% were below.

Aon found a correlation between the maturity of risk management and the performance of their stock, based on an analysis of market data between March 2012 and March 2013. Comparing organizations with the highest (Advanced) maturity rating to those with the lowest (Initial/Lacking):

  • Share price grew 18% vs. a drop of 10%
  • Share price volatility was 38% lower
  • Return on equity was 37% compared to negative 11%

They also reported that “Our initial findings indicate a direct relationship between higher levels of Risk Maturity and the relative resilience of an organization’s stock price in response to significant risk events to the financial markets.”

This, I suggest, is useful information to share with executives and the board on the value of mature risk management.

You might reference an older report by Ernst & Young that had similar results, Managing Risk for Better Performance.

The Accenture report was based on a survey of 450 individuals, described in one place as “global risk professionals,” and in another as “C-level executives involved in risk management decisions.” The breakdown shows that 25% are CROs, 20% CEOs, 25% CFOs, and 22% are Chief Compliance Officers.

Here are some excerpts:

“The vast majority (98%) of surveyed respondents report an increase in the perceived importance of risk management at their organization. One phrase that resonated with us was “Action is not optional”. That is seen as true both for the broader organization and for the risk management function.”

“At one time, risk management in many organizations could be described by some as “the department that says no”. Today we would characterize risk management more as “the department that enables execution”.”

“The proportion of surveyed organizations having a CRO, either with or without the formal title, has risen from 78% in 2011 to a near-universal 96% in 2013.”

“We see risk management as being much more integrated and connected, playing a much larger role in decision-making across the organization—particularly in budgeting, investment/disinvestment, and strategy.”

“Survey respondents see risk management as enabling growth and innovation. In order to survive—and certainly to grow—every company should strive to innovate and move its business forward. Simply pushing forward without understanding and mitigating the risks ahead could ultimately lead to disaster in some form. To enable growth and innovation, effective and integrated risk management capabilities should be implemented early and throughout the process. And these capabilities are scarce – both within the companies we talked to in this research and also in the market at large. So risk management capabilities should be prioritized and focused on the things that matter to move the needle for the organization.”

However, Accenture warns that risk management in practice is still falling short:

“There appear to be large gaps between expectations of the risk management function’s role in meeting broader goals and its perceived performance—for every organizational goal we surveyed.”

The authors include four recommendations and a detailed analysis to support their findings.

One interesting section is where they describe “Risk Masters” (they have a “Risk Mastery capability scale”, like a maturity model) and what sets them apart.

“Risk Masters include risk considerations in the decision-making process across strategy, capital planning, and performance management. Masters also better integrate their risk organization into operations, establishing risk policies based on their organization’s appetite for risk. And they delineate processes for managing risks that are communicated across the enterprise. These activities are supported by robust analytic capabilities that reinforce efficient compliance processes and provide strategic insight.”

I encourage the reading and consideration of both reports, together with a discussion of where your risk management program falls.

Are you at the maturity level you want to be? Are you taking the steps to become more mature?

Can you achieve the benefits these studies report?

I welcome your views.

  1. Ehtisham Syed
    December 10, 2013 at 9:36 AM

    Hello Norman, risk management needs to be integrated into the overall governance of an organization. For that purpose, I have developed a three stage closed loop Global SPR Framework which is the integration of strategy and risk for optimized performance. Please visit http://bootstrapspr.wordpress.com/about/ and click through the slides (4 in total) to know about the end to end processes under each of three staged close loop cycle.
