It’s the new green. Enterprise risk management is a great buzzword; you can’t go far without tripping over it in one context or another. It is what people say they want, and it is what they say they’re working on. Stakeholders are demanding increased action on this front: Standard & Poor’s, for instance, now evaluates an organization’s enterprise risk management process as a factor in their credit rating analysis, and government bodies have instituted stricter regulations. Has this had an effect on how businesses look at risk? And what needs to happen to make enterprise risk management more than a buzzword?
The North Carolina University Report on the Current State of Enterprise Risk Oversight looked at over 700 different organizations to determine their positions on enterprise risk management. The findings clearly point to a need for a comprehensive strategy:
- Over 60 percent of respondents say that volume and complexity of risks have changed significantly in the last five years.
- 36 percent said they were “caught off guard” by an operational surprise.
- 50 percent say their companies have “strongly risk averse” or “risk averse” cultures.
- 44 percent had no enterprise-wide risk management process in place AND have no plans to implement one. Another 18 percent reported that they’re considering it.
- 75 percent say that key risks are discussed at management meetings on an “ad hoc basis” and about half say they are not satisfied with the “reporting of key risk indicators to senior executives” regarding top risks.
- Half say their boards of directors are calling for increased oversight from executives via audit committees. Of these committees, 19 percent monitor financial risks only, “63 percent monitor operational and compliance risks,” and only 18 percent monitor “all entity risks, including strategic risks.”
We can agree that the world has no shortage of risks for any of us. But despite this:
Forgive the deluge of numbers, but they are incredibly telling (and you can read more of the report here). Very few businesses have treated enterprise risk management as more than a trendy term, and fewer have created the position of Chief Risk Officer, a high-level executive position, to facilitate enterprise-wide processes.
Putting Enterprise Risk Management in Its Place
One fundamental shift has to happen to enable real enterprise risk management: the objectives and goals for the business, as well as the enterprise-wide risks (not just health and safety), need to drive business planning. That they most often do not is a huge stumbling block to success.
What usually happens is that business planning takes place at a high level and is undertaken by people with strategic and/or financial backgrounds. Risk management does not get invited; it is a mid-level or operations mandate, and typically the enterprise risk management team does not include planning people. But your agenda actually needs to be driven by risk information. For it to work, risk management needs to be done at a high level, as part of the planning process, and by individuals or teams that are able to influence key decision-makers (or are key decision-makers).