Eight risk management imperatives for the C-Suite in 2013
Given the need to operate in complex regulatory and compliance environments, and navigate new markets, risk management remains at the top of the global corporate agenda.
Investors increasingly expect organizations to have sophisticated risk management practices, yet challenges are building faster than most can manage. We are at an inflection point – warranting even stronger capabilities to master risk.
In December 2012, the Economist Intelligence Unit (EIU) conducted a global survey, sponsored by KPMG International, of more than 1,000 C-Suite executives to explore how effectively companies are integrating a holistic governance, risk and compliance framework throughout their enterprises[1].
This article explores the survey’s principal findings, which identified eight key themes:
- Return on investment
- Assessing risk exposures
- Articulating risk appetites
- Greatest threats
- Three lines of defense
- Barriers to convergence
- Weak incentive structures
- Investments in risk management
Return on investment
Risk management makes a key contribution to the business; however, organizations need to improve how they measure risk management’s return on investment, and how they communicate processes, value and effectiveness to key stakeholders.
Almost half (47%) of C-Suite executives indicated risk management is essential for adding value to the overall business. However, organizations employ varying methods of measuring return on investment from risk management – and 28% have no measure at all. Less than half (44%) believe their organization is effective at developing investors’ understanding of the risk program.
Organizations can establish greater shareholder value from their risk management efforts through more effective measurement and communication.
Assess risk exposures
Executives continue to struggle with assessing enterprise-wide risk exposures.
Since the onset of the financial crisis, most industries have improved their systems for aggregating risk data. Still, one in five organizations does not have a risk aggregation process.
Technology was identified as an important enabler of successful risk management integration across the organization. About three-quarters of executives surveyed view technology as a key risk management tool. Respondents see technology challenges as a smaller obstacle to risk management data collection and analysis compared to difficulties in understanding complex risk exposures.
Articulate risk appetite
The C-Suite regards risk management as critically important, but few organizations are articulating their risk appetite. An overwhelming majority (86%) of respondents said risk management considerations are to some degree factored into strategic planning decisions. More sophisticated organizations regularly include risk considerations when making strategic decisions.
Yet only one in five (19%) said their organization has fully developed and implemented a risk appetite statement. Organizations must develop creative tools for making decisions around risk, such as building risk appetite measures and statements.
Greatest threats
Regulatory pressure and changes in the regulatory environment pose the greatest threat; global economic and political instability is seen as the highest risk scenario.
In the wake of the global economic meltdown, regulators were given a mandate to consider how the actions of companies affect markets worldwide. C-Suite executives are acutely aware that instability in one part of the world can have a profound impact on their businesses.
Regulatory pressure and changes in the regulatory environment ranked highest, with 46% of respondents indicating that this risk issue poses the greatest threat. The global economic crisis/geopolitical instability was cited as the top risk scenario confronting almost every industry.
Three lines of defense
Interestingly, respondents believe business units are more adept at assessing and managing risk than risk management departments, compliance and internal audit.
Survey respondents rate their organizations highly on their ability to identify, assess and manage risks in the context of the ‘three lines of defense’ of enterprise risk management.
The first line of defense (business units) is considered strongest in identifying, assessing and managing risk. The second line (risk management function and compliance) and third line (internal audit) should be equally adept, but were considered weaker.
Cross-training between the three lines of defense regarding risk management processes and methods can support the identification, prioritization, measurement and reporting of risks.
Barriers to convergence
Lack of human resources and expertise impedes convergence of risk and control functions. More than 50% of respondents said that the strongest reason for combining risk and control functions is to reduce exposure to risk.
Respondents identified barriers to the convergence of risk and control functions as a lack of human resources and expertise, complexity of the process, and the existence of more important priorities. Notably, lack of financial resources was cited as the least significant barrier.
Weak incentive structures
Weak incentive structures impede risk-based decision-making. Respondents admit they do a less-than-stellar job of motivating business line managers to adopt effective risk-based decision-making.
The absence of a compensation structure that rewards a focus on risk management also is seen as an important weakness. Fewer than half of the executives rate the link between risk management and compensation for business-line employees as “strong,” and 22% say there is no link.
Investment in risk management
Spending to enhance risk management will continue to increase over the next three years. In today’s increasingly complex business environment, most companies are investing in risk management. Sixty-five percent of respondents indicated the share of revenues invested in risk management is higher today than three years ago, and a similar number of respondents (66%) expect an increase over the next three years.
Conclusion
Managing risk amid stagnating global economies and heightened regulatory pressure has created formidable challenges for the C-Suite.
Despite improvements driven by executives, investors will continue to expect a greater level of sophistication in risk management.
In order to meet this challenge, organizations must enhance their risk management capabilities to address the key issues identified in this survey. Responding to market demands in the areas of governance, risk, and compliance will require increased executive involvement and leadership.
Dave Warren, CA is a Senior Manager, and Rob Brouwer, FCA is Canadian Managing Partner, Clients and Markets, for KPMG LLP in Canada.