Ernst & Young | 2009
Protecting and enabling performance: albeit painful, progress ultimately results from crisis. The current downturn is causing companies to challenge their risk management processes and ask how they can further improve their risk management efforts.
Against this backdrop, we conducted a survey to provide a snapshot of the current risk environment and to understand organizational attitudes toward enterprise risk management. We were also interested in understanding how recent events have impacted approaches to risk management and organizations’ abilities to identify and manage different types of risk. Never has there been a more critical time to define a path forward for the “future of risk”.
We believe that the recent economic challenges were, in part, more difficult to predict and manage due to the increasing complexity of risk management processes. Over the past few decades, the number of risk management functions has grown to the point where most large companies have seven or more separate risk functions — not counting their independent financial auditor.
As the number of risk functions increases, coordination becomes more difficult
This has created inefficiencies and resulted in a degree of fatigue on the business. As the number of risk functions increases, coordination becomes more difficult and often results in coverage gaps and overlapping responsibilities. The demands and various reporting requirements placed on the business by these risk functions can become significant and burdensome. The number of risk functions and the various communications from these functions can be a challenge for executives and the board of directors to manage and understand.
As complexity has increased, so has company spending on risk management. Based on a previous survey we conducted last year of Fortune 1000 companies, we estimate that the average company spends about 4% of revenue on risk management activities. We believe the answer to these challenges can be found by carefully considering how to balance risk, cost and value across the enterprise.
Considering the events of the past 12 months, it is not surprising that 96% of our recent survey respondents believe that their risk management programs could be improved. Furthermore, only 1% of companies intend to reduce their risk management resources. Given the current cost-conscious mentality, the fact that nearly all companies want to improve their risk management efforts and intend to maintain or increase their current levels of investment underscores the growing awareness of the value of sound risk management.
Moreover, 46% agreed that committing more resources to risk management would help to create a competitive advantage. Clearly, organizations recognize the importance of risk management. Leading organizations acknowledge that risk management is more than simply protecting existing assets; it is also about enabling performance to create future value.
However, the reality is that most risk functions will be asked to do more with the same or limited additional resources. There is a strong drive to improve risk coverage through better use of existing resources and to deliver more value from their respective functions.
The challenge for most organizations will be to find increased efficiencies in the way their risk management functions operate
The challenge for most organizations will be to find increased efficiencies in the way their risk management functions operate and define the improvements that create the greatest value. We believe the answer to these challenges can be found by carefully considering how best to balance risk, cost and value across the enterprise. Companies that effectively address this challenge are more likely to outperform their competitors.
Risk management has grown increasingly complex over the years, prompting organizations to increase the size, magnitude and reach of their risk management functions. However, an increase in risk management activities does not always correlate to more effective risk management. Recent events have revealed this vulnerability and provided a much needed “wake-up call.”
Many organizations had committed significant resources and investment in risk management but had not worked to connect their processes. Kingdoms or silos were developed, but the levels of interaction, shared reporting, data exchange and coordination was minimal.
While there has been a maturing of risk management, there is still considerable opportunity for improvement. Organizations need to constantly challenge their approach to risk management. This is especially true now, when risk functions are being asked to do more with the same — or limited additional — resources. More than ever, organizations need to rethink their approach to risk management in order to balance risk, cost and value. Our research shows the most commonly identified areas for improvement are:
- Improving the risk assessment approach to better anticipate, identify and understand risks.
- Aligning risk management focus with business objectives to drive greater value and focus on the risks most likely to affect the business.
- Enhancing coordination of risk and control groups to achieve greater efficiencies and eliminate redundancies, duplication and gaps among risk activities.
Organizations that improve their risk management activities will not only provide better protection for their businesses, but also improve their business performance, improve their decision- making and, ultimately, increase their competitive advantage.
Download: Future of risk 2009future_of_risk_rapport_2009