You already know the bad news. From catastrophic oil spills to financial market meltdowns, the past few years haven’t been kind to the risk professional.
But there is, in fact, some good news out there. According to new research—the Accenture 2011 Global Risk Management Study—organizations today are putting more comprehensive risk management programs in place, with the intent of moving beyond a reactive approach to risk to one that can fuel business growth in a smarter, more controlled fashion.
To overcome the organizational silos that have hampered visibility across the business, sometimes letting small problems become big ones, companies are focusing on the integration of risk data and management across functions. In response to past governance inadequacies and risk management’s traditionally low profile and lack of influence, companies are increasingly establishing C-level risk executives, often with a direct reporting relationship to the CEO and with more direct involvement in decision-making processes. And in the face of an increasingly complex business and operational environment for which many companies have been woefully unprepared, they are improving the sophistication of the systems they use to measure and analyze risk.
Most important, our global research has found evidence of the more effective execution of advanced risk management capabilities among a subset of companies participating in the Accenture survey. We call these companies, roughly 10 percent of all respondents, “Risk Masters.”
These companies are protecting themselves better in the short term by taking a longer-term perspective. They see the risk management function as a proactive enabler of investment opportunities. They are significantly more likely to consider risk management something that creates shareholder value, and they are especially adept at creating processes and mechanisms that link risk to business performance. The Masters are making clear that there is untapped business value in getting risk management right.
From reactive to proactive
A great many challenges lie ahead for all companies, of course. The types of risks companies are exposed to, as well as the severity of those risks, are growing. Fraud and financial crime, along with regulatory, operational and reputational risk, are on the rise, as are emerging risks such as terrorism, for which there is little to no historical precedent. Meanwhile, organizational silos and outdated information systems prevent many enterprises from adequately sharing information that could mitigate risks more effectively. And cost pressures continue unabated, requiring effective management in terms of both cost of operations and investment decisions.
But our research strongly suggests that meeting these challenges requires companies to use their risk management capabilities in a more holistic manner and to transform risk management from a reactive protector to a proactive enabler.
To say that risk management is more important today than it was two years ago—when we conducted the previous Accenture Risk Management survey—might be stating the obvious. But it is the widespread nature of this urgency, within and also beyond the financial services industry, that is particularly notable from the research findings.
Ninety-eight percent of all companies surveyed note that risk management is a higher priority now than it was two years ago, and 60 percent indicate it is so “to a great extent.” Those feeling special urgency were, of course, from the financial services industry, with banking, capital markets and insurance firms weighing in at around 70 percent. Resources companies checked in at 61 percent, and a number of other industries, including consumer goods, healthcare and telecommunications, were not far behind, at 53 percent.
The survey also reveals a problem, however: Although risk management has become a higher priority, companies are acutely aware that the performance of the risk management function lags behind actual business requirements and expectations in several key areas.
For example, while 93 percent of respondents indicate that the risk organization is important as a driver of sustained future profitability, only 76 percent say their risk organization is effectively playing that role. Executives recognize the importance of risk management to, for instance, managing a company’s public reputation and gaining positive comments from analysts, but the gaps between expectations and performance in those two areas are 8 and 11 percentage points, respectively. Perhaps most notably, while 85 percent see that risk management can help achieve competitive advantage, just 72 percent say they have achieved that goal.
There are a number of reasons that risk management groups fail to fulfill their potential. One previously noted: Organizational silos prevent many companies from having sufficient visibility to coordinate risk management across different parts of the organization. Fifteen percent to 24 percent of survey respondents note that their risk management approach is not integrated across most types of risk, and that silos remain. Between 40 percent and 50 percent say that the management of major risks is only “somewhat” integrated within the larger organization.
One of the companies we studied as part of our research, for example, retains an organizational structure in which risk management refers primarily to actions taken to minimize risk within a particular function or process. Therefore, no integrated, companywide view is available. The company sees this as a significant gap and is now taking action to help balance the considerations of risk and opportunity in a more holistic manner.
Tools and capabilities
Ultimately, an integrated approach depends on the ability to share, analyze and understand both internal and external data. So another important imperative is for companies to put in place the data architectures, analytical tools and information sharing capabilities that underpin any integrated approach to risk management.
Many risk executives are aware of this investment need. When survey respondents were asked what enhancements in particular their companies intended to invest in, the top answers included data quality, management and architecture, as well as analytics and risk modeling.
More effective organizational structures and governance systems are essential if this integration challenge is to be addressed successfully. Banks, of course, are particularly concerned about developing better integration.
At one bank participating in our research study, the risk area is linked to the credit, controllership and asset operations leadership as well as, ultimately, the company’s board of directors. The governance structure starts with a supervisory board focused specifically on risk, but then extends to the internal audit function as well as other governing groups, including planning, security management, strategy and risk management.
Each of these areas has a direct interest in the bank’s risk management capability, and the work is brought together and integrated through committees that, as part of the Risk Management Board, oversee three areas of concern: operational risk, credit risk liquidity and market risk. These committees report to the Global Risk Committee. This structure enables the bank to have centralized management while responding to regulators’ demands that each area of the bank retain individual responsibility for risk management as well.
In spite of significant investments in risk management structures and technologies, companies remain vulnerable to a host of business, operational and regulatory risks. Given the changing landscape, many companies are learning from the insights and experience of others.
In our analysis of the survey data, as well as conversations with a variety of risk executives, we captured several of these insights to help organizations move toward risk mastery. Although there is no single path toward mastery, these insights can help ensure that the risk management function is proactive and capable of anticipating threats to the business, while simultaneously providing guidance to entrepreneurial executives looking toward a new wave of growth.
Mastery Capability No. 1: Raise the bar on risk management as a driver of shareholder value
Almost two-thirds (64 percent) of Risk Masters indicate that their risk management capabilities provide competitive advantage to “a great extent,” compared with only 42 percent of the peer set (see chart). Masters are also more likely to identify risk as a higher priority.
Risk Masters are especially attuned to the risk management function as a source of specific benefits. For example, almost three in every four Risk Masters consider the risk organization critical to reducing operational, credit and market losses, compared with only a third of non-Risk Masters—a significant difference.
Sixty-seven percent of Risk Masters believe that the risk management function drives sustained future profitability, while only 46 percent of peers agree. Fifty-seven percent of Risk Masters say their risk capabilities have helped them manage the increasing volatility of the economic and financial environment, compared with only 25 percent of non-Risk Masters.
In short, the Risk Masters acknowledge risk management as a key priority for their companies, and they plan and invest accordingly. As the chief risk officer for one global energy company put it, “A high-quality and efficient risk management function is among the top strategic goals of the company, ranking second only to growth and profitability.”
Mastery Capability No. 2: Involve the risk organization in key decision-making processes
Companies that participated in this year’s Risk Management Study were far more likely than those in the 2009 report to involve the risk management function in major business decisions.
For example, half (50 percent) of respondents say their risk organization is involved in the strategic planning process “to a great extent.” A significant rise can be seen in risk management’s involvement in budgeting and forecasting, up from 33 percent in 2009 to 45 percent today. When it comes to setting objectives and incentives, the risk organization is now involved to a great extent at 39 percent of responding companies, compared with only 27 percent in 2009.
Large gaps exist between Risk Masters and non-Risk Masters in the extent to which risk management is involved in several key decision processes. For example, 79 percent of Risk Masters say their risk function is involved to a great extent in strategic planning, while only 46 percent of the peer set say this is so.
By involving the risk function in key business decisions, companies can link risk and profitability objectives, improve strategic capital decisions and increase shareholder returns. To a great extent, the visibility of risk management at the highest levels of an organization is what enables risk management to become a proactive force for guiding the business toward new opportunities.
Mastery Capability No. 3: Improve the sophistication of measurement and modeling
Many of the ongoing risk exposures companies face are rooted in a failure to adequately measure, model and analyze a broader array of risk types. Too often, the risk management function is slow and manual in its approach, wasting valuable time and effort on collecting, consolidating and aligning multiple data sources as opposed to having the time to effectively leverage information enabling more complete analysis and the evaluation of future risk scenarios.
Risk Masters, by contrast, are also masters of measurement. Much higher proportions of Risk Masters currently measure a fuller spetrum of risk types. For example, 90 percent of Risk Masters measure strategic risks, compared with just 63 percent of peers; 95 percent measure business risks, while only 70 percent of non-Risk Masters do so.
Risk Masters also have a significantly higher commitment to analytics and risk modeling. Sixty-four percent of Risk Masters are instituting analytics and modeling programs to enhance the effectiveness of their risk organization, compared with just 47 percent of non-Risk Masters.
As the global risk manager for one European manufacturer noted in a research interview, “Risk key performance indicators and specific, focused risk analyses are now more often included in investment and strategic decisions.”
“Our continuous improvement of risk tools and processes helps us maintain a high level of risk awareness and alignment with the business,” observed another risk executive. “But the tools and processes also release employees from basic number crunching and enable them to use their capabilities for deeper analysis.”
Mastery Capability No. 4: Integrate risk management capabilities across the organization
Among the striking gaps between the performance of Risk Masters and their peers are those that appear in the area of risk integration. Across all types of risk, Risk Masters excel at integration in comparison to peers (see chart).
As the CRO of a global reinsurance company put it, “An integrated vision of risks is absolutely necessary, not only in terms of consolidation of risks at the entity level but also across entities, per business line. Our risk management approach is integrated: Risk is clearly taken into account in the process for making key decisions, because the risk management function is always associated with that process.”
Mastery Capability No. 5: Establish a dedicated risk executive with oversight and visibility across the business
One way Risk Masters separate themselves from the pack is by having a highly placed risk executive—one with not only broad oversight but also with broad visibility and influence and backed by a dedicated risk management organization. This can ensure that risk and performance management are better aligned with the company’s strategic business priorities. Having a seat at the table can mean there will be a strong advocate at the top for an effective, sustained risk management culture.
Risk Masters are more likely to concentrate risk management in the hands of a chief risk officer and, by 81 percent to 62 percent, more likely than their peers to have a risk executive with the actual CRO title. This suggests that Risk Masters more readily acknowledge the importance of having a C-level risk executive as an influential part of top management.
However, it is the reporting relationship—and the inclusion of the head risk executive in setting and executing the broader business strategy—that is ultimately more important than the title itself. Risk Masters are more likely to have their risk executive report directly to the CEO (91 percent versus 78 percent for non-Risk Masters).
Mastery Capability No. 6: Infuse risk awareness across the organizational culture
One of the critical points to remember about risk management is that people are fallible, especially in the face of the growing complexity of business. Consequently, one of the key factors that distinguishes Risk Masters from their peers is their commitment to creating and infusing an awareness of risk exposure and the means to mitigate risks—as well as more detailed tacit knowledge and training—across the corporate culture. Sixty-two percent of Risk Masters say they have achieved a strong risk culture in the organization, compared with only 30 percent of non-Risk Masters.
In every industry, people and skills are critical components in achieving risk mastery. One CRO we spoke to placed the challenge of the people dimension on the same level as increased regulatory risk and the challenge of organizational integration. The company has lost a number of critical risk management personnel, and the executive faces the challenge of replacing the knowledge held by those people. In a market where demand for risk management skills remains high, it is important that companies build these capabilities in a broader population and have up-to-date plans to fill key positions promptly when they are vacated.
Risk Masters emphasize the importance of making risk management part of everyone’s daily responsibilities. In a company with a pervasive risk culture, people at all levels instinctively look for risks and consider their impacts when making decisions and performing their tasks.
Mastery Capability No. 7: Invest in continuous improvement
A final performance gap between Risk Masters and their peers can be found in the area of future investments in risk management, and in the goals of those investments. Across the board, Risk Masters were more likely to have improvement plans in place.
For example, 67 percent of Risk Masters are currently undertaking plans to improve the integration of their risk and finance processes, compared with 47 percent of their peers. Sixty-four percent of Risk Masters are at work on better analytics and risk modeling capabilities, while only 47 percent of non-Risk Masters have such plans.
In general, the data appears conclusive: Those that do not invest in risk mastery at the proper level or that do so only tactically, without an overall risk management vision in place, will struggle to outperform peers who do.
As the Accenture 2011 Global Risk Management Study makes clear, risk management is now becoming, for leading companies, a critical lever for supporting growth and future profitability. Companies that are able to master a range of integrated elements—involving risk management in key decision-making processes, putting leadership with board-level visibility in place, and infusing risk awareness across the organization—are creating the means to differentiate themselves from the competition.
The Risk Masters have set a very high bar: They are looking beyond reactive, compliance-oriented mindsets and are seeking, through their risk management investments, to create shareholder value and achieve sustainable long-term growth.
Sidebar | About the research
The Accenture 2011 Global Risk Management Study is based on a quantitative survey of executives from 397 companies across 10 industries. All respondents were C-level executives involved in risk management decisions at their companies; organizations were split primarily among Europe, North America, Latin America and Asia Pacific. Different-sized companies were also represented: About half of the companies have annual revenues of more than $5 billion; one-fourth have revenues between $1 billion and $5 billion; the remaining quarter have revenues between $500 million and $1 billion. In addition to the quantitative survey, in-depth interviews were conducted with a number of executives whose views are represented in the research findings.
For further reading
“It’s all about balance,” Outlook, June 2010
To review the full 2011 Global Risk Management Research findings, please visit www.accenture.com/globalriskmanagementresearch2011.
About the author
Steve Culp is the global lead of Accenture Risk Management. He has been with the company for 20 years, during which time he has delivered finance solutions across industries, including projects to deliver finance strategy, enterprise performance management and large-scale finance solutions using shared services and outsourcing. Previously, Mr. Culp headed Accenture’s European Finance & Performance Management service line and served as the global lead for that group’s finance and risk consulting services to financial services clients. He is based in London.