Accenture’s 2013 Global Risk Management Study starts with a great subtitle: “Risk management for an era of greater uncertainty.” I love this play on words: we live in uncertain times, and risk management is all about addressing the uncertainty between us and our objectives (as the esteemed Felix Kloman says, risk management helps us “pierce the fog of uncertainty”).
As ISO 31000 tells us, risk is the effect of uncertainty on objectives.
While the results of the Accenture study should be taken with at least a grain of salt because 25 percent of the respondents were CROs (22 percent were Compliance Officers, 25 percent CFOs and just 20 percent CEOs), they are encouraging.
The Good News for Risk Management
Let me share the good news before moving to the key point they missed.
The vast majority (98 percent) of surveyed respondents report an increase in the perceived importance of risk management at their organization. One phrase that resonated with us was 'Action is not optional.' That is seen as true both for the broader organization and for the risk management function."
At one time, risk management in many organizations could be described by some as 'the department that says no.' Today we would characterize risk management more as 'the department that enables execution.'"
We see risk management as being much more integrated and connected, playing a much larger role in decision-making across the organization -- particularly in budgeting, investment/disinvestment and strategy."
Survey respondents see risk management as enabling growth and innovation. In order to survive -- and certainly to grow -- every company should strive to innovate and move its business forward. Simply pushing forward without understanding and mitigating the risks ahead could ultimately lead to disaster in some form. To enable growth and innovation, effective and integrated risk management capabilities should be implemented early and throughout the process. And these capabilities are scarce -- both within the companies we talked to in this research and also in the market at large. So risk management capabilities should be prioritized and focused on the things that matter to move the needle for the organization.”
In addition, Accenture reports that “High-performance risk management organizations are taking a focused approach to embed analytics into their management processes.” I see this as essential, that risk management functions use analytics to understand changes in the internal and external environment reflecting current and potential changes in risk levels.
I will leave you to read the report in full, paying special attention to the section on “What Sets Risk Masters Apart?”
What Did the Report Miss?
Whether you like the COSO ERM Framework or, like me, the ISO 31000:2009 global risk management standard, both state that risk management is part of decision-making and that a mature organization has the management of risk as an integral part of organizational processes.
A continuing focus on what is essentially the building of a silo of risk management -- which is what Accenture advocates when they trumpet the existence of a senior executive as CRO -- will not make the management of risk an integral part of organizational processes.
A continuing focus on risk management as a separate activity with staff and leadership fails to recognize that every manager, executive and board member needs to be a practicing manager of risk.
It’s not enough to say that the CEO owns the organization’s risks when she is not encouraged to act as risk owner. Instead, she is repeatedly encouraged to delegate the management of risk to a CRO.
What I believe is necessary, and is missing from the report, is for the expert in risk management to teach the rest of the organization how to include risk and uncertainty as an integral and essential part of the strategy setting, decision making and performance management processes.
The Chief Risk Officer should become the Chief Risk Learning Officer, training, coaching and mentoring all the decision makers to be risk officers.
But how many have taken on that task? How many hold classes in risk management essentials? How many coach strategy officers and CFOs on how to embed the consideration of risk into their activities?
How many measure their effectiveness by the number of executives who no longer need their help?
I welcome your comments and perspectives.
Editor's Note: Read more of Norman's thoughts on risk management in Qualifying a Director as a Risk Expert