Enterprise Risk Management: Call for Action
The speed of change in the global business world presents a multitude of opportunities and risks that must be navigated to lead organisations in today’s marketplace. Over the past few years, boards of directors and senior executives have sought to strengthen their risk oversight so that they are attuned to emerging issues that may impact their organisation’s strategic success.
External parties also place greater expectations on boards of directors and senior executives to be more effective at overseeing the most significant risk exposures that potentially affect their organisations’ long-term viability. These parties include government regulators, credit-rating agencies, stock exchanges and institutional investor groups. In response to these shifting expectations, many organisations are coming under pressure to implement Enterprise Risk Management (ERM) or equivalent processes to strengthen their top-down view of the portfolio of risks most likely to impact the enterprise’s strategic success. The findings from a recent report released by the association of Chartered Global Management Accountants (CGMA), the 2017 Global Risk Oversight Report, shed more light on this. The report describes the current state of ERM practices in four regions around the globe: Europe and the United Kingdom, Asia, Africa and the Middle East, and the United States of America. Because business climates differ from region to region, the resulting expectations for enhanced risk oversight also differ.
Some key findings from this new study indicate that organisations around the world face a similar volume and complexity of risks – no region is uniquely different in that perception. Views about the volume and complexities of risks are generally similar in all four regions. The organisations in Africa & the Middle East, however, perceive risk complexities to be higher than their peers in other regions.
Risk management practices range in maturity across the globe. The lowest penetration of enterprise risk management (ERM) processes in organisations was found to be in Africa & the Middle East.
The survey further showed that most organisations struggle to integrate their risk management processes with strategic planning. Despite the fact that most strategies may be impacted by a number of risks, only about 50% of respondents around the world indicate that they “mostly” or “extensively” consider risk exposures when evaluating new strategic initiatives.
For many organisations, risk oversight and strategic planning efforts appear to be separate activities. A common problem is a disconnect between enterprise risk oversight and strategy execution. Solving this requires executive buy-in and an understanding that risk management processes provide strategic competitive advantage. Perhaps the relative immaturity of risk management processes in some organisations makes the consideration of risk in the context of strategic decisions informal and ad hoc. This in turn limits the ability of the risk management function to contribute significant insights to the organisation’s strategic planning and execution activities.
The problems facing organisations in most emerging markets, Nigeria included, might appear to be a lack of detailed risk oversight infrastructure. Few are known to maintain or update risk inventories/registers and to have formal risk management policy statements. Some organisations wrongly combine the risk, audit and compliance functions, and rely more on internal management-level risk committees as opposed to chief risk officers.
The findings in the report have given rise to a number of calls to action. The complexities in today’s business environment mean risk management is unlikely to get easier. The effect is that organisations are faced with increasing threats from economic and geo-political volatility, technological advances leading to increased cyber-attacks, climate change and financial instability. This means the risk environment and potential for significant operational surprises are imminent. Approaches to risk oversight may be insufficient to deal with the rapidly changing risks that are likely to occur. The current state of ERM adoption remains relatively immature, with some organisations yet to have “complete formal enterprise-wide risk management process and frameworks in place”.
Using the risk maturity scale developed by the UK Institute of Risk Management (IRM), every organisation can be classified according to its risk maturity. The scale starts at the lowest level, described as “basic”; the next level up is “reactive”, then “proactive”, and finally the highest level, “optimised”. The key objective of the IRM risk maturity model and training roadmap is to enhance current risk management processes and assist organisations to move from the “basic/reactive” levels toward the more “proactive/optimised” levels.
Given the intricacies of managing risks across complex business enterprises, organisations need to strengthen the leadership of their risk management function. Appointing a risk champion (for example, a chief risk officer) or creating a management-level risk committee helps, but more will be required to ensure that risk management processes are appropriately designed and implemented. Risk management must be embedded as a culture throughout the organisation.
There is a need for increased senior executive involvement in risk oversight, suggesting that the status quo is no longer acceptable. Boards need to assume formal responsibility for overseeing management’s risk oversight processes through board committees. The level of immaturity and low robustness of enterprise risk oversight is attributable to several perceived barriers which may be restricting progress in strengthening the overall approach. Sufficient resources to ensure the process is effective can be a challenge for organisations in emerging markets.
There needs to be effort around communication and education to help articulate the value of investing in better enterprise risk oversight for strategic success. There is also the need to focus on integrating risk oversight with strategic planning and value-creating efforts to address some of the findings reported earlier. The more that executives recognise how robust risk insight increases the organisation’s ability to be agile and resilient, the greater will be the progress in expanding risk oversight infrastructure in general. Overall, more work remains to be done.