Companies have made progress in keeping enterprise risk management top of mind, but most have yet to take all the steps necessary to identify and pursue risks that drive performance, according to EY’s 2015 global governance, risk, and compliance survey.
Of the nearly 2,000 board audit committee members, senior executives, and assurance and compliance executives who participated in the survey, 97% said their companies have made progress in linking risk management and business objectives, but only 16% considered them closely linked.
Respondents recognise the need to better identify and evaluate emerging risks and to adapt their company’s business strategy accordingly. Eighty-five per cent said opportunities exist to further improve the linkage between risk and business performance. But 77% said they evaluated their company’s risk profile annually instead of continuously, which limits their ability to adjust their business strategy to the changing risk landscape.
“Companies get all tied up in identifying the risks, assigning ownership, and getting mitigation and action plans, and they forget about the education and keeping it top of mind with the people doing the work today,” said Lynn Fountain, CPA (inactive), CGMA, a consultant and former chief audit executive who is working as a contractor at Kansas City, Missouri-based accounting firm Mayer Hoffman McCann.
Companies must find ways to embed strategic thinking so that all process owners in the company understand how and when they can take advantage of risk, Fountain said. “It has to be spread throughout the organisation.”
Also, companies should be aware of other limitations, she said. For example, territorial struggles may erupt as to who should manage a risk, which would make execution of the best plans difficult.
To better take advantage of risks worth taking, to prevent counterproductive risks, and to be prepared for external risks that are outside of the company’s control, EY recommends these six steps:
- Identify and assess risks that impact business strategy. To identify new and emerging risks, companies need to routinely evaluate their business strategies and determine the level of risk they can handle to generate value. Each identified risk should then be assessed in strategic and business planning discussions and its likelihood, potential impact, or time to realisation determined.
- Design a risk response to reduce the downside and take advantage of the upside potential. Once key risks are classified as strategic, preventable, or external, they can be aligned with the company’s risk appetite to figure out what amount of risk is acceptable. A cost-effective and efficient risk response plan helps balance the mitigation of risk with the expected benefits of the strategic programme.
- Align the functions to execute the organisation’s risk response strategy. Identify the three lines of defence to define clear ownership and accountability for risk activities. This enables a company to validate risk coverage and foster a culture in which all parties understand their role in executing the company’s risk strategy. In a sound risk culture, the tone from the middle tier of management is aligned with tone from the top tier. Governance and business models support the delivery of desired risk behaviours and enable strong accountability and effective challenge. The risk-management framework is embedded in the way the business manages risk. And employee incentives support the delivery of desired risk-management behaviours.
- Develop risk processes to facilitate better co-ordination, communication, and reporting. Risk-management policies and processes are integral to influencing behaviours, co-ordinating activities, establishing communication protocols, and facilitating risk reporting.
- Design solutions that prevent, balance, or limit risk. Design risk and control frameworks that seek to eliminate preventable risks from arising and that can be monitored and tested to deter or detect preventable risks if they arise. Companies balance and manage strategic risks through solutions such as risk modelling and analytics, which enable them to monitor risk exposure in real time and adjust the business strategy accordingly. Stress-testing, scenario planning, and war-gaming enable companies to assess the impact of outside forces on their business strategy, determine how to limit the external risks, and help bring the company back to business as usual.
- Implement technologies to effectively execute and sustain solutions. For risk prevention, optimise internal control frameworks to eliminate duplication and automate controls. Also, adopt continuous process monitoring solutions to further enhance and automate controls and to improve the second line’s and the third line’s ability to monitor internal controls. Scorecards, dashboards, and other forms of reporting, such as monitoring key risk indicators and key performance indicators, provide the board and executive management visibility into the risks that affect business strategy and the business’s risk profile.
Related CGMA Magazine content:
“4 Ways to Better Handle Enterprise Risk Oversight”: Surveys that focus on executives at small and mid-size enterprises suggest that many organisations have begun to strengthen their processes to handle emerging enterprise risks, but only one-third of the enterprise risk oversight programmes in the rest of the world are mature.
“Why Risk-Management Leaders Generate Higher Profits”: Executives and corporate directors believe business uncertainties and threats are increasing, a PwC survey suggests. The survey results explain how improved risk-management programmes can improve financial performance.
“Five Barriers Restricting Risk-Management Progress”: Only about 15% of companies see a strong link between their enterprise risk management (ERM) processes and their business strategy, according to a survey conducted by the ERM Initiative at North Carolina State University.
—Sabine Vollmer is a CGMA Magazine senior editor.