A business risk deemed critical by an organisation’s CFO might not even be on the radar of the CEO. That particular scenario may demonstrate a lack of communication in the C-suite, but it’s no hypothetical. An annual survey report on risk shows that different executives have disparate views on what risks are the most important.
That finding, among several that underscore the importance of framing discussions about enterprise risk management (ERM), comes from Executive Perspectives on Top Risks 2020, published by North Carolina State University’s ERM Initiative and consulting firm Protiviti. More than 1,000 respondents shared opinions on the top risks facing their organisations in the eighth annual survey. Regulatory scrutiny and economic concerns are in the top two spots, with economic worry returning to near the top of the list after dropping outside the top ten last year.
The concerns of finance or technology executives might not resonate with the CEO or board, the survey shows. While some officers fret about operations, CEOs in the survey are often looking outward.
Three themes from the survey results stood out to Mark Beasley, CPA, the director of the ERM Initiative at N.C. State’s Poole College of Management: the return of concern about the global economy for the coming 12 months, talent and culture risks, and technology worries. Overall, despite talk of tariffs and mixed economic signals, executives believe that the global business environment will be slightly less risky in 2020 than it was in 2019.
Respondents who express concerns related to company culture may be signalling that their organisation doesn’t promote speaking up about risks or doesn’t offer a clear path for employees to escalate a risk. Also on the culture front, some companies may be content to have a siloed or ad hoc approach to ERM.
Legacy systems, especially at larger, less nimble companies, are one of the top technology risks. “Current tech infrastructures with legacy-based platforms can make it difficult to change rapidly and compete with someone who starts out with a new technology platform,” Beasley said. “Turning that big ship of their IT infrastructure, they’re afraid, is going to be too heavy and burdensome to be able to rapidly adjust.”
Talent and technology concerns, Beasley said, can be tied together as well. Companies might have a plan for upgrading their technology, but they can’t find the right talent to work with the technology. “The concern is their organisation may not be able to attract the skill and talent needed to really take advantage of these digital technologies,” he said.
The report offers several calls to action for companies seeking to better equip themselves to manage risks.
Assess the impact of leadership and culture on the risk management process. This topic is first for a reason, Beasley said. “If this part isn’t right, nothing else is going to work from an ERM perspective,” he said, using a push/pull analogy to illustrate. If the ERM function regularly pushes information to the board and C-suite, trying to draw attention to pressing concerns, that can be a signal that ERM lacks importance. On the other hand, if risk leaders are regularly invited to share in strategic discussions, if they’re being “pulled” in for their expertise, that’s a sign of a strong ERM presence. “If an ERM leader is pushing, then it’s a critical question: ‘Why am I having to push?’” Beasley said.
Ensure the process is robust. ERM, Beasley said, is far more than having one conversation each year or each quarter. “That needs to be an ongoing, robust conversation,” he said. “Someone’s got some insights that others don’t have, and that can be helpful to everybody.” Beasley gets the sense that company management is overconfident about risk management. While many companies have a handle on their top risks and have plans in place to manage them, he maintains that none of the risks in the survey’s top ten are easy to manage. “There’s still an attitude of ‘We talk about risk all the time,’” Beasley said, and simply talking about risk is not enough in the fast-paced business environment that the 2020s will offer.
Evaluate whether the risk focus is sufficiently comprehensive. Where someone works goes a long way towards shaping how they view specific risks. If different parts of an organisation are approaching risk in different ways, this can water down overall ERM. CEOs, according to the data, believe their companies’ top risks are external. They name four macroeconomic risks among their top five. For CFOs, three of the top five risks are operational concerns. And of the top 30 risks in the report, CEOs consider only one to be “significant”. Amongst CIOs and chief technology officers, the outlook is far more dire: they label 13 of the 30 risks as having significant impact.
Clarify accountabilities for managing risks. Once companies get a handle on what their top risks are, they can sometimes let out a sigh of relief. But Beasley said the next phase of risk management is critical. “You can come up with top issues, but what are you going to do about them?” he asked. That process should start with naming specific risk owners, so that people are accountable.
Communicate an enterprise view of top risks and board risk oversight. One hindrance to effective risk management is failing to link ERM to an organisation’s strategy. Risk managers must understand the entity’s main strategic objectives, but they also must change the way they communicate about risk, Beasley said. “Part of the issue is [risk managers] are their own worst enemy,” he said. “They are using risk lingo. They talk about inherent risks, residual risks, risk tolerance, risk appetite — when the C-suite is wanting to talk about business models, business plans, strategic tactics, and performance metrics. They’re using risk lingo, and the C-suite is using strategy lingo. It’s better to say, ‘Here’s what we’re doing strategically, and here are the top risks that could affect that plan.’”
— Neil Amato (Neil.Amato@aicpa-cima.com) is an FM magazine senior editor.