The majority of companies have education and review processes in place to keep the board and the senior executives informed about their risk exposures. Key risks are communicated to the C-suite regularly at 70 percent of organizations.
More than half the organizations surveyed (56 percent) said that they have increased the resources devoted to risk-related education and training over the past three years for chief risk officer level and above, at the least.
Making these processes work requires a conduit for risk information: 75 percent cited the risk function as a channel by which information, intelligence and advice on risk reaches senior management.
However, only 17 percent of respondents described communication between the C-suite and the CRO as being comprehensive, or nearly so. More than one in four, 29 percent, expressed concern about a 'good news culture' that meant management did not receive unvarnished information on risk.
40 percent of respondents said their organisation has not yet set up a broad-based, cross-functional risk committee, despite the crucial role the risk committee plays in making sure that risk data are discussed thoroughly and passed on to the board.
The survey also found that companies have been slow to adopt risk-based incentives as part of compensation. Only 12 percent said they align risk management with executive pay.
Companies aspire to forge closer links between risk management and strategic planning. Roughly half said their risk management process is closely or very closely aligned with their overall strategy and budget. At the same time, there has been less progress in bringing the risk function's resources to bear on transformative business projects, such as mergers, acquisitions and divestments. Only 20 percent described the risk function as a tool for making more effective strategic decisions and investments.
Priority risk areas
These were the risk categories that respondents ranked as of greatest concern:
- Strategic 63%
- Financial 55%
- IT/data privacy 44%
- Legal and regulatory compliance 44%
- Brand/reputation 42%
- Market/competition 42%
- Technology 41%
- Systemic 37%
- Political/geopolitical 35%
- Workforce 33%
- Natural disasters 20%
- Terrorism/violence 10%
• Date: 23rd August 2013 • UK/Europe • Type: Article • Topic: Enterprise risk management