Companies are showing improvement in risk management—but they're not quite there yet.

As recent problems at Walmart and JPMorgan indicate, companies still have more work to do on refining risk-management systems. And those high-profile cases have pushed companies to redouble their efforts.

One of the top things companies are doing is to focus more on strategic risks than just operational ones, says Steve Strammello, managing partner for risk consulting at accounting firm Crowe Horwath. “We're also now seeing individual departments coming together to look at cross-functional risks,” he says. “That's a relatively new phenomenon that we've been seeing over the last couple of years.”

Rather than just having risk committees at the board level, “we're seeing more and more ad-hoc committees that perform cross functions,” Strammello adds.

A recent study by research firm Lexakos buoys the assertion that companies are threading risk-management systems into the fiber of the organization. According to the survey, respondents say they are adding representatives from several functions to their risk teams or committees. The most prominent functions included the chief financial officer (38 percent); general counsel (37 percent); and chief executive officer (31 percent). Other significant functions included the chief risk officer (24 percent); chief operating officer (20 percent); and internal audit executive (19 percent).

Developing a common language about risks within the company and standardizing risk-management processes not only makes it easier to track and monitor risks, but it's “the first big step toward creating a simpler framework for the board to understand,” says Rick Wolf, founder and CEO of Lexakos.

Some companies trail way behind, however, on building out risk management. According to the survey, which polled 185 compliance, legal, and risk executives, 38 percent said their organizations have no risk committee.

Other companies have not expanded risk committees outside the board. When asked whether the organization's risk-management committee has an executive component, 69 percent said it did not.

Many companies still appear split, however, on whether to create a chief risk officer role. Nearly half of the companies surveyed said they have no such specific function, with financial services firms far more likely than non-financial companies to employ a dedicated chief risk officer.

According to the Lexakos survey, 85 percent said they have a risk-management function. More often than not, however, this means the chief executive or chief financial officer is the one saddled with risk management—if not a compliance, legal, or audit executive. At 35 percent of companies who responded to the survey, the risk-management function reports directly to the CEO, and 28 percent report to the CFO. By comparison, 23 percent of respondents said their risk functions report to the general counsel. Of those risk-management functions, 76 percent are centralized and 24 percent are decentralized.

The Lexakos study also found that many companies are not putting the necessary resources into building the risk-management system. In fact, 43 percent of respondents said the 2012 strategic plan does not include risk management among budget priorities. The study found that companies are allocating money on a risk-by-risk basis, rather than spending a lump amount on risk management, in general.


Some risk experts say that too many companies implemented a cursory risk-management program just to satisfy regulatory requirements, but have not invested the time and resources to make it more functional. That check-the-box mentality will start to diminish as the risks that companies face grow more complex, says Sally Bernstein, a principal at PwC. “The role will start to evolve into somebody who can take a more operational view versus just a strict legal view or a pure audit view,” she says.

The company needs “a champion to spearhead the risk-management function in the organization, and that's likely to be where the chief risk officer comes in,” says Wolf.

Strategic Planning

The good news is that more companies are using sophisticated tools to focus their risk-management efforts. In preparing their strategic plans and budgets for this year, 64 percent of respondents said they conducted a risk assessment to evaluate and prioritize risk areas of focus. Sixty-five percent said their strategic plan includes risk remediation.

Yet, some companies may be “remediating risks prior to understanding all the priorities and budgeting to address the most critical areas first,” says Wolf.

“It looks like there is not a lot of discipline in the way companies have gone about it,” Wolf adds. The correct approach is to appraise the cost of mitigating those risks, he says.

Dashboards, such as heat maps, are helpful for identifying a company's top risk areas and helping management figure out where to allocate resources, but according to the survey, many are still lacking in this area. Nearly two-thirds of respondents said they do not use dashboards to track and report on risks.

Making the leap from identifying a company's risks to providing information to the board that they can actually act upon, however, is “one of the challenges that organizations are facing,” says Bernstein. While a heat map has its benefits, “if you can't do something with the data, then it's not that helpful,” she says.

The Lexakos study found that companies are also focusing risk management on data and technology. Forty-eight percent said privacy is a critical risk for their organizations, and 44 percent cited losses from internal and external security breaches. Business continuity and disaster recovery also were cited as serious threats for 43 and 42 percent of respondents, respectively.

Another finding: Boards have not let up on their intense focus on risk. Board members are becoming “more sophisticated” in understanding the organization's risks and are “demanding more forward-looking information,” says Strammello. And they are asking better questions of management, he says, such as: “What risk trends are low in priority today but may be moving up the ladder? What are we doing to address those risks?”

Companies cited social media as an emerging risk that is getting more attention. Companies realize the need to balance access to and use of social media against the regulatory and reputational dangers. “This is an area where you don't want to become too risk averse,” says Henry Ristuccia, co-leader of U.S. governance and risk services for Deloitte. “You want to embrace this risk.”

DIRECT REPORTS

The following chart from Lexakos shows the direct reporting line at respondents' companies (chart not reproduced here):

Source: Lexakos.

Deciding which risks to focus on is becoming an increasingly difficult task. Trying to come up with every possible risk that an organization could face is impossible, says Bernstein. “You'll never think of every risk,” and boards don't want to hear about every risk anyway, she says. Bernstein recommends that companies find six to twelve key risks that are repeatable and measurable to present to the board, “because then you can actually respond to issues in a very productive way.”

“Companies can identify what their risks are pretty well,” agrees Wolf. “The challenging part is assessing the magnitude and priority of the risk,” he says. “Making the approach management is taking to mitigate risk understandable for the board is really the key.”

Most companies (80 percent) said they give periodic reports to their board. And among those who audit and monitor their risk-management program, 44 percent said they do it “quarterly,” while 37 percent said they do so annually. Seventeen percent said they do not audit or monitor their risks at all.

Many companies still struggle with enterprise risk management in the sense that they get bogged down with a single process, “instead of thinking of it as a multi-layered process,” says Bernstein. In addition to identifying key risks, it's also about establishing controls, and strategizing where certain risks bring value.

“At the end of the day,” says Bernstein, “good risk management is good business management.”