A fall 2008 survey of over 550 organizations sheds insights about to risk exposures facing many organizations and their relative preparedness. There is also a discussion of several key business topics including identifying, assessing, measuring, and managing risk; board oversight and involvement; and risk management departments and functions.
Top Ten Risks
Economic slowdown moved up seven spots on the list to the number one concern facing companies today. The economic slowdown impacts risk management by creating pressure to deliver results with fewer resources. Companies need to remain committed to established, effective risk management strategies and avoid ignoring risk control efforts in order to reduce costs as they are essential to long-term cost mitigation.
Regulatory and Legislative Changes
Regulatory and legislative changes moved up four places to the number two risk in 2009. These risks involve a company’s inability to comply with current, changing, or new regulations, which can hinder the ability to effectively conduct business and achieve objectives. The volume, complexity, and frequency with which regulations change can make it difficult for companies to keep up but compliance is important as non-compliance can lead to market and reputation losses.
Business interruption risks dropped one spot to the number three risk identified. The largest challenge for companies in overcoming this risk is lack of knowledge. To prepare, companies should identify, assess, evaluate, and prioritize threats, examining risk exposures created by interdependencies. Mitigation strategies may include insurance, contingency planning, and outsourcing.
Increased Competition Risk
Competition risk is ranked fourth and is a new entry to the list for 2009. Managing competition risk requires a high-level, enterprise-wide approach that takes steps such as identifying and understanding new marketplace competitors, taking note of regulatory changes, and being aware of economic trends. Competition risk should be a key focus for boards and senior management.
Commodity Price Risk
Commodity price risk was ranked fifth and was also a new entry to the list for 2009. These prices are a sizeable risk to many companies due to the dramatic price volatility commodities can experience. It is essential for companies to find an appropriate balance between long-term contracts and spot purchases and diligently manage this balance as conditions change.
Reputation risk dropped from number one to the sixth highest risk. Reputation risk is a major concern because the public’s perception of the quality, integrity, and intention of an organization can significantly impact the organization. To manage reputation risk, companies should locate existing risks and understand their impact on reputation and create an early warning system to identify or prevent potential problems as well as a communications and contingency plan.
Cash Flow/Liquidity Risk
Cash flow and liquidity risks are ranked seventh and are new to the 2009 list. Cash flow and liquidity are key components in a company’s overall business risk profile, so their management is important, especially given the recent turmoil in global credit and banking markets.
Supply Chain Management
Supply chain management risk was ranked eighth, falling four places. Companies can manage this risk using targeted risk assessments and supply chain mapping to identify and prioritize risks and this information can be used to develop risk quantification models. Proactively designing resilient supply chains is a key risk management strategy available.
Third Party Liability
Third party liability was ranked ninth, falling six places. Third party liability is a significant risk for businesses with the trend towards increased frequency and severity of lawsuits suggesting shareholders, investors, and consumers may seek compensation rather than accepting market losses. There are also significant third party liability concerns regarding directors and officers.
Failure to attract or retain top talent fell three places to the tenth highest risk in 2009. Companies today need to have a talent management plan specific to the organization that drives key business objectives. Effective change management and communications are also important, developing a compelling business case for change and engaging employees in constant two-way feedback.
Risk Preparedness for the Top Ten Risks
Overall risk preparedness increased from 60 to 70 percent over the last two years. Preparedness is defined as having a plan in place that addresses a given risk or a formal review of that risk. Organizations may be more prepared due to a continuing focus on risk identification, quantification, and analysis, and managing risk on an enterprise-wide basis, which were reported as the number one and two business activity priorities respectively. Companies are least prepared for those risks that are more complex and difficult to control such as damage to reputation (58%), economic downturn (60%), and regulatory and legislative changes (65%).
Losses Associated with Top Ten Risks
The risks with the greatest number of related losses in the past year are economic slowdown (57%), commodity price risk (57%), third party liability (40%), and increasing competition (39%). It is interesting to note that 77% of respondents indicated they had a plan in place or had undertaken a formal review of commodity price risk, yet 57% were still unable to avoid a loss.
Identifying, Assessing, Measuring and Managing Risk
Organizations’ total cost of risk is comprised of risk transfer costs, risk retention costs, and external and internal risk management costs. Respondents indicated that lowering their total cost of risk is the top benefit of investing in risk management (69%), with the second greatest benefit being an ability to make more informed decisions on risk taking and risk retention (67%). However, while 92% measure risk transfer costs, only 44% measure internal risk management costs, indicating that only 44% can be tracking their total cost of risk, a decrease of 14% from 2007. Larger organizations and those with formal risk management departments are more likely to measure their total cost of risk than smaller companies and those without risk departments.
The most common way companies identify major risks is using senior management’s intuition and experience (40%), followed by more systematic approaches such as business unit risk registers or key risk indicator worksheets (28%). Only 18% of organizations use board-level discussions and analysis to identify key risks, but this has increased from 7% in 2007. The method used most frequently for assessing major risks is split between intuition and experience and business unit quantitative analysis. Only 12% of respondents report using board-level analysis, although this has increased 50% since 2007. Larger organizations and those with formal risk management departments are more likely to assess risks using quantitative and board-level analyses, while smaller companies without risk management departments are more likely to rely on management intuition and experience.
Board Oversight and Involvement
Risk is a top priority for board-level agendas and 76% of respondents indicated their board committees have established or partially established policies on risk oversight and management. Smaller companies and those without a risk department are less likely to have board-established policies than larger companies and those with risk departments. There is some board-level involvement in the current approach to risk management at 89% of companies, with annual board reviews and approvals being the most popular approach followed by the board considering specific business risks. Companies with revenues of less than $1 billion are twice as likely to not have some board-level involvement in their current approach to risk management.
Risk Management Department and Function
Respondents indicate their planned prioritization of risk management activities over the next two years will remain consistent with current efforts. While risk management departments’ sizes vary considerably by industry and organization size, most companies are experiencing a contraction in risk management departments. This drives reliance on third parties with 71%, an increase from 2007, using independent consultants for project work and ongoing consultation.
Companies that do not have a chief risk officer (CRO) are generally not looking to fill this role (62%), although 10% indicate they are considering creating a CRO position. Even in companies without CROs, someone is managing risk. Seventy-eight percent have formal risk management or insurance departments and 43% of those without a department report this function is handled by the CFO. Most respondents with risk management departments (62%) indicate this function reports to the CFO, finance, or treasury.
Respondents indicated the most important factor in choice of insurers is financial stability and rating, followed by value for the money. Changes companies are looking for in the insurance market include more flexibility and the ability of insurers to recognize and reward internal risk management through lower premiums and broader cover. There is also discussion regarding the use of risk financing, global insurance programs, and captive insurance vehicles.