As regulatory and governance requirements continue to advance, often advocating more robust risk assessment practices, more organizations have implemented formal enterprise-wide risk management programs. KPMG conducted a survey of CEOs, board members, and risk practitioners across various sectors to provide insight on the challenges and potential areas for improvement in organizations’ risk management programs. The survey indicates five areas where challenges, and opportunities, may exist These include:
- More than half of the respondents believe that the full board is not accountable for risk oversight, indicating unclear risk accountability.
- Information sharing with the board is weak, as only half of the respondents indicated definitive processes to share information on risk management.
- Risk management is not fully integrated into day-to-day management decision-making.
- The role of the Chief Risk Officer (CRO) is not fully utilized. The CRO is often focusing on operational and process-level risks, rather than serving as a strategic business advisor to the board and CEO.
Risk identification and assessment
- Of the organizations surveyed, more than 80% do not consider more than a three-year horizon in risk assessments; 40% of those respondents do not look beyond a a one-year horizon.
- Risk assessment should have a long term orientation, rather than focus on short term outcomes.
- Currently, risk identification concentrates on internal factors instead of external considerations.
- Sustainability, climate change, and scenario planning are not commonly used in risk assessments.
- Almost half of survey respondents identified “lack of adequate training of risk quantification/usage of quantification tools” as a significant challenge.
- Risk responses are regularly identified based on the individual risk level with approaches developed to rely more on process-level controls, according to a majority of respondents. However, combining risks to use a portfolio-level approach and considering a broad range of approaches to risk mitigation is recommended.
- Software solutions should be adequately utilized to encompass a broad range of monitoring and reporting of risks, fully aligned to strategic objectives. A majority of respondents suggested that they do not currently utilize a software solution as such.
- Risk appetite should be clearly communicated throughout the organization and aligned with risk responsibilities and compensation.
Further, the survey lists five key imperatives to overcome the challenges identified, as summarized below:
- Separation of the risk process and content has the ability to improve the effectiveness of board risk oversight.
- Link objectives, strategies, and risks to key risk indicators in order to integrate enterprise risk management into decision making processes.
- Risk culture should be a strong focus, as it is an integral part of implementing an ERM initiative in an organization.
- Use a Chief Risk Officer to establish a common approach to risk management throughout the organization and serve as a strategic business advisor.
- Integrate governance, risk, and compliance into a single, enterprise-level effort.
Click below to download survey