The Evolution of Risk and Controls: Seeking Value Creation
This report, published by KPMG, highlights a growing trend among executive’s that mounting pressures arising from external pressures such as globalization and regulation make a holistic, effective ERM system necessary in today’s businesses. Senior executives increasingly wish to incorporate risk management activities in strategic planning and utilize these processes for value-creation. Boards and key stakeholders are placing greater demands on executives to show that risk and controls are making measurable, positive contributions to value creation, rather than merely serving a compliance role. Companies are responding with greater investment in risk and control functions. While most respondents indicate they are comfortable with a combination of in-house and external talent for this role, they note that more technical tools for implementation are required. The overall risk strategy must also be communicated to all silos of the business, so managers can incorporate the individual units into the business as a whole. Finally, top management recognizes that this process must be managed top down and that it takes time to implement correctly.
Increasing investment in risk strategies
Internal and external factors are contributing to a changing risk environment. Survey respondents cited the most influential internal factors as including a focus on risk and controls by senior management and the board, the drive for improved cost management and efficiency, followed by market and geographic expansion. These concerns are in the context of the need for greater focus on risks given trends related to the use of technology, outsourcing, or bringing a new product to market. Over 35 percent of respondents noted that the emergence of new business risks is influencing their focus on risk and control functions for their organizations.
Respondents found external factors such as the regulatory environment, globalization, outsourcing and reliance on technology as top influences in risk considerations. Dialogue with external stakeholders, such as analysts and shareholders, was also a significant influence. Over
50 percent of those surveyed noted that this greater focus on risk and controls is directly attributable to an increased risk focus of senior management and the board.
The survey indicates that these factors led to management changing their perspective in assessing risk management functions within their organizations. Executives want risk oversight functions to be more future-looking and value-creating. To effect these changes, they are beginning to add risk management to their strategy development processes and they are becoming more cost effective with the systems used to implement ERM processes.
Coordination between internal audit and risk managers is increasing (59% of respondents). However, the survey found chief executives were very concerned about the ability to communicate and create buy-in across all entities in the business with a holist approach. Only 31 percent say they are successful at coordinating other sources of assurance.
Collaboration to establish framework
The number one barrier cited to effect ERM implementation was limited risk awareness or risk culture in the organization. Many respondents noted a need for a risk culture to permeate the organization that encourages the consideration of risk in every business decision and promotes a proactive, versus reactive, mindset about risk management. The vision for risk oversight of chief officers and the board must permeate the culture of the financial, accounting, internal audit and quality control managerial functions.
Respondents also noted that the silo based approach employed by many organizations to manage risks often results in one activity that overrides another, ultimately degrading value. In organizations that follow a silo-based approach, many lines of defense to risk can often be better coordinated to add value. The report illustrates several successful strategies that include the following: having multiple units report to the same executive, combining entities such as internal audit and group risk, and different entities collaborating on a project to create a central risk database.
Another roadblock cited was having enough in-house talent to create and implement such a large project. They study observed that companies outsourcing at least part of the internal audit function found they could still utilize the external skills to strengthen their system, but worried about the focus of the outsourced talent on the companies’ core competencies. Again, cooperation across the entity was cited as a concern in this process.
The study suggests a response to barriers was to increase communication and awareness through training and promotion. Senior management can incorporate risk management as a cost effective tool into the business’ strategic goals. They include warnings about the dangers in promoting an excessively sensitivity to risk environment or using a one size approach.
A difference was found between financial and non financial companies in managing communication. Financial services (and other industries with inherently risky products) tended towards a top-down approach that gave general guidelines for individual units to broadly interpret. Several non financial approaches were illustrated. While these have varying levels of involvement across the organization, they relied on a risk management strategy dictated by top management.
Innovation in risk management
Executives indicated they want to have high-tech, cost effective risk management systems. Many of the respondents were experiencing and planning a greater reliance on technology to address barriers. The four most widely used risk oversight advances include continuous monitoring and auditing, controls transformation, enterprise risk management, and the use of executive dashboards. Companies also expressed a wish to improve the way in which they measure and aggregate risks. While financial companies have created sophisticated metrics, technology for quantitative measurements is not available to many industries, according to the survey. The lack of in house talent was also mentioned in enhancing innovation within their risk management program.
The survey and accompanying analysis concluded that top executives are thinking more about risk management than before and beginning to implement essential programs and procedures. However, most executives are not confident an enterprise risk culture will be implemented in the next three years. They concede that an effective, holistic system will take time and resources to develop, and are watching for additional resources to make the transition smoother.
The survey
The appendix contains the questions asked of top management and responses by percentage.
Original Article Source: “The Evolution of Risk and Controls: from Score-Keeping to Strategic Partnering“, KPMG, 2007