Two years ago, no one had ever heard of Arab Spring or could have ever imagined a series of nuclear power plant meltdowns sparked by a devastating tsunami. Nor could anyone have foreseen how these events would impact global operations.
These were unprecedented and rapidly shifting environments that demanded organizations to reassess their exposure to political and security risks and how they are to be managed.
According to new research from Accenture, these events, along with the 2008 financial crisis, are pushing crisis management up the corporate agenda, making it competitive advantage. It is also one that is being integrated in strategic planning as a means for more proactive decision making.
Chris Thompson, a senior executive in Accenture's finance and performance management wing, sat down this week with Business Finance to discuss why risk management is gaining increased board visibility, why companies struggle to institute successful programs and what key components best prepare organizations to manage global risk.
Business Finance: It's been two years since the last global risk management study by Accenture. Tell us about the context surrounding this latest one and what you aimed to discover.
Chris Thompson: We suspected that attitudes had changed toward risk management, so we set out and surveyed 400 executives, all C-level, on a global scale, across all industries. We thought that risk management would be more of a priority and wanted to see if we could prove that out.
Two years ago, the business community was actually in a state of shock, fresh off the global economic crisis meltdown. Risk management looked a lot more like crisis management than as a forward-looking enterprise risk management and we wanted to see how that had changed.
There was also quite a large gap at that time between risk management and alignment of the business agenda. What we found was a lot of progress and a lot of gaps still. But today, overwhelmingly, risk management is growing and executives believe that risk management is going to be a source of competitive advantage.
BF: What has changed about companies' views and approaches on enterprise risk management?
CT: Well, we found that nearly all of the respondents reported that risk management is a higher priority for their company today than it was two years ago. Eighty percent, in fact, said that risk management is a key management function within their organization and that they've got an enterprise risk management program either in place today or they're building one over the next two years. We also found that 50 percent of companies have got a chief risk officer in place. That's up from 33 percent in 2009, which is a big increase.
However, it wasn't all good news. Twenty-five percent of the companies surveyed said they're still not measuring key risks that they think are important. Twenty-five percent said that their risk management capabilities are not integrated, so they're still measuring risks in a very separate siloed fashion, and they don't have a comprehensive way to bring those risks together and make enterprise risk management decisions for the company as a whole.
BF: What are some of the common themes you've found as far as with those companies that still struggle to implement a successful program?
CT: I think that the biggest inhibitor is the complexity. These are not small companies. The majority of companies we targeted were large, complex organizations. You can't just simply solve how operational risk is managed or supply chain risk or credit risk within one silo. You want to understand your aggregate exposure to that dimension whether it's individual entities that you've got credit exposure to, whether it's geographies that you've got exposure to or whether it's supply chain. If you're using that same supply chain in 15 different parts of your business, you've got to aggregate that risk. And it's the complexity of that, collecting that data, being able to analyze it from disparate parts of your business. It becomes an information challenge of gathering the right information and being able to make those risk decisions that companies struggle with.
BF: What have been some of the main drivers of that increased interest in company-wide risk management?
CT: I think the initial catalyst was the downturn in 2008. But it's also the significant volatility we've seen too. We've seen the disruptions to the supply chain that we've had through natural disasters like the volcano in Iceland and what's happening in Japan. We've seen supply chains getting longer. We've seen lots more functions being moved offshore. I think managing that complex business environment has driven the need for more sophisticated risk management.
If you want to be able to take advantage of those types of business opportunities, if you want to get into new products in this ever more complex world, then you've got to be able to manage the risk associated with that or you're not going to be competitive against your peers.
BF: How is risk management factored into a company's objective to grow revenues and boost profitability?
CT: Based on what we're seeing, quite a bit. Forty-nine percent of the people we've surveyed said that risk management had a critical role to profitability for their company.
I think we've always seen companies managing risk when they make business decisions. You have to. There's risk in all decisions we make. But so often it's based on senior management making gut-based decisions rather than making that based on hard data that's been collected and analyzed, where the trends have been viewed over a good period of time.
I think the people that do that best in the future will collect that data. They'll have that integrated into the way that their executives make business decisions. They'll have it part of the training of all of their employees. There's some work to be done, but I think the expectation is there—that risk management is a key part of growing the company's revenue and future profitability.
BF: What are some of the key components you've seen from best-in-class organizations in their successful risk management programs?
CT: Well, most importantly, it's a tone from the top of the house. If risk management is important, then it's going to be part of the fabric of the company. We can call that a risk culture. But, as we've seen in some industries, financial services springs to mind, the revenue producers can take control and risk management can be pushed to the side if it's not critically part of a company's DNA.
You need to gather a lot of information; otherwise it becomes an art and not a science. You need to have analytics built on top of that. I think it's critical that you have a function that looks at emerging risks for the company. It's very easy for risk management to be the function that looks in the rearview mirror and tries to prevent companies from repeating the mistakes of the past. That's important; it never looks good if you repeat the mistakes of the past, but risk management has to be a forward-looking function as well.
And finally, you need to make sure that everybody in your company understands their role in risk management and has gone through the appropriate training, whether it's simple things like looking for insider fraud or wastes and abuse of the company's assets all the way up to their role in taking risk into account in business decisions, planning and budgeting.