This is the fourth post in a series where I bring you findings, questions and insights related to Enterprise Risk Management (ERM), derived from an extensive ERM survey conducted by the AICPA in conjunction with NC State University. I highly recommend reviewing the findings, which are available in the “2023 The State of Risk Oversight: An Overview of Enterprise Risk Management Practices - 14th Edition” by AICPA and NC State University, found at https://erm.ncsu.edu/library/article/2023-risk-oversight-report-erm-ncstate-lp.
Risk Identification and Assessment capabilities among Financial Services Companies exhibit low levels of maturity and sophistication.
Risk Identification and Assessment Processes are at the heart of any Enterprise Risk Management program. As baseball great Walter Johnson (RHP – Washington Senators) once said, “You can’t hit what you can’t see.” And according to the survey, companies have a lot of work to do on the “seeing” part of Risk Management.
One of the issues that the survey uncovered is that a significant majority of Financial Services respondents said that their companies rarely, if ever, update their Risk Inventories. In the world of the 2020s, with emerging risks such as Climate Change, InsurTech adoption and GenAI, just to name a few, appearing at an accelerated rate, this is inadequate in terms of staying safe and having an early warning system that actually warns you. One can justifiably ask: “Do these companies even have a working ERM process?”
Not surprisingly, most respondents mentioned that their Risk Management processes cover the risk categories that are “top of mind” such as IT (downside risk is spectacular) and Legal / Regulatory / Compliance (whole departments usually manage these) quite well. But in a continuing theme, less than 50% say the same thing about Market, Strategic or even Operational risks, all of which can quickly strike a significant blow to the company’s fortunes.
And finally, there is the issue of actually developing and deploying risk measures and indicators that are quantifiable vs. more qualitative in nature, as the latter are more difficult to define and rate consistently, whether across business functions or across time. And here, roughly 70% of the respondents reported that they use a mostly qualitative approach (which is better than nothing) or No Formal Assessments at all (which is nothing!).
What this all points to is that Financial Services companies have work to do in terms of updating their Risk Inventories so that they capture and manage emerging risks, broadening their focus beyond the usual Risk “Categories of Interest,” and trying to quantify most risks so that they can be measured, analyzed and used to help decision-makers take action. Companies making these investments will collect Risk Management dividends for years to come.
And even more importantly, these findings indicate the simple absence of a credible risk culture or sense of risk ownership that extends beyond a handful of individuals within the organization. They are symptoms of a much bigger problem that organizations appear reluctant to address. The CEO, CFO, and CRO must take ownership of ERM and make it a corporate priority. It is always a good time to save your company.
In further posts, we will continue our discussion of the key elements needed to build your risk culture. Please share your comments, reactions, and observations so we can help you accelerate your ERM evolution.
Book a Free, 45-min. ERM Strategy Session Now!
If you’re a CRO, CEO, CFO or COO, please fill out the form below with your name, title*, email, company name, and phone number. We'll give you a call some time between 8:30 AM and 5 PM ET, Monday through Friday, to schedule the session.
*Appointments limited to Senior Managers with Risk Management Responsibility only.