The global financial collapse should have sent corporate executives running to implement enterprise risk management (ERM) strategies, but so far it hasn't.
That's the conclusion of two recent reports by KPMG and the Risk Management and Insurance Management Society (RIMS) that both issue wake-up calls for corporations to revamp and strengthen ERM practices. "This is an imperative that says, in order to prevent another financial catastrophe, organizations must change the way they think about risk and consider implementing an enterprise risk management program or improve the one they already have in place," warns Joseph Restoule, RIMS president and head of risk management at NOVA Chemicals Corp.
Most companies remain out of the loop. For example, when KPMG asked 130 audit executives and board members about their ERM strategies, the consulting company found deficiencies around risk culture. Almost 60% acknowledged that their companies' employees had little or no understanding of how to assess risk.
What's more, despite repeated warnings that ERM's success depends on support from the C-suite as well as board members, one-third of the corporate executives interviewed by KPMG said that the top leaders at their organizations had no risk management training or guidance, with only 16% receiving frequent or at least annual training. That's unfortunate, says Restoule: "The key to successful ERM practices depends on certain behavioral attributes of the organization at all levels."
John Farrell, KPMG's lead partner for ERM, comes to the same conclusion. "When ERM programs miss the 'behavioral' piece of the equation, there is no foundation for critical thinking and judgment around decision-making," he says. "All executives--particularly senior management--must understand the risks facing their organization in order to help define their company's risk appetite and effectively manage risks."
The just-published RIMS report, The 2008 Financial Crisis: A Wake-up Call for Enterprise Risk Management, also blames risk management failures on an over-use of financial modeling, an over-reliance on compliance and control, the lack of understanding about risk tolerances and failure to incorporate state-of-the-art technology. Indeed, just one-fourth of the respondents to KPMG's survey said their companies apply technology to their ERM programs. Another 25% said they are considering technology purchases in this area.
Once the "tone from the top" is established, KPMG suggests aligning the process to strategic objectives to drive business value. To revamp and strengthen ERM, companies need to establish a single view of risk, with a common risk language, categories, evaluation factors and response options, and also make sure internal auditing resources are spread across the company. Programs that aren't enterprise-wide are doomed to failure, Farrell says. "When risk management is siloed without one person or team owning the process, no one has visibility to aggregate exposures and accountability for the decisions and risk interrelationship can't easily be identified," he says.