Despite all the talk about risk management, a recent survey suggests that few companies are satisfied with their efforts, with just one out of 10 executives describing their company’s risk management programs as “highly effective.” Other results of the survey of more than 1,400 global executives, conducted by Harvard Business Review Analytical Services for Zurich Financial Services, indicate that one key to successful risk management is having a single executive, like a chief risk officer, in charge.
“Risk management needs to have an effective owner,” says Mike Kerner, CEO of Zurich Global Corporate North America. “There need to be really clear roles and responsibilities. If multiple people are responsible for something, nobody is responsible.”
According to the Zurich study, companies are more likely to do advance planning for many different types of risk if they have a chief risk officer (CRO) or other C-suite executive leading risk management than are companies with no one in charge. For example, 55% of companies with a CRO have plans in place for dealing with information security risks, vs. 39% of companies where another exec heads risk management and just 36% of those with no executive in charge. Sixty percent of companies with CROs have done business continuity planning, vs. 51% of companies with another executive in charge of risk and 47% of companies with no single executive in charge of risk.
Chief risk officers are becoming increasingly common at large companies. According to the survey, 42% of companies with 10,000 or more employees have a CRO, up from just 11% in 2008. The existence of a CRO drops to 28% among companies with 1,000 to 9,999 employees. But 26% of executives from companies of all sizes say that they put a single person in charge of risk management in the last three years.
He notes, though, that risk management can’t be solely the province of top executives, but also requires the involvement of a company’s line managers. “They see the risks more clearly, they’re more able to do something about them,” Kerner says, adding, “It’s not just enough to report up on the risk—you need to do something about it, you need to drive resources to dealing with those risks.”
When asked which risks have become more significant over the last three years, 89% of executives cited natural disasters and 60% the slow pace of the economic recovery. When it comes to strategic and people risks, 55% cited talent retention and acquisition as a risk that has grown in importance, while 50% said the reputation of the company or brand, and 49% business continuity planning.