KPMG Warns That Expectations of Risk Management Are Outpacing Capabilities

Norman Marks, CRMA, CPA, was a chief audit executive and chief risk officer at major global corporations for more than 20 years. The views expressed in this blog are his personal views and may not represent those of The IIA.


The warnings in KPMG’s latest report, subtitled “Top Eight Risk Management Imperatives for the C-Suite in 2013,” are important:

“A surge in complexity and uncertainty surrounding organizations as they search for innovative ways to expand into new markets, face off against increasing competition and push the envelope on technology. Yet these challenges are building faster than most organizations’ abilities to manage with agility, knowledge and a resilient risk-aware culture. Thus, the gap is widening and we are at a turning point — warranting an even stronger capability to master and optimize risk. Stakeholder expectations on an organization’s risk management sophistication continue to grow, yet capabilities are not keeping pace.”

The authors discuss eight findings from a survey of C-suite executives from around the world (no, there is no list of imperatives; we must assume that the imperatives they refer to are the actions to address their eight findings).

I agree with some, but not all, of KPMG’s observations. In the discussion below, I have highlighted what I consider to be the imperatives for the C-suite. By the way, ignore KPMG’s misuse of the term “GRC.” They refer to GRC a few times, but they are only talking about risk management.

These are their eight, with my comments on each:

  1. Risk management is viewed as making a key contribution to the business; however, organizations need to improve how they measure risk management’s return on investment and how they communicate its processes, value, and effectiveness to key stakeholders.

It is encouraging that respondents felt that risk management was making a contribution. However, the majority of respondents don’t even have an annual “bottoms-up” risk assessment process, let alone one that identifies top-down the more significant risks to the enterprise.

The comment about measuring risk management’s ROI is, in my opinion, foolish. Risk management involves assessing what might happen; how does that create tangible value that is measurable in terms of ROI? The value of risk management is that it enables organizations to make better decisions and take the right risks.

  2. Executives continue to struggle with assessing enterprisewide risk exposures.

KPMG does not provide a lot of detail on this critical area. While they talk about an annual “bottoms-up” assessment, they fail to even refer to the need for a more continuous process that identifies and assesses risks to objectives.

You can link this observation to other studies that report that 90% or so of organizations are relying on MS Excel for risk management. While they say they are highly dissatisfied, they have been unable to justify moving to a robust enterprise risk management solution, such as SAP’s Risk Management or similar solutions from smaller vendors.

If we are talking about risk management imperatives, I don’t see how you can have an effective risk management capability without software. CEOs and CFOs should ensure that the necessary funds are available.

  3. The C-suite sees risk management as critically important but few organizations are articulating their risk appetite.

We need to look deeper than this statement or the brief discussion by KPMG. While some say that “risk appetite” is a flawed concept, even though it is a requirement of multiple regulators, there is a key point and imperative here.

How do we expect decision-makers across the enterprise to make quality decisions and take the right risks when top management and the board do not make their expectations clear? Whether you call them risk appetite statements or risk criteria (my preference), every decision-maker needs to know what is desirable and what is acceptable. When KPMG states that 40% have a risk appetite statement but it has not been communicated, you have to shake your head.

It is essential that CEOs ensure that every decision-maker has the appropriate guidance to help them make quality risk-aware decisions and take the right risks.

  4. Regulatory pressure and changes in the regulatory environment are the issues posing the greatest threat to respondents; global economic and political instability is seen as the greatest risk scenario threat.

Yet another survey of “top risks.” The #1 risk in my opinion is an ineffective risk management capability! Without one, you are essentially driving the corporate highway with a blindfold on.

  5. Respondents believe business units are more adept than risk management departments, compliance, and internal audit in assessing and managing risk.

The survey reported a high level of confidence (75%+) that business units are effective in identifying, assessing, and managing risk. But, people in the risk management (74%) and internal audit (67%) teams are marginally less effective. Why is that a problem? I find it encouraging that business unit leaders are that good at considering risk in their daily decisions — although I don’t believe the numbers. That is where risk should be owned and managed, with advice, counsel, and assurance from the 2nd and 3rd lines of defense.

  6. Lack of human resources/expertise impedes convergence of risk and control functions.

Thank goodness! I see no need, other than using internal audit knowledge and leadership, for risk and control functions to be fully integrated.

  7. Weak incentive structures impede risk-based decision-making.

KPMG would like to see managers and executives have a portion of their compensation tied to risk management. The authors come close to getting this right when they talk about “effective risk-based decision making.” As I said earlier, the value of risk management is that it enables decision-makers across the enterprise to make better quality, risk-informed decisions and take the right risks. Those decisions drive performance, and that is and should be the basis for every manager’s compensation. KPMG does not help us determine how we distinguish when decisions are made using risk information and when they are not.

I don’t see this as a major imperative.

  8. Spending to enhance risk management will continue to increase over the next three years.

This is an observation without comment from KPMG. Let me make one: CEOs, other C-suite executives, and the board should ensure that risk management is sufficiently funded to enable:

a. Training of every decision-maker on how to integrate the consideration of risk into strategy-setting, daily decisions, and performance management.

b. Providing the resources and technology tools to enable those decision-makers to understand current and future risks to the achievement of their and the organization’s objectives.

c. The consolidation and aggregation of risk information to enable the management of enterprisewide risks.

d. The communication of risk criteria and other information (such as information about decisions by others that affect a manager) that enables decision-makers to take the right risks.

I have one final observation:

CEOs, the C-suite, and boards are fooling themselves if they believe their organizations, especially business unit leaders, are effectively considering risk as they make decisions every day that affect the achievement of objectives. The maturity of the great majority of risk programs is low, with risk being considered occasionally and not integrated into the fabric of the organization’s management.

It is past time to demand an honest assessment, preferably by internal audit, of the effectiveness/maturity of the risk management capability: Does it enable better quality decisions and the taking of the right risks every day?

Posted on Jul 8, 2013 by Norman Marks


  1. "The C-suite sees risk management as critically important but few organizations are articulating their risk appetite."

    "Executives continue to struggle with assessing enterprisewide risk exposures."

    What this says to me is that management views risk management as "critically important".....when you ask them about it. As the adage goes, "Show me where management spends its time and resources....." You have to give credit (for honesty at least) to the 19% that admitted their belief that risk management contributes marginally or not at all to their organization.

    I'm sure shareholders are encouraged that KPMG interprets the results to suggest that "companies will not be relaxing their guard any time soon."


  2. Norman: Thanks for drawing attention to the KPMG survey results. My primary concern with the survey is that it has not recognized that the "risk centric" approach to ERM, an approach with a heavy focus on creating and maintaining a "risk register" and assigning "risk owners" used by a large percentage of organizations in the world, is in fact "risky". This approach has diverted people's attention and focus from the real purpose of risk management - increasing certainty that important value creation (e.g. increase market share by X%) and potentially value eroding objectives (e.g. publish reliable financial statements) will be achieved operating with a tolerable level of retained risk. The "risk register" approach has been promoted and implemented in tens of thousands of organizations by consultancy firms and the IIA has promoted it in a number of its guidance publications. I believe that many of the points noted above from the survey are linked to the dysfunctional consequences of using "risk centric/risk register" type approaches to risk management. Regulators in each country who are increasing their focus and requirements in this area also need to ensure they are not part of the global regulatory wave forcing companies to implement risk centric approaches to risk management. We are promoting "board driven/objective centric" approaches to improve the way organizations manage risk. It starts with boards that want reliable information on the state of residual risk linked to key objectives. For those interested simply google "THE HIGH COST OF ERM HERD MENTALITY"
  3. I agree that a risk register and strategy-setting are not compatible. I see the risk register as being perfectly adequate for most operational risks - these are areas where risks are threats to normal operation. In these cases, I treat the risk register as a system for enumerating and tracking risk treatment tasks. "Training of every decision-maker on how to integrate the consideration of risk into strategy-setting, daily decisions, and performance management," is the preserve of the most senior parties in the organization. The two functions of traditional risk management (and internal audit), which focus on operations, and "strategy-setting" are worlds apart. To my mind 2008 showed that the latter is something of the final frontier of risk management.

  4. If a risk register is considered a means to an end in itself, that is wrong. If it is considered to be a list of those circumstances which could threaten the objectives (and therefore value) of the organization, so that the directors can ensure that they are being brought within their risk appetite by internal controls, then a risk register is essential. I don't see the risk register as being incompatible with strategy setting. Every strategy should be accompanied by the risks which threaten it and how they are to be managed. Insisting that every paper on strategy, major acquisitions and projects that are brought to a board meeting for approval has a risk assessment will enforce risk awareness throughout the organization. These risks may not be detailed in the risk register but should be referred to in general, with the specific risks highlighted in a risk register updated by regular risk meetings held by the project team.
  5. This blog is quite helpful for those people who are looking for risk management information. After visiting your blog, anyone can get sound information about the importance of risk management in a company.
