Reflections on the Economist Intelligence Unit's Report on Risk Management

"Fall Guys: Risk Management in the front line" is an interesting read. Here are a few highlights and observations (the bolded highlights are mine):

“In the financial services industry, there is a clear consensus that serious mistakes were made with either risk management or risk governance….
“This renewed zeal for risk management extends far beyond the banking sector. Events such as the financial crisis, and more recently the oil spill in the Gulf of Mexico, have reminded senior executives that failures in risk management can prove to be extremely costly, not just to a company’s financial performance, but to their own careers and, sometimes, the lives of employees. The incentive to ensure that there is a clear and consistent approach to managing risk across the enterprise has never been greater.
“However, although risk management is currently enjoying an unprecedented level of authority and visibility, it remains a function in transition. Examples of companies that take a genuinely strategic approach to their risk management remain few and far between. Communication between risk functions and the broader business can sometimes be fragmented, while an enterprise-wide culture and awareness of risk can be difficult to achieve.”
“Senior executives surveyed for this report clearly recognise the importance of strategic risk management to their business. They see major strategic threats, such as weak demand and market volatility, as the biggest risks they face over the next 12 months, and regard the identification of new and emerging risks as the key goal of risk management. But they also see this aspect of risk management as among their biggest weaknesses, with just 35% saying that their company is effective at anticipating and measuring emerging risks.”
“Less than one-half of companies involve their risk functions formally in any major strategic decision, such as evaluating new market investments or M&A opportunities. Few companies even expect risk functions to play a support role in decision-making, with just 41% saying they expect risk managers to provide analysis to help management set corporate strategy.”
“Less than one-half of companies have invested in risk processes, while less than one-quarter have allocated funds to headcount or training of managers in the central risk function.”
“However, although confidence levels in the knowledge of executive management are reasonably high, many respondents worry that the technical risk knowledge of non-executive directors is lacking.”
 
There is a chart at the end of the document that I found interesting. The authors asked “What, in your opinion, are the most important objectives of the risk management function?” The top three were:
 
1. Identifying new and emerging risks 58%
2. Enabling managers to make better decisions 45%
3. Ensuring corporate survival 36%

What do you think of the report? What are your primary ‘takeaways’?

 

Posted on Nov 29, 2010 by Norman Marks


  1. Norman:

    As usual you are on your game and cranking the stuff out and I wish that more folks would get involved in constructive fashion to respond to your blogs. It is one of the things needed to move the risk management profession (discipline) forward.

    My key takeaways are

    The report is raising nothing new albeit it is a good report. Risk Management is critical. It is not well understood or well executed by but a handful of companies. These three things are important that you raise but a more comprehensive list already exists in both ISO 31000 and BSI 31100- key objectives of a risk management system-the respective listings are the most important things and at end of the year, progress on each of those objectives should be measured.

    For once I would like to see a report that not only articulates the problems but provides a well thought through summation of what needs to be done to move this discipline forward. How about the following for starters.

    All the professional groups around the globe that claim to be experts in risk management such as COSO, AICPA, IIA, GARP, PRMIA, PRIMA, SOA, IRM, FERMA, RIMS come together at an interdisciplinary session/conference and agree on one set of common terminology to be used throughout the globe to talk intelligently about this subject matter instead of each group only caring about their own commercial interests to the detriment of the world.

    continued below

  1.  

    Continued from above

    We put out of business any consulting group that shows up on a company's doorstep with powerpoint stillshot presentations on risk management. Companies should not buy their services.

    The organizations above agree and articulate in writing those schools from around the globe that truly bring value to this discipline and distance themselves from those that do not- I have a long list of the latter and a short list of the former

    We publish more articles on risk management only in academically accredited journals and not those with weak or inadequate editorial advisory boards because it is a waste of time.

    We bring rigor to the risk assessment process which is an important piece of risk management. I am writing an article on this which hopefully will be published by the IIA in February. The risk assessment process stinks, what is wrong with it, what needs to be done differently, how this will bring benefit to the company.

    We bring rigor to the assessment process of a company's risk management process. We are currently discussing this subject matter and there currently exists very little professional guidance other than HM Treasury, a document that you circulated this past April. The focus on assessment should reside on three key things- assessing the capabilities, assessing the actual management of risks and assessing whether the objectives of risk management have been accomplished.

    continued below

  1. continued from above and concluding remarks

    We should shun any group that attempts to portray their individual software platform as a solution to ERM or worse yet tries to convince that somehow GRC (which in my opinion is mostly worthless and documented in your guest blog of October 6 for which no responses were received) is a further solution to the myriad of risk management issues.

    We should gravitate to those countries and institutions that clearly are on the cutting edge of this discipline. At the moment I would put the US well below that of Canada, the UK, Australia/New Zealand and probably as well South Africa based on the professional guidance we have seen from these countries (because of the disproportionate misdirected SOX efforts and other issues noted in my response). For example I am planning to get more involved in both the IRM out of London and ISO 31000 as I have no confidence that COSO can deliver anything credible based on what I have seen these past ten years unless of course we insert folks such as you, Sobel, Parkinson, Fraser, Purdy, Anderson onto the Advisory Board.

    I am sure there are more comments to rant about. This is a good start. Taking this up one further notch would be getting someone onto the podium at the World Economic Forum in Davos this coming January to discuss common approaches to risk management.

    Best regards,

    Arnold

     
