The State of Risk Management

Norman Marks, CRMA, CPA, was a chief audit executive and chief risk officer at major global corporations for more than 20 years. The views expressed in this blog are his personal views and may not represent those of The IIA.


A new survey, Leadership in Risk Management, provides some insights into the state of risk management among European companies. Sponsored by Zurich, FERMA, and PRIMO and published by Harvard Business Review Analytic Services, it shares the results of a survey of 217 companies based in Europe. The results are predictably biased because the feedback is predominantly from risk managers or officers (60%). However, we can look past that as we consider the more interesting findings.

Some of the results are encouraging. Others indicate that we continue to have significant obstacles establishing the management of risk as central to the setting of objectives and strategy, and then to the optimization of performance, achievement of objectives, and the delivery of value.

Key points include:

  • The C-suite is taking a stronger role in leading the risk management effort at major primarily European companies... Congruently, companies are underscoring the need for strong board involvement to facilitate decision-making regarding strategic and enterprisewide risks and to encourage acceptance of a culture of risk management further down in the organization. [Note: this finding has to be viewed with care, as while the survey indicates that top executives are paying more attention to risk, the survey seems to consider chief risk officers (CROs) as C-suite executives — which they rarely are — ndm.]
  • Increasingly, top management and the board are setting direction and taking tighter control of risk management, integrating with overall company strategy, and inculcating it deeper into the corporate culture. At the same time, they are intensifying their focus on such areas as reputation and IT risk and are acquiring new tools for forecasting and mitigating threats.
  • Companies are struggling… to create a wider role for the risk function as a participant in strategic planning and transformational initiatives [such as mergers]… 41% said the risk function has a seat during strategy setting, project launches, investment, and other business decisions, while 42% said it has a seat occasionally.
  • Only 20% described the risk function as a tool for making more effective strategic decisions and investments, and only 17% described it as a business tool to help drive profitability by facilitating achievement of objectives.
  • More than one in four (27%) said that risk management should help the company leverage upside growth opportunities along with mitigating downside exposures.
  • European executives express concern about the robustness of their risk management processes and channels of communication.
  • The challenge is still to make sure that risk is “owned” at appropriate levels of the organization and that risks are communicated efficiently, such that top management and the board can make timely, fact-based decisions about how to address them… More than one-third of respondents expressed concern that proactive communication, potentially preventing or lessening the impact of a crisis, does not take place in a timely manner during daily operations... Only 17% of respondents described communication between the C-suite and the CRO as being comprehensive or nearly so.
  • Key risks are communicated to the C-suite regularly at 70% of organizations... At almost three out of four (72%), it reviews top risk exposures and treatment actions at least biannually. [Note: this is terrible. Top executives should be not only aware of but ensuring key risks are addressed on a continuing basis — ndm]
  • Processes to define risk appetite are now in place at nearly half of companies. Systemic risk management tools and analytics that enable them to track and analyze risk, and can then inform risk committee discussions, are in more common use.

The document includes wisdom from Prof. Walker, Zurich Chair in Enterprise Risk Management at St. John’s University, on defects in the state of risk management.

“Board members have said to me, ‘We’ve got to get better in doing that.’ Some of the complaints I get from boards are that they don’t get strategy risk information on a timely basis. So they can’t really help the executive team make the right decision, because they feel rushed in some of these situations. Or they see ERM leaders who talk about ERM, but they don’t seem to think broadly enough and they don’t do deep dives, and they don’t connect the dots. Or I’ve heard board members say to me, ‘You say you’re doing ERM, but from our perspective, it looks a lot like silo risk management.’ So they want organizations to try to connect the dots a little bit more, because there’s a lot of value in doing that.”

Walker goes on to say, "The CRO must dispel a common image as a person who says no to ideas, and must demonstrate the value of the metrics and other tools at their disposal, often to skeptical officials." Walker cited a recent conversation with a chief strategy officer whose “biggest criticism of ERM was, ‘I need something that’s actionable. You tell me what the risk is, but how do I act upon that?’ So we’ve got to be ready for those difficult questions and have the solutions as well.”

Is this consistent with the state of risk management where you are?

Is risk management the department of "no," or does it help management make better decisions and drive performance, the achievement of objectives, and the creation of value?

I welcome your comments.

Posted on Aug 23, 2013 by Norman Marks


  1.  Norman,

    This article gives some great data as to how the C Suite as a "herd mentality" thinks about risk management. Boards and C Suite are always talking about risk strategically. The two questions I pose in my work and research are on the topic of "risk accountability":

    1. Do Boards and C Suite understand their own "predisposition to risk" - their risk style? Are they data driven? Do they need to have both the EQ and IQ requirements met on understanding risk before they can make risk decisions?

    2. Until they know their risk style - how will they understand what risk means to the Board and C Suite - think about risk awareness and accountability as playing a role in economic outcomes for the entity?

    Once they understand how all of the stakeholders in the C Suite and Board view risk accountability, they can create a framework for the organization to align key performance indicators with key risk indicators and create a 360 View of Risk and shift risk into the daily operations and management of the corporation.


  1. Norman: Thanks for the alert on the survey. I agree with you that it has both positive indicators and some useful caveats. My personal belief is that many risk initiatives, be they from risk specialists and/or internal audit functions, have not stressed that the application of risk management is a choice that must be made by boards, senior executives, and organizations on whether to apply it and with what level of rigor. Not applying formal risk management is a significant risk in itself that needs to be understood. Many ERM initiatives have not communicated that risk management is simply and fundamentally a tool that, when properly applied, can increase certainty that an organization will achieve objectives and reduce the probability of significant value-eroding events. I encourage all readers to access the Feb 2013 Financial Stability Board "Thematic Review of Risk Governance" available without charge using a simple Google search. The recommendations of this multi-country review are among the best I have seen in my 25+ years in the risk profession. The Internal Audit profession is offered an unprecedented opportunity if there is a will to aggressively exploit the opportunity offered.
  1. Another excellent offering. Thank you Norman. I have two comments, one thematic, the other a personal failing.

    As the survey suggests, the old adage still applies, "you can lead a horse to water..." If the horse says, "What trough?", or "No thanks, I'm good.", "I'm not thirsty", "I don't need water", "What if it's poisoned?" and gives other indications of attempts to thwart risk identification and corrective action, one must conclude we haven't learned our lesson yet. You have to wonder what is required for C-suite residents to take risk management seriously and to understand the instructive and ultimately profitable nature of enterprise risk management.

    My personal failing has to do with language - the world of internal audit and risk management is fraught with industry-specific language seemingly designed to obfuscate or at least deflect a true sense of concept. I have some favorites, one being the risk appetite. How much risk can I eat at one sitting? Do I want that poached or fricasseed? Does it come with fries? Can you put catchup on it? Everyone's interpretation of the word appetite is different, and as you build a risk program based on industry- or institution-specific vocabulary that is open to individualized definition, you mold the risk program to fit the institutional action rather than the institutional action molded to fit a risk management program.

    For any risk managers designing a program and writing the particulars, I might suggest first reading a Hemingway novel. Simple direct language is necessary, and as Einstein said, if you can't explain it simply, you don't understand it well enough.

    Once again, thank you Norman for adding fuel to this important and ongoing conversation.

  1. I think you hit the nail on the head in the question posed at the end of your excellent commentary. Risk management, like internal audit, must be the department of "yes" as well as "no". To my mind the risk management function should be involved not only in business process oversight but in business process improvement and identification of opportunities to gain a strategic advantage over competitors who manage risk - or their business processes - less well. This means that part of the risk management function involves the examination of the activities of other companies - competitors - to identify their weaknesses in risk management and to exploit those weaknesses. Of course the C-Suite must be listening - and the best way to get them to listen is to add real value to the bottom line of the company.
