Accenture 2011 Global Risk Management Study: Important, Startling, but Deceiving Results

When I first read the Accenture 2011 Global Risk Management Study I was shocked. It seemed to say what nobody else, nor my personal experiences talking to hundreds of companies around the world, was indicating: that there had been a tectonic, positive shift in risk management practices and philosophy.

All of a sudden, risk management was broadly perceived as critical to optimizing and sustaining performance. A massive increase in acceptance and implementation of risk management had occurred since the last Accenture study in 2009.

But, a careful read shows that Accenture surveyed companies that either had an official Chief Risk Officer (64%), a senior executive who performed that role without the title (14%), or a manager who performs that role without the CRO title (6%). Only 16% of the respondents were at companies without a risk office. In addition, about half of the companies were large enterprises with revenues in excess of $5bn.

Even with this caution, the results of the study are important and interesting. After all, even risk officers have been talking about protecting value rather than enhancing performance. They have also not been so positive about continued investment in risk management as this study shows.

Here are some of the highlights for me, but there is a wealth of information, especially if you access their referenced Risk Management Thought Leadership Library.

  • Executives understand that the challenges facing their organizations have never been greater. They are increasingly looking to risk management leaders to provide guidance on the path ahead, mitigating critical risks and enabling long-term sustainable growth.
  • What we are witnessing, especially as we compare the 2011 results with the findings from our last  survey in 2009, is a clear maturation of risk management capabilities across all industries—a rapid march up the business value chain and the development of governance and organizational structures that give risk a voice at the executive table.
  • Risk management capabilities are more critical, more connected, more strategic and overall more valuable to enterprises as they execute their business plans. As a result, companies are spending more time and effort advancing their risk management capabilities as a business priority.
  • The executive mindset is broadening, and risk management is becoming both more comprehensive and more integrated—whether in decision making or in formalizing enterprise risk management programs or in the restructuring of the risk management organization and its leadership.
  • Companies have increasingly initiated comprehensive enterprise risk management programs and are more likely to have in place C-level executive oversight to ensure that risk is being managed at a more strategic level. In short, risk management capabilities are not only prevalent and a target of investments—they are also more strategic and aligned with growth strategies, and they are helping companies achieve their most important business priorities.
  • Beyond the immediate pressures of global markets, more demanding customers and dramatic industry change is a growing recognition that companies have an opportunity to drive competitive advantage from their risk management capabilities, enabling long-term profitable growth and sustained future profitability.
  • This means that risk management at the top-performing companies is now more closely integrated with strategic planning and is conducted proactively, with an eye on how such capabilities might help a company move into new markets faster or pursue other evolving growth strategies. At its best, risk management is a matter of balance—the balance between a company’s appetite for risks and its ability to manage them.
  • “Key risk performance indicators and specific, focused risk analyses are now more often included in investment and strategic decisions.”
  • Companies are increasingly concerned about the spectrum of risks—from supply chain to operations to regulation to reputation. Financial fraud and crime are on the rise.
  • Risk management needs to support positive business growth, not only protect against negative occurrences.
  • Organizational silos and outdated information systems prevent many enterprises from adequately sharing information that could mitigate risks more effectively.
  • Executives want risk management to be a driver for sustained future profitability, and they understand the importance of infusing a risk culture throughout their organization, but too few companies are achieving those goals.
  • The risk management organization needs to be included in activities such as strategic planning, objective setting and incentives, financing decisions and performance management processes.
  • It is vital to have in place mechanisms to create and distribute more broadly across the organization an awareness of risk exposure, detailed training and the means to mitigate risks.
  • Failure to link risk management to growth and value means leaving money on the table, and, consequently, the failure to achieve high performance.
  • “Risk is a higher priority for us than two years ago because business and risk complexity are changing—driven by regulation, competition, customer expectations, technology, processes, environmental issues and new products, as well as macroeconomic and market factors. Business and risk complexity are rising faster than the current risk management function can keep up. Hence, we are now enhancing our risk management capabilities to enable our organization to keep pace with those complexities.”
  • “A high-quality and efficient risk management function is among the top strategic goals of the company, ranking second only to growth and profitability.”
  • Almost all respondents felt that their risk management capabilities provide at least some source of competitive advantage, a finding consistent across industries.
  • Interesting geographical differences were apparent from the survey results. Companies in Latin America, for example, are especially likely to have ERM programs—an almost unanimous 99 percent of those surveyed. European companies were the least likely to have an ERM program at 52 percent; North America was also below the survey average at 60 percent.
  • Eighty-three percent of respondents see risk management investments (which includes salary and benefits for risk employees, professional services, technology costs, facilities and travel) increasing in the next two years.
  • Geographically, Latin American companies foresee larger risk management investments than other parts of the world: 90 percent foresee significant or moderate investment increases, compared to the survey average of 83 percent. Asia Pacific and North America are slightly under the average, at 82 percent and 81 percent, respectively.

I will close with this quote, just to please my masters at SAP (they have risk management solutions):

  • The effective use of technology in areas such as analytics is increasingly an important differentiator enabling leading organizations to stay ahead of the competition, helping them to focus their time and attention on the issues that matter most. 

What do you think? Do the Accenture findings gel with your discussions with (a) risk officers, and (b) senior executives? Are there sections of the report that you like, but which I didn't reference?

Please share.

Posted on Jul 9, 2011 by Norman Marks

Share This Article:    

  1. Regarding large companies (revenues greater than $5bn) perhaps large companies are both more sophisticated in terms of the need for risk management and have more resources at their disposal?  I hesitate to say "bigger is smarter" but bigger is often more well resourced.

    I also intuitively believe (and would welcome further research in this area) that large companies may be more diverse and thus more interconnected and interdependent -- increased diversity, connectedness and interdependencies indicate a more complex operating environment where more things can go wrong and where relationships may be more fragile/vulnerable.  Perhaps the larger players in the market are learning to be more rigorous in how it approaches such risk?  This poses some extremely interesting questions for companies such as SAP and the direction of analytical interest. 

    Perhaps they sense risk or vulnerability inherent in complexity (see IBM's study of 2010) but are a far lap from a solution.

    Very respectfully,

    John Marke

     

     

  1. Very interesting.  The more that risk management is critical part of organisations' activities, the more relevant (thank you, Denny) and useful internal audit assurance on RM's effectiveness can be.  Therefore, this is a great opportunity for us. 

    I can't, however, help feeling a bit nervous about the results.  This may be based on a quantitative survey but it is mostly a survey of the perceptions - how important do you think these things are to you?  That isn't yet proof that these things ARE important to organisational success.

    I also can't quite work out how they define "risk masters".  If they are defined as those with lots of resources and appropriate tone-at-the-top, then it is probably not surprising that risk masters tend to have more CROs than do non-masters. 

    So, very interesting, very valuable but not the last word.  Thanks for bringing to our attention, Norman.

  1. Jackie, I believe they have defined 'risk masters' as those with leading practices - in their opinion. It probably has something to do with how much their advice and guidance is followed.

  1. I use to read surveys like this one several times to drain them of all meaning an valueable trends. While that has been very useful to see how the industry is changing, it has now become furstrating. There are no examples! At first I thought this was because of the type and focus of the survey, however I now believe it is because the concepts of managing risk have yet to solidify. Some even argue that there is no need to solidify concepts because every organization is different... To that I would say, then why did we standardize financial accounting.

    If we truely want to be professional about how we provide risk management advice we have to advocate for a central understanding of risk and its management and measurement. This is tough because it effectively requires the combination of three industries professional perception of the topic. We have insurable risk which uses actuarial science and probability. We have our assurance industry which is prone to view risk as requiring unique control response, and we have business management which see risk as inherent (yet often undefined) in their oversight and alignment of operations.

    I firmly believe that the breakdown of silos, and progress towards giving management a true competitive advantage from risk management will not happen until these three perceptions are unified into standards. If we in IA want to raise our risk management profile, we need to understand that we can only offer 1/3 of the solution!

  1. It is interesting that information security is not explicitly identified in the survey. It might be included under operational, business, or safety categories. Cyber crime is mentioned several times but only in passing and not directly addressed. Another report is available on fraud and financial crime that doesn't mention risk in the title, but I haven't seen it.

     

  1. Isn't it interesting that as you say above "Accenture surveyed companies that either had an official Chief Risk Officer (64%), a senior executive who performed that role without the title (14%), or a manager who performs that role without the CRO title (6%). Only 16% of the respondents were at companies without a risk office. In addition, about half of the companies were large enterprises with revenues in excess of $5bn. " Makes you think as to why they would release a skewed survey, one that it not really reflective of the realities around the globe. As much as we would like to believe that  there has been this tectonic shift, it has not yet occured based on all of our contact. Seems that the survey is intended to produce hype and hype produces revenues in consulting services. My thinking is that if you want to produce a well balanced survey and if that is your primary agenda, then you do whatever follow up is necessary to get the non responders to respond.

    Isn't it interesting that no risk frameworks at all have been cited in the document -not even the COSO ERM monster which  Accenture no doubt is quite familiar with. But what about the ISO 31000 framework. Isn't it interesting that they do not even mention it?

    Isn't it interesting that they produce the title risk masters which ostensibly reflect the 10% of the 400 companies who responded to survey but they do not even share names of the risk masters? Who are these "masked men"- oops I mean risk masters?

    Isn't it interesting that the eight criteria they come up with for effective dimensions can for the most part not be tied back to substantial attributes of the ISO 31000 framework and furthermore isn't it interesting that one could not even take these eight attributes and find sub categories to begin the process of self evaluation without needing the help of the consulting firm?

    continued below

     

  1.  continued from above and conclusion

    Isn't it interesting that we have yet to witness significant contributions in the public domain in high quality peer reviewed journals by anyone from this firm. We see that they have published internally these eight criteria without consideration of ISO 31000 and without contributions to it from external personnel and also without I believe anyone from the firm actively championing on the outside ISO 31000? This does not strike me as providing thought leadership in risk management.

    In the end analysis, this survey will be seen for what it is and what it is is just an attempt to market their firm's products and services. I see little in the way of meaningful contributions to risk management here

     

Leave a Reply