Accenture Reports Good News for Risk Management but Misses a Key Point

Norman Marks, CRMA, CPA, was a chief audit executive and chief risk officer at major global corporations for more than 20 years. The views expressed in this blog are his personal views and may not represent those of The IIA.


Accenture’s 2013 Global Risk Management Study (PDF) starts with a great subtitle: “Risk management for an era of greater uncertainty.” I love this play on words: we live in uncertain times, and risk management is all about addressing the uncertainty between us and our objectives (as the esteemed Felix Kloman says, risk management helps us “pierce the fog of uncertainty”). As ISO 31000 tells us, risk is the effect of uncertainty on objectives. 

While the results of the Accenture study should be taken with at least a grain of salt because 25% of the respondents were CROs (22% were Compliance Officers, 25% CFOs, and just 20% CEOs), they are encouraging.

Let me share the good news before moving to the key point they missed:

  • “The vast majority (98%) of surveyed respondents report an increase in the perceived importance of risk management at their organization. One phrase that resonated with us was 'Action is not optional.' That is seen as true both for the broader organization and for the risk management function.”
  • “At one time, risk management in many organizations could be described by some as 'the department that says no.' Today we would characterize risk management more as 'the department that enables execution.'”
  • “We see risk management as being much more integrated and connected, playing a much larger role in decision-making across the organization — particularly in budgeting, investment/disinvestment, and strategy.”
  • “Survey respondents see risk management as enabling growth and innovation. In order to survive — and certainly to grow — every company should strive to innovate and move its business forward. Simply pushing forward without understanding and mitigating the risks ahead could ultimately lead to disaster in some form. To enable growth and innovation, effective and integrated risk management capabilities should be implemented early and throughout the process. And these capabilities are scarce — both within the companies we talked to in this research and also in the market at large. So risk management capabilities should be prioritized and focused on the things that matter to move the needle for the organization.”

In addition, Accenture reports that “High-performance risk management organizations are taking a focused approach to embed analytics into their management processes.” I see this as essential, that risk management functions use analytics to understand changes in the internal and external environment reflecting current and potential changes in risk levels.

I will leave you to read the report in full, paying special attention to the section on “What sets Risk Masters apart?”

So what did they miss?

Whether you like the COSO ERM Framework or, like me, the ISO 31000:2009 global risk management standard, both say that risk management is part of decision-making and that a mature organization has the management of risk as an integral part of organizational processes.

A continuing focus on what is essentially the building of a silo of risk management, which is what Accenture advocates when they trumpet the existence of a senior executive as CRO, is not going to make the management of risk an integral part of organizational processes.

A continuing focus on risk management as a separate activity with staff and leadership is failing to recognize that every manager, executive, and board member needs to be a practicing manager of risk.

It’s not enough to say that the CEO owns the organization’s risks when she is not encouraged to act as risk owner. Instead, she is repeatedly encouraged to delegate the management of risk to a CRO.

What I believe is necessary, and is missing from the report, is for the expert in risk management to teach the rest of the organization how to include risk and uncertainty as an integral and essential part of the strategy-setting, decision-making, and performance management processes.

The Chief Risk Officer should become the Chief Risk Learning Officer, training, coaching, and mentoring all the decision-makers to be the risk officers.

But, how many have taken on that task? How many hold classes in risk management essentials? How many coach strategy officers and CFOs on how to embed the consideration of risk into their activities?

How many measure their effectiveness by the number of executives who no longer need their help?

I welcome your comments and perspectives.

Posted on Oct 13, 2013 by Norman Marks

Share This Article:    

  1. I agree fully that risk management should be the responsibility of all within the organisation across the line and support functions> Leaving it to the charge of a chief (or a team of) risk officer is not going to get any better results. It is like trying to find a scapegoat if something goes wrong.

        The CRO serving as Chief Risk Learning Officer should be a skill set as the function should report to the CEO and have direct access to the board - or idealy report to the Risk Committee of the board - communication skills are critically important. 

        CROs are not risk owners - they own the risk management process - business unit leaders own the risks.

  1.  John, are communication skills sufficient? Few have plans to train decision-makers.

  1. "...from survey responses we see risk management as being much more integrated and connected, playing a much larger role in decision-making across the organization—particularly in budgeting, investment/disinvestment, and strategy."

    Norman, you are right on.  Even as they push for and celebrate the incorporation of risk management into organizational decision-making, their treatment of the topic contributes to a view of risk management as some sort of tacked-on process that didn't exist prior to the invention of the CRO function.  They do have some really nice zebra pictures in their report, however.

Leave a Reply