KPMG Warns That Expectations of Risk Management Are Outpacing Capabilities
Norman Marks, CRMA, CPA, was a chief audit executive and chief risk officer at major global corporations for more than 20 years. The views expressed in this blog are his personal views and may not represent those of The IIA.
The warnings in KPMG’s latest report, subtitled “Top Eight Risk Management Imperatives for the C-Suite in 2013,” are important:
“A surge in complexity and uncertainty surrounding organizations as they search for innovative ways to expand into new markets, faceoff against increasing competition and pushing the envelope on technology. Yet these challenges are building faster than most organizations’ abilities to manage with agility, knowledge and a resilient risk-aware culture. Thus, the gap is widening and we are at a turning point — warranting an even stronger capability to master and optimize risk. Stakeholder expectations on an organization’s risk management sophistication continue to grow, yet capabilities are not keeping pace.”
The authors discuss eight findings from a survey of C-suite executives from around the world (no, there is no list of imperatives; we must assume that the imperatives they refer to are the actions to address their eight findings).
I agree with some, but not all of KPMG’s observations. In the discussion below, I have highlighted what I consider to be the imperatives for the C-suite. By the way, ignore KPMG’s misuse of the term “GRC.” They refer to GRC a few times, but they are only talking about risk management.
These are their eight, with my comments on each:
- Risk management is viewed as making a key contribution to the business; however, organizations need to improve howthey measure risk management’s return on investment and how they communicate its processes, value, and effectiveness to key stakeholders.
It is encouraging that respondents felt that risk management was making a contribution. However, the majority of respondents don’t even have an annual “bottoms-up” risk assessment process, let alone one that identifies top-down the more significant risks to the enterprise.
The comment about measuring risk management’s ROI is, in my opinion, foolish. Risk management involves assessing what might happen; how does that create tangible value that is measurable in terms of ROI? The value of risk management is that it enables organizations to make better decisions and take the right risks.
- Executives continue to struggle with assessing enterprisewide risk exposures.
KPMG does not provide a lot of detail on this critical area. While they talk about an annual “bottoms-up” assessment, they fail to even refer to the need for a more continuous process that identifies and assesses risks to objectives.
You can link this observation to other studies that report that 90% or so of organizations are relying on MS Excel for risk management. While they say they are highly dissatisfied, they have been unable to justify moving to a robust enterprise risk management solution, such as SAP’s Risk Management or similar solutions from smaller vendors.
If we are talking about risk management imperatives, I don’t see how you can have an effective risk management capability without software. CEOs and CFOs should ensure that the necessary funds are available.
- The C-suite sees risk management as critically important but few organizations are articulating their risk appetite.
We need to look deeper than this statement or the brief discussion by KPMG. While some say that “risk appetite” is a flawed concept, even though it is a requirement of multiple regulators, there is a key point and imperative here.
How do we expect decision-makers across the enterprise to make quality decisions and take the right risks when top management and the board do not make their expectations clear? Whether you call them risk appetite statements or risk criteria (my preference), every decision-maker needs to know what is desirable and what is acceptable. When KPMG states that 40% have a risk appetite statement but it has not been communicated, you have to shake your head.
It is essential that CEOs ensure that every decision-maker has the appropriate guidance to help them make quality risk-aware decisions and take the right risks.
- Regulatory pressure and changes in the regulatory environment is the issue posing the greatest threat to respondents; global economic and political instability is seen as the greatest risk scenario threat.
Yet another survey of “top risks.” The #1 risk in my opinion is an ineffective risk management capability! Without one, you are essentially driving the corporate highway with a blindfold on.
- Respondents believe business units are more adept than risk management departments, compliance, and internal audit in assessing and managing risk.
The survey reported a high level of confidence (75%+) that business units are effective in identifying, assessing, and managing risk. But, people in the risk management (74%) and internal audit (67%) teams are marginally less effective. Why is that a problem? I find it encouraging that business unit leaders are that good at considering risk in their daily decisions — although I don’t believe the numbers. That is where risk should be owned and managed, with advice, counsel, and assurance from the 2nd and 3rd lines of defense.
- Lack of human resources/expertise impedes convergence of risk and control functions.
Thank goodness! I see no need, other than using internal audit knowledge and leadership, for risk and control functions to be fully integrated.
- Weak incentive structures impede risk-based decision-making.
KPMG would like to see managers and executives have a portion of their compensation tied to risk management. The authors come close to getting this right when they talk about “effective risk-based decision making.” As I said earlier, the value of risk management is that it enables decision-makers across the enterprise to make better quality, risk-informed decisions and take the right risks. Those decisions drive performance, and that is and should be the basis for every manager’s compensation. KPMG does not help us determine how we distinguish when decisions are made using risk information and when they are not.
I don’t see this as a major imperative.
- Spending to enhance risk management will continue to increase over the next three years.
This is an observation without comment from KPMG. Let me make one: CEOs, other C-suite executives, and the board should ensure that risk management is sufficiently funded to enable:
a. Training of every decision-maker on how to integrate the consideration of risk into strategy-setting, daily decisions, and performance management.
b. Providing the resources and technology tools to enable those decision-makers to understand current and future risks to the achievement of their and the organization’s objectives.
c. The consolidation and aggregation of risk information to enable the management of enterprisewide risks.
d. The communication of risk criteria and other information (such as information about decisions by others that affect a manager) that enables decision-makers to take the right risks.
I have one final observation:
CEOs, the C-suite, and boards are fooling themselves if they believe their organizations, especially business unit leaders, are effectively considering risk as they make decisions every day that affect the achievement of objectives. The maturity of the great majority of risk programs is low, with risk being considered occasionally and not integrated into the fabric of the organization’s management.
It is past time to demand an honest assessment, preferably by internal audit, of the effectiveness/maturity of the risk management capability: Does it enable better quality decisions and the taking of the right risks every day?
Posted on Jul 8, 2013 by Norman Marks
Share This Article: