Are Boards really engaged in Enterprise Risk Management?


There’s no better way to understand the top concerns facing GRC professionals and Board level Executives than to hear from the individuals themselves. That’s why we were excited to delve into the findings of the recently published 2022 Global State of Risk Oversight report.

The report summarises key insights from 747 Executives in organisations around the globe and identifies similarities and differences across four separate geographic regions (U.S., Europe & UK, Asia & Australasia, Africa & the Middle East). The research, conducted by the AICPA & CIMA in partnership with North Carolina State University’s Enterprise Risk Management Initiative, delves into the current state of risk oversight processes in organisations of all types and sizes to obtain an in-depth understanding of the relative maturity of the underlying activities that Executives and Boards use to monitor an ever-changing risk landscape.

The report’s detailed analysis homes in on helpful benchmarking perspectives about what factors are driving organisations to improve their risk management maturity, enhancing the risk management process, maximising the strategic value of risk management, building a risk-aware culture, and enhancing risk reporting and oversight for the board.

We found this report and its insights extremely telling, and we wanted to take this opportunity not only to share the key findings with you, but also to explain how organisations can structure their risk management process to improve risk oversight and future-proof their organisations.

To what extent has COVID-19 changed the nature and type of your organisation’s top risks?

It was interesting to see that less than half of the respondents in Europe and the U.S. thought that COVID-19 had changed the nature of their organisation’s risks from the prior year. This clearly demonstrates the sheer number of risks that organisations are facing besides the pandemic: from operational risk and financial risk to cyber risk and geopolitical risk, organisations face an uphill struggle.

There is no doubt that the impacts of COVID-19 will be long-felt, and the thought of returning to what was once viewed as “normal” operations is no longer realistic or viable. Many businesses have moved into novel ways of conducting operations that have now become the “new normal”.

The pandemic put the spotlight on the importance of operational resilience, business continuity planning, and strategic risk management. Covid-19 drove home the importance of contingency planning and the need for an agile business model that can adapt to change to ensure long term sustainability. Having plans in place to ensure operations can continue to run during any kind of outage is crucial for any business looking to rise above the effects of the current crisis, and the next.

With so much to consider, it is essential that businesses invest in software solutions that will not only make risk management and strategy planning easier for GRC professionals, but also enable transparent access to real-time operational and transactional data that will enhance the visibility of risk, improve decision-making and build a business model that can adapt to change.

Do organisations describe their ERM process as systematic, robust, and repeatable with regular reporting of top risk exposures to the board?

Less than half of the organisations surveyed would describe their ERM process as systematic, robust, and repeatable with regular reporting of top risk exposures to the board. This shows that there is extensive scope for organisations to improve their ERM process. Following the uncertainties of the COVID-19 pandemic, many organisations are rethinking their approach to risk management and looking to introduce technology and automation to streamline processes, gain visibility of strategic risk, and produce meaningful reports for the board.

Technology adds structure to a risk management framework. It broadens the scope of risk management by creating a risk-aware culture, and it makes reporting on risk management easier through live reports and dashboards, leaving risk professionals free to focus their attention on protecting the organisation from unforeseen risk and advising the board on long-term strategic decisions.

Is the nature and extent of key risk indicators (KRIs) regarding the entity’s top risk exposures robust?

Only around half of the companies surveyed thought the nature and extent of key risk indicators (KRIs) regarding the entity’s top risk exposures was mostly to extensively robust, and even fewer in the United States. KRIs focus on the most critical indicators for managing high-level risks, which vary depending on a business’s unique objectives and priorities. Getting access to the right data to understand and monitor the likelihood of these risks can be a challenge, and organisations need to be smart about how they obtain it.

Organisations should ensure that live transactional and operational data feeds into their risk management programme. This can be facilitated by using GRC software with API integrations that pull live data from other systems and sources into the risk management process. This consolidation of data enables an organisation to set up a series of controls to identify and track the right KRIs and to ensure risks and their controls are more accurately assessed. These indicators can then help organisations identify risks, analyse historical data for pattern recognition and forecasting, and drive appropriate risk mitigation responses. The same data can further be utilised in the areas of alert management and capacity planning.

KRIs provide a single source of truth and should link to the business’s strategic priorities, thus empowering the business to identify the key risks related to each goal and alert stakeholders when the business is at risk of not achieving its targets.

Key risk indicators can also be monitored through regular risk assessments, surveys, and questionnaires. These can be automated through GRC software to build a real-time view of how much the company is exposed to risk. Even insights about competitors and the market, long-term strategic growth, and the need for modernisation should be considered as part of a complete strategic risk management programme.

Effective risk programmes bring objectivity into stakeholders’ risk perception by providing a shared language to measure the effectiveness of risk mitigation within the organisation. A well-structured ERM programme strengthens risk culture by enabling leaders to recognise the benefits of effective risk management through live reports and dashboards. A comprehensive GRC solution will provide templates for risk assessments and give authorised personnel the ability to assign metrics to risks and to monitor risks and metrics against targets and tolerance thresholds.

Does your risk management process provide unique competitive advantage?

Most Executives do not believe their organisation’s risk management processes provide a competitive advantage.

These low numbers could indicate that many organisations are only looking at short-term risks, rather than the longer-term strategic risks posed by external competitors and the marketplace. If risk management is done correctly, it should feel like a competitive advantage. If you are more aware of and better prepared for external threats than your competitors, or possess a more agile business model that can adapt to change and make quick decisions, then you will have a competitive advantage.

Another factor contributing to these low numbers is that many organisations see their risk oversight and strategic planning efforts as separate and distinct activities. Because of this disconnect between risk management and strategic planning, risk management programmes typically lack a strategic foundation from which they can build organisational value by informing decision-making and ensuring resources are allocated to strategic risks. By aligning these activities and directly linking ‘risk’ to your strategic goals and objectives, you can strike the right balance between risk and reward and identify the risks that are worth taking in pursuit of those goals and objectives, outflanking your competitors.

“Business leaders who understand that risk and reward are related are likely to increase their investment in risk governance to strengthen the resilience and agility of their organisation by navigating a complex and uncertain risk landscape. The use of ERM supports value creation and long-term profitability and sustainable development.” – Ash Noah, CPA, CGMA, Vice President & Managing Director of Management Accounting at the Association of International Certified Professional Accountants

The world moves at speed, and in the face of the sheer pace, volume, and complexity of the ever-evolving array of risks that emerge, businesses that take care to be well-prepared can benefit strategically, while less-prepared organisations will face disruptions to their core business processes and, in worst-case scenarios, their demise.

To what extent does your risk management process identify, assess, and respond to emerging strategic/market/industry risks?

While approximately half of the organisations surveyed believe their risk management processes are focused on emerging strategic, market or industry risks, in some regions fewer than half believed their risk management processes provided important strategic advantages.

In an age of intense uncertainty and complexity, a business’s success hinges on making intelligent and informed decisions by integrating corporate strategy and risk management. The key benefits of bringing together risk and strategy include increasing the range of opportunities, identifying the impact of different risks on your strategy, reducing negative surprises, and enhancing enterprise resilience.

By aligning risk management with the organisation’s strategic goals and objectives, organisations can better understand the inherent risks that would prevent them from achieving their strategy, affording room to take calculated risks on key initiatives that are likely to grow the business or support corporate strategy.

Building an effective risk-informed strategic planning function is not a straightforward process. A holistic GRC software solution is best used to automate this alignment by breaking down strategic goals and objectives into a series of programmes, projects, tasks, actions, and risks, and allocating them across the business with clear ownership. This power to consolidate disparate processes, systems, and data sources into a single point of oversight ensures the business remains agile and resilient by pre-empting what could happen from a strategic risk perspective, good or bad.

To what extent are risk exposures considered when evaluating possible new strategic initiatives?

It’s heartening to see that in most regions over half of the businesses consider risk exposure when evaluating possible strategic initiatives. This is a trend that we see growing steadily as organisations start to realise the benefits of linking risk management to strategic goals and objectives. In addition, we see more organisations linking ‘risk’ to large project implementations and the management of various portfolios throughout the organisation.

According to author and GRC thought leader Norman Marks:
“Boards and senior management need to see the value of risk management and more importantly recognise how it adds value to overarching performance. Solutions that bring risk elements into strategic decisions that need to be made very quickly show the value they can generate, both in opportunity and in avoiding costly issues.”

Implementing strategy planning software that integrates with your GRC process adds a layer of agility to a business. The right solution enables organisations to break down strategic goals and objectives into a series of programmes, projects, tasks, and actions, and to allocate them across the business, enabling owners to complete actions and tasks within the system. This ensures the entire organisation is accountable for achieving the strategic goals set by the Board and Senior Executives, making it easier for leaders to roll out any changes. Being able to connect your organisation’s risks, risk tolerance and risk appetite to organisational strategy is a key value proposition of the Camms suite of solutions.

To what extent will your organisation’s senior leadership team be calling for more enhanced risk management processes?

Calls for enhanced risk oversight are equally strong among Boards, CEOs, and Presidents, and those requests are occurring even when outside pressures from regulators are not as strong. According to the report’s findings, the need for more advanced risk oversight is becoming more evident. Organisations, particularly in Asia, Australasia, and Africa & the Middle East, acknowledged the need to strengthen their business continuity processes, while less than half attested to having regular and robust reporting of top risks to the board on an ongoing basis.

Thanks to the pressures emerging from Boards of Directors and Audit Committees, members of senior management are calling for stronger and more effective risk oversight. In comparison, regulatory pressure is less significant, cementing the fact that Boards and CEOs see value in risk management regardless of expectations from regulators.

The report also revealed that despite a greater need for effective risk management, and the growing level of uncertainty in today’s marketplace, only about one-third of organisations (for most regions in the world) have complete ERM processes in place and very few provide formal training and guidance on risk management.

In a volatile risk environment that demands effective ERM processes, many firms lack the mature risk programme, management capabilities, and strong risk culture that would help them keep up with the volume and complexity of risks characteristic of today’s risk landscape.

An effective ERM system backed by the right technology will not only take on board threats, harness opportunities and link those back to organisational strategy, but will also help organisations achieve their objectives in the short, medium, and long term.

To what extent is the risk information generated by your ERM process formally discussed when the board of directors discusses the organisation’s strategic plan?

A noticeable difference was reported by organisations in the U.S. relative to those in other parts of the world regarding the extent to which top risk exposure was formally discussed when the Board conferred on the organisation’s strategic plan. Only 28% of respondents in the U.S. indicated that such discussions were happening “Mostly” to “Extensively.” In contrast, the percentages of organisations in Europe and UK, Asia and Australasia, and Africa & the Middle East that formally discuss information generated by the organisation’s ERM processes when assessing the strategic plan were higher, at 44%, 47% and 50%, respectively.

Boards play a crucial role in risk oversight and bear the primary responsibility for risk management. Therefore, board members and leaders must support risk professionals in developing appropriate processes to identify, manage and mitigate risks.

The low percentage of organisations that share risk information generated through their ERM processes with the board can be traced to limited reporting capabilities. To fully realise the benefits of risk management efforts and processes, organisations must engage all areas of the business in the collection and monitoring of risk data. This can be remedied by using automated GRC tools with interactive dashboards and reports, providing extensive business insights that will engage the Board.

In an organisation which has achieved risk maturity, its Board and Governance leadership group are proactive in setting the company’s risk appetite. Active monitoring and reporting on risks through a meaningful dashboard can help create a more well-defined and direct path to achieving business value.

Key attributes of a successful risk- and strategy-oriented approach include being able to easily view and track the organisation’s risk profile and status at any time, in turn providing stakeholders with easy-to-follow graphical summaries. An ERM solution that includes an effective management dashboard can help you provide more meaningful reports to support decision-making on risk management and strategy choices, and better target resources to higher-priority risks that impact critical areas of the organisation, enhancing performance and enabling long-term sustainability.

What are the main barriers to Enterprise Risk Oversight?

Collectively, the biggest barriers to enterprise risk oversight were deemed to be ‘competing priorities’ and ‘insufficient resources’. Perception of the risk management function also contributed to a lack of risk oversight, with ‘unneeded bureaucracy’ and ‘lack of perceived value’ also rating highly.

Organisations across the globe encounter countless barriers when it comes to advancing their risk oversight. Many firms remain hindered by the perception that they lack sufficient resources to ensure their ERM processes are effective, or they find that other priorities take precedence over risk management.

Collectively, these findings point to the fact that Executives interested in strengthening their organisation’s overall risk oversight face perceived barriers that they will need to overcome. A major part of their effort might need to be concentrated on educating their Boards on the value proposition for investing in enhanced enterprise risk oversight for strategic success and building a strong business case for GRC software.

In response to the reported findings of organisations struggling to connect risk oversight with strategic planning and value-creating efforts, risk managers and their teams will have to focus their efforts on integrating their risk management processes with their strategic planning.

Put simply, the more Executives recognise how strong risk insight increases the organisation’s ability to be agile, the greater progress they can make in expanding their risk oversight infrastructure.

The fact remains, that by several measures, ERM is more valued today, compared to 10 years ago. However, many contemporary businesses treat ERM primarily as a compliance activity, as opposed to an integral part of strategic and operational planning. Robust risk management remains an elusive concept for many businesses. In the same vein, the relative level of immaturity in enterprise risk oversight around the world can be attributed to perceived barriers to a business’s overall approach to risk.

Those organisations that adopt such an integrated approach are in a good position to transform risk management into a source of competitive advantage. The benefits ERM brings to any organisation (if implemented correctly) are many, including fostering a risk-aware culture, improving decision-making, and lowering costs, to name just a few.

The time is ripe for risk management to evolve from a mere compliance check-box exercise into a decision-making resource, while keeping risks at a tolerable level. Dedicated ERM software allows users to produce Board-ready reports, access real-time dashboards, promote an organisation-wide risk-aware culture via collaboration, and enables powerful automation.

The ideal software should provide management and end-users with the insight they need to understand risk, make data-backed decisions, and reduce negative impacts. It also must enable risk owners to effortlessly share data across the entire organisation, submit risk assessments and more importantly align with globally accepted risk management principles and frameworks including COSO ERM, ISO 31000 and Basel.

Achieve ERM Maturity

To build an ERM reporting system that enhances organisational performance, businesses must first advance the maturity of their ERM programme. While the journey towards maturity takes a lot of planning, the resulting pay-off at the end of the road means benefiting from a powerful ERM framework that not only identifies risks before they impact the business – but also turns that risk into an opportunity.

An organisation’s financial performance is tightly enmeshed with the level of integration and coordination across its risk, control, and compliance functions. This is why many businesses are now actively working on cultivating a strong risk-aware culture throughout the firm. While the ultimate aim is to fuel better performance and gain a competitive advantage, many are also beginning to realise the wide range of benefits created by an enterprise risk management programme, and software is helping them do just that. The business risk landscape is constantly changing, whether because of the unpredictable nature of today’s economy or because of risks stemming from increasing digitisation. When things are going smoothly for an organisation, it is hard to imagine them going wrong, but smart business leaders need to always be prepared to face those dreaded worst-case scenarios.

Weaving ERM into your overall business plan is simply part and parcel of running a successful business! – Beau Murfitt, Chief Strategy Officer, Camms

To bring your ERM programme into the 21st century, speak to the team at Camms about our next-generation enterprise software. Our Gartner- and Forrester-recognised ERM solution can consolidate disparate processes, systems and data sources into a single holistic solution and deliver deep insight into the risk profile, status and performance of every part of the organisation, while enabling integration and cross-functional collaboration between risk management and strategic planning. Reach out to us for a personalised demo today.

Suzanne Degun

Chief Marketing Officer
