An AICPA survey finds that senior executives are still skeptical of the value an ERM program can provide, and that their skepticism is preventing the integration of risk management into strategic decision making.
That's according to a survey of over 1,000 CFOs, which found that only 25% had a formalized ERM process in place. Other takeaways include:
- Few organizations have adopted any guidelines or scales by which to assess risk likelihood and impact.
- While the CFOs recognize an increase in the complexity of the risk landscape, the majority provide no formal training for employees.
- There is a disconnect between "the recognition of risk and the decision to invest in more structured oversight."
For risk management to move past the infancy stage at these organizations (where it often provides the least value), what's missing from these ERM programs, and what should risk managers do to stem the tide of doubt from senior management?
A Change in Mindset
The survey finds that, for the third year in a row, regulatory risk ranked #1 on the minds of senior executives. Unfortunately, if these executives applied that same line of thinking to their personal lives, they would rank law enforcement as the largest risk!
Why don't individuals rank law enforcement as a critical risk? Because we have the power to adjust our behavior accordingly. The largest risk to these companies isn't that regulators might shut them down or increase examination scrutiny; the largest risk is that these organizations won't have the ability to adjust their behavior to compensate appropriately. Regulatory enforcement is the outcome, what can go wrong. It's actually not a risk at all.
Risk is more Ambitious
The root-cause approach outlined above is challenging for risk managers, so you can only imagine the challenges involved in presenting that approach to the board or senior leadership. Here's another way to frame the role: risk management's job is not to replace compliance, but to fill the gap between compliance and best practice.
Sony, Home Depot, Target, etc. did not violate any regulations, nor would a regulator have identified their deficiencies. Their best shot was risk management.
While risk must be assessed from a regulatory perspective, your evaluation criteria should also include non-regulatory lenses, such as the risk's impact on your operations, finances, strategic goals, etc. Considering only the regulatory angle is limiting, and potentially creates a gap.
Goals for Risk Management
A risk manager’s goal going forward should be to address their executives’ fear of increased regulatory scrutiny by framing their risk management programs around these concerns. This requires both a root-cause approach, and evaluation criteria that bridge the gap between regulations and best practice.