After years of being branded as company naysayers, risk managers are rising in rank and esteem. More chief risk officers and risk managers are now reporting to the board level, according to Accenture’s 2013 Global Risk Management Study, which queried leaders of 446 organizations around the world.
The report, “Risk Management for an Era of Greater Uncertainty,” found that the number of surveyed organizations with a functional CRO-level risk professional has risen from 78% in 2011 to 96% in 2013. Risk management is also becoming more integrated throughout organizations, particularly with companies’ investment and decision-making processes.
Steve Culp, global managing director for London-based Accenture Risk Management, discussed some of the survey’s findings and his observations about the state of risk management in the global market.
RM: What are the survey’s key findings?
Steve Culp: We continue to see the rise of the CRO. More importantly, we can see that this role at senior levels has progressed to have a voice at the table. That’s an important takeaway. Unless it’s top of the house, it’s difficult to drive a risk agenda.
By “voice,” I mean that, in a time of austerity in many geographies and difficult profitability in many industries, the risk agenda continues to get funding and continues to be a priority in hiring.
We also point out the level of integration of day-to-day business functions—budget and planning and strategic investments. That is a very important measure because, if risk is acting in concert with the other important business processes, it shows that the organizations are getting it.
RM: What’s driving this new acceptance of risk management?
Culp: We increasingly see alignment between the innovation and growth agenda and the risk agenda. In challenging times, organizations have to grow and survive—they have people to pay and businesses to serve. Businesses will also have to innovate more, or out-execute their competitors.
If you try to innovate and execute without really understanding the potential risks around your suppliers—regulatory exposure in new countries, online digital channels, potential malware and online customers that you may not be able to vet—all of these things are risks to your business. Unless risk [management] is there to help understand, mitigate and protect the businesses, you may have short-term revenue growth, but they will end up in the same place or have a failure with considerable costs associated.
RM: How much risk management recognition is driven by regulation?
Culp: In the Western world, risk regulation has accelerated and changed risk intelligence. In financial services, it’s very clear that the risk agenda at the board level and C-suite level has been raised substantially because of regulation. Internationally, regulation is also an issue. Global operating models are probably one of the biggest drivers of the risk agenda and regulation is a subset of that. The model of operating solely in one geography, including customers and suppliers, is increasingly rare. So as you vary products and customers and migrate supply chains globally, dimensions become increasingly complex, contributing to the demand for risk management.
RM: What can risk managers do differently to be more effective?
Culp: The report gives four actions companies can take to reach their long-term risk capabilities.
First, treat risk as a people game. Research points out that, in an environment where regulatory is consuming a lot of talent, you have to be focused on how you prioritize people and how you are going to continue to hire, build new skills and maintain talent. We see a lot of attention from the HR function and a lot of attention on broadening the net of how risk brings people in from finance or the business lines to play a more active risk role.
Second, new risks are relentless. Unfortunately, there was a time when risk management was referred to as the department that says “no.” We see now that leaders are engaging risk from the beginning. They are using risk to help identify and put in place the mitigation plans, to ultimately arrive at the end point in a safe manner.
Like with injuries of the brain or the spinal column, there is a “golden hour”: What you do in the first hour has an incredibly high impact on the success of the recovery. The same is true of organizations with highly prepared risk management capabilities. Disaster recovery needs to be part and parcel to the critical parts of the organization.
Next, it is also critical to manage compliance through a transformational lens. Companies now have different ways of reporting. We see a number of organizations looking at the continual evolvement of regulation, the primary division of strengths of their businesses, and how to rework their operating model so it will fit with a more rigid level of regulation in the future.
Boards may need to make new decisions about things such as having a smaller investment bank footprint and a larger web financial footprint. These are different conversations than those between compliance and regulation and business leaders two or three years ago.
Finally, it’s important to focus on insight, not just data and analytics. I try to apply three tests: whether or not you understand the question you are trying to solve, whether the data actually exists and is trustworthy, and whether or not the decision-makers in your business can actually use it in a timely manner.
RM: What’s next for risk managers?
Culp: In the industry we talk about permanent volatility—the pace of change continues to increase. Whatever analytics you may be driving today, the questions will likely be different in three to six months with regard to where you’re focusing those analytics capabilities. Continuing to evolve the questions and the focus to the external markets is as important as anything else. Wasting time and energy on studying old problems takes away from the opportunity to study tomorrow’s problems.