Head in the sand
Too often seen as the esoteric domain of the risk manager or internal auditor, risk management is increasingly relevant to strategic and operational decision-making in businesses throughout the UK
Too often seen as the esoteric domain of the risk manager or internal auditor, risk management is increasingly relevant to strategic and operational decision-making in businesses throughout the UK
In an environment of stringent regulation and evolving business risks, there
is a real need for organisations to identify and manage their risks as well as
their opportunities.
However, as our research shows, the corporate world still has a lot of work
to do in terms of adopting and adhering to the principles of risk management. We
interviewed senior executives from 90 large corporates and found that only 11%
believed their employers had fully defined their risk frameworks, while only 6%
felt their frameworks were fully effective. Despite the compelling case for
adoption of a risk management strategy, many organisations have been slow to
implement one, are too heavily reliant on individuals, and, most importantly,
lack the full backing of the board.
Sentiment on the effectiveness and value of a strategy was positive, but
levels of take-up and implementation have been alarmingly low: only 11% of
executives interviewed describe their risk policies, processes and standards as
fully defined and implemented.
And despite the recognised need for fully effective risk management, any
strategy has failed to seep into the culture of many organisations; 24% of
respondents felt that they had a well-established process, but that it was
reliant on individuals.
Unfortunately, the sticking point for companies has been board-level buy-in.
Boards are surprisingly reluctant to appoint a chief risk officer and even more
reluctant to make this a board-level position.
Culture change must come from the top of an organisation and trickle down and
if those responsible for risk management do not see the full support of their
board, it will be impossible to align the corporate culture to risk awareness.
While formal risk management is still a long way off in many UK-based
organisations, the desire to build them is there.
Clearly the value that a properly embedded framework brings is recognised by
those whose responsibility touches on risk management. The challenge, therefore,
is to convince all parties at all levels. Without this, organisations are in
danger of leaving themselves open to significant risks now and in the future.
Sukhdev Bal is a director of internal audit consulting practice
Protiviti