Fewer Companies Realize Strategic Benefit from Risk Management Activities

Every spring, NC State’s ERM Initiative in partnership with the AICPA releases their State of Risk Oversight report. Data for the report was obtained through a survey sent to senior executives across a variety of industries this past fall. For this year’s report, 563 surveys were completed, which is a significant increase over prior years.

While questions in the report do vary slightly from one year to the next, there are recurring themes or pillars.

One of these pillars – the connection between risk management and strategic planning – is one I’ve discussed in one way or another each year since the inception of my blog.

My first post on this topic in April 2017 explains:

Only 20% of the 432 respondents feel that the organization’s risk management process is a ‘proprietary strategic tool that provides a unique competitive advantage.’ Only 20%!

This was both surprising and disappointing at the same time…

If one of the core purposes of “ERM” is to identify and threats and opportunities to achieving strategic objectives, then how can only 1 in 5 firms feel their process delivers this benefit?

Well, I’m sad to report that it’s only gotten worse, declining 1% each year since my first foray into this topic. In 2020, only 17% of respondents either mostly or extensively believe their “…organization’s risk management process is a proprietary strategic tool that provides a unique competitive advantage.”

Ten years ago, only 11% of companies responding to the survey reported their firms as having complete ERM processes in place. While this number has remained flat in the last couple of years, it now stands at 30%.

So with more companies adopting ERM, it stands to reason that more would realize a strategic benefit from these activities, but that doesn’t seem to be the case.

This naturally leads to the question…

Why are fewer companies realizing a strategic benefit from ERM?

If you’ve been visiting my blog for any length of time, you should notice that posts from before last year mainly focused on ERM processes like risk assessment, risk appetite, risk ownership and more.

However, in the last year or so, my focus has pivoted to include more on embedding risk into decision-making and the daily operations of the organization.

And therein lies the answer to the question above – as long as “ERM” is considered a separate activity from managing the company, executives will continue to see little strategic benefit.

(This coincidentally is one of the main reasons for the rebranding of my consulting services to Strategic Decision Solutions.)

Many of the organizations responding to the survey are financial firms who are required to report their biggest risks to regulators. Their processes for identifying and assessing these risks can be long and drawn out. Therefore, executives view ERM as just another compliance exercise that provides no real value for helping the organization succeed.

As I’ve learned over the course of my career, robust enterprise risk management is about more than holding tight to a certain standard or process.  It’s not just about minimizing harm and producing a list of risks, but maximizing success, ensuring risk-informed decision-making and better agility in these fast-changing, uncertain times.

ERM practitioners need to stop thinking like “risk people” and start thinking like management. How can management’s practices be improved to include risk into their daily conversations and decisions? What about the governance of the organization?

The organization shouldn’t need another person at the table providing the risk perspective – this risk perspective should be provided by each manager at the table already.

Although the principal ERM standards are starting to reflect this, it’s clear from this year’s report that things have a long way to go.

What other reasons might there be to explain the continued decline in company’s realizing a strategic benefit to ERM?

I’m always on the lookout for additional perspectives to questions like this, so don’t be shy. Feel free to leave a comment below or join the conversation on LinkedIn.

And if your company is struggling to realize any strategic benefit to its ERM activities and would like an outside perspective to help get things unstuck, reach out to me to discuss your specific situation today!

Featured image courtesy of Sean Pollock via Unsplash.com

, , , , ,

Related Posts

6 Comments. Leave new

  • Ian Abrahams
    May 21, 2020 6:15 pm

    Hi Carol, I agree with the broad thrust of many of your blogs. Well done to come out and be a champion for change and better practices.
    In may view the difficulties start with a lack of knowledge in how to implement risk management. From this the risk standards (ISO 31000, COSO, etc.) are worth less than 10% of what it takes to document the framework that is capable of being implemented. No one has seen a proper, scientific roadmap with maturity pathway. No one shows that they know how to aggregate operational risks (as distinct from market and credit risk), risk appetite is still poorly done though the concept is understood. In my line of work we have solved the problems.

    • Hi Ian – thank you so much for your feedback and compliment. You are certainly correct about a lack of knowledge. In my early days as an ERM manager, I spent a lot of time trying to figure out where to start. The thing that people need to keep in mind is that ERM is going to work differently for every organization. While there will always be overlap, no single approach is going to work across the board, making it difficult (if not impossible) to develop a scientific roadmap to maturity. Every organization is different – in its needs, culture, financial resources. This is why so many companies are disappointed with the results they get from working with the big 4 consulting firms.

  • Hans Læssøe
    May 22, 2020 1:00 am

    This is as strange as it is disappointing. The most immediate questions to me is: “OK, CEO, you do not see a real/strategic value from your efforts on risk management and this has not improved over these past three years. What do you do about that?.”
    – What do you want to achieve, what is your end-game scenario?
    – How do you expect to get there?
    The latter may be answered in collaboration with your risk manager, and if he/she is adequately astute. If not, train or replace.

    By the end of the day, there is no way you can/will continue to pay for having a function you do not perceive add value.

    • Very disappointing indeed, but not entirely surprising in my opinion, especially if a majority of respondents are in the U.S. Like you and others say, if ERM/risk managers’ only focus on satisfying regulators and avoiding losses., advances in AI and other technology will render them obsolete. I’m sure many execs are okay with a “set it and forget it” approach if they can get away with it from a regulatory perspective.

  • Greg Suddards
    May 25, 2020 6:09 am

    I am having difficulty trying to imagine a strategic planning session in which strategy is set without consideration of risks. It means that strategy is limited to agreeing sales targets for existing markets and perhaps expressing a desire to examine the potential of new markets. No thought is being given to failures of supply chains, consequences of economic disruption, the effect of foreign exchange market volatility, potential disasters such as turbulent weather or seismological events, labour market disruptions and availability, inventory life-spans, politico-legal constraints, plant breakdowns, oh and what about that virus that everyone has been talking about.

    • I understand and agree, Greg. However, you’d be amazed at how many organizations simply come up with a goal without any serious consideration as to its feasibility, risks, and so on. One organization I’ve worked with had zero strategic plan at all…they would simply have an idea and run with it. What happens in my experience is nothing gets done at all, which of course puts the organization at even greater risk.


Leave a Reply

Your email address will not be published. Required fields are marked *

Fill out this field
Fill out this field
Please enter a valid email address.