The FINANCIAL — Ninety-seven percent of organizations have made progress in linking their risk management and business objectives, however, a staggering 85% haven’t created closer links, according to EY’s global governance, risk and compliance (GRC) survey 2015 “There’s no reward without risk”.
The survey of governance, risk and compliance management (GRC), which is based on the responses from 1,196 C-suite leaders, board audit committees, and assurance and compliance executives across all major industries in 63 countries also cited that 66% of organizations risk management has limited involvement in business decision-making today. Eighty-eight percent of respondents indicate that their Board or their Board committee provides oversight of the organizations risk management activities. However, their Board’s ability to provide oversight could be enhanced by more frequent evaluations of the organizations risk profile. Seventy-seven percent of the respondents only evaluate their organizations risk profile on an annual basis, limiting their ability to adjust their business strategy based on changes to their risk landscape.
The global survey finds that organizations are making progress in improving the way they manage risk in response to changing landscape. However, organizations also indicated that there is still further room for improvement and opportunities to be seized.
Paul van Kessel, EY’s Global Risk Leader, says:
“Organizations today are challenged with managing a rapidly changing risk landscape, as a result of market volatility, geopolitical crisis, wide-spread economic changes, regulatory reforms and cyber threats. While this creates many challenges for organizations, it is important to think, manage and respond to risk differently: find where there’s opportunity in risk and protect against the risk you would like to avoid. With the knowledge that risks are a never-ending challenge and new risks will be encountered every day, a stepped approach to risk management is required in order to build a risk-aware organization.”
Linking risk strategy and business performance
Organizations are able to clearly identify the key risks to “own” that not only result in negative consequences, but also those that generate value, enabling a direct linkage between risk and business performance. Eighty-five percent of the respondents indicated opportunity exists to further improve the linkage between risk and business performance and 90% of respondents indicated their company’s risk profile slightly or significantly influences their capital allocations.
Effective operating model for better risk control
Respondents clearly recognized the value of a well-coordinated operating model; 67% expected activities to be well-coordinated within three years. However, only 56% of respondents’ organizations have created a chief risk officer position to provide oversight over risk management activities.
Leveraging technology and frequent risk communication to efficiently manage risk
Organizations must view technology as a way to more efficiently and effectively execute, as well as sustain, their response to risk. The survey found that 46% of the respondent organizations still do not utilize GRC technology. Leading organizations prepare scorecards, dashboards and other forms of reporting for their Board and executive management, enabling management to adapt the organization’s business strategy as appropriate. However, 78% of the survey respondents only prepare management dashboards annually or quarterly indicating further opportunity exists to provide decision-makers with vital risk insights more regularly.
Matt Polak, EY’s Global Risk Transformation Leader, says:
“Clearly, organizations are making progress in understanding the myriad of risks they face, but there is still a lot of work to be done to make risk a more integral part of strategic discussions. Better identification of risks, clearer risk ownership processes, more structured and frequent risk communications to decision-makers and better use of technology are all essential to bridge the gap between understanding and execution.”