Part 1 | Are Risk Managers at Risk? A 7-step Action Plan To Save Your Company… And Secure Your Job

ERM managers need to improve their organizational stature and perceived value to be effective and take their place as senior decision-makers and advisors.  

As we begin 2024, it is useful to look back at the prior year, see where we have been, what we have accomplished, and most importantly, what we would like to achieve in the year ahead.  Risk Managers, we fear, have an especially tough road ahead.

Research shows that an effective ERM program increases enterprise valuation substantially, perhaps by as much as 20%. [1]

Yet, ERM is not taken seriously or perceived as valuable in most organizations.

According to the 2023 AICPA/NC State Survey on Enterprise Risk Management Practice [2], only 11% of financial institutions surveyed indicated that ERM “Mostly” or “Extensively” provided competitive advantage to their organization.  In contrast, 25% ranked it as only “Somewhat” valuable, and 64% felt the value was “Minimal” or “Not At All”!

Which leads to two simple questions... How do you capture the additional 20% enterprise value for your organization? And, how do you gain relevance and preserve your position when only 1 of 9 senior executives think your function provides them with any competitive advantage?

You do so by seizing the agenda and initiative, selling your organizations on the inherent value of ERM, and using better tools (including AI) to monitor risk and create new insights and value.  

But first, you address your current gaps!‍

AICPA/NC State Survey on Enterprise Risk Management Practice: Background and Findings

For nearly fifteen years, the AICPA and North Carolina State University have sponsored a survey on ERM practices and perceptions.   The survey is detailed and of a high quality.  For those interested in learning more, we encourage you to view the full report at https://erm.ncsu.edu/library/article/2023-risk-oversight-report-erm-ncstate-lp.

The survey reveals major gaps in current ERM processes and management in the following areas:

a)     Overall State of Risk Management Maturity:  End-to-End Risk Management Remains Elusive

• Only 34% of respondents felt that their ERM processes were “end-to-end.”
• 29% of Financial Institutions lacked formal ERM processes or were still in the planning stage.

‍b)     Strategic Value of Risk Management: Few Emerging Insights and Low Impact on Decisions‍

• Only 11% of respondents felt that ERM provided enough competitive advantage.  
• 57% felt that ERM didn’t track emerging strategic, market or industry risks effectively.

‍c)     Impact of Culture on Risk Management: Existing Organizational Beliefs Limit ERM Effectiveness

• 55% of organizations gave little to no ERM training to executives over the past two years.
• 63% felt that risk activities had minimal or no influence on performance compensation.  

‍d)    Risk Identification and Assessment Processes: Uneven, Siloed and Not Holistic

• Only 54% use a consistent ERM form and process, usually only in “traditional” risk areas, such as IT, Legal/Regulatory/Compliance, and Financial.
• Market, Strategic, and Industry risk—along with newer emerging risk such as Reputational and Political Assessments—don’t receive enough focus.
• 72% of risk assessments are typically informal and qualitative rather than numbers-driven, with little integration across the enterprise.  

e)    Risk Monitoring Processes:  More Explanatory and Robust KRIs Needed

•  72% of managers didn’t perceive existing KRIs as robust enough to provide early warning.

What Does it Mean for You and Your Current Role?

Ironically, survey participants largely agreed that the volume and complexity of enterprise risks have continued to increase over the last several years, but more than half felt that the current ERM process was not the most effective way to handle those risks.

This may be a communication or a perception problem, but it’s what people think. You are not a strategic priority, and your current value is low.  Competing priorities frequently take precedence and your function is not perceived as a useful or strategic decision-making tool for the organization.  

AI, Machine Learning, and big data sets all have the potential to change the perception of ERM - for the better or the worse. How you respond will make all the difference. You need to be prepared to seize new opportunities, or you will be left behind.

To begin, you need to lay the groundwork now by tackling the basics!

A 7-Step Action Plan For The Year Ahead

Drawing on these survey findings and our personal experience in creating effective ERM functions both as employees and consultants, we would like to share a 7-step action plan we have used successfully to assist you in the year ahead:

1. Clearly define—and communicate—the vision for ERM and sell it to the Senior Management, the C-Suite, and the Board.

2. Select a Risk Taxonomy and Refine / Update your Risk Appetite Statements

3. Scale Your KPIs and KRIs Properly with Better Frequency and Severity Rankings

4. Develop Appropriate ERM Systems that Emphasize LOB Accountability and Reporting

5. Prioritize and Triage Risks for Intervention Vs. Review

6. Develop Educational Programs Around Risk Frameworks

7. Monitor risk across the enterprise holistically by identifying correlations and potential cascades

Stay tuned as we share future articles that will expand on each of these seven topics to share our experiences and insights, drawing on what worked—and didn’t work—for us as we struggled with similar issues.  

2024 represents a unique opportunity to seize the agenda and improve the current internal ERM perceptions.  Let’s not waste it.

Welcome to 2024!

‍

Sources:

[1] The Value of Enterprise Risk Management, Robert E. Hoyt, and Andre P. Liebenberg, 2011.

[2] 2023 The State of Risk Oversight An Overview of Enterprise Risk Management Practices, 14th Edition

‍

‍Book a Free, 45-min. ERM Strategy Session Now!

If you’re a CRO, CEO, CFO or COO, please fill out the form below with your name, title*, email, Company name, and phone number. We'll give you a call some time between 8:30AM - 5 PM ET, Monday thru Friday to schedule the session.

*Appointments limited to Senior Managers with Risk Management Responsibility only.

Subscribe to receive alerts when new insurance related thought leadership content is published by our ERM subject matter experts:

‍