Global Risk Oversight

This report aims to help organisations to benchmark their relative risk oversight maturity and to highlight opportunities to enhance the strategic value of their risk oversight efforts.

The report, available for download below, summarises insights from 586 executives in organisations across the world. It provides insights on the current state of enterprise-wide risk oversight, including identified similarities and differences in four global regions:
Europe & the UK
Africa & the Middle East
Asia & Australasia
United States (US)

Key findings include:

1. Organisations all around the world perceive an increasingly complex risk environment.
Views about the volume and complexities of risks are generally similar in all four regions.
The exceptions are those organisations in Africa & the Middle East that perceive risk complexities to be even higher than their peers do.
Close to a majority or more of organisations outside the US have experienced a significant operational “surprise” during the past five years. Only 32% of US organisations have experienced similar levels of surprise.
2. Risk management practices appear to be relatively immature across the globe.
Around 30% or less of organisations indicate they have “complete” enterprise risk management (ERM) processes in place. The lowest percentages of organisations to do so are in Europe & the UK (21%) followed by Africa & the Middle East (24%).
Only about a quarter of respondents in all regions of the world describe their organisation’s risk maturity as “mature” or “robust”.
3. Most organisations struggle to integrate their risk management processes with strategic planning.
Fewer than 20% of organisations in Europe & the UK or in the US believe their risk
management processes are providing a unique competitive advantage.
Despite the fact that most strategies may be impacted by a number of risks, only about 50% of respondents around the world indicate that they “mostly” or “extensively” consider risk exposures when evaluating new strategic initiatives.
4. There appears to be a lack of detailed risk oversight infrastructure in most organisations.
Under one-third of organisations in all regions of the world maintain or update risk
inventories/registers. About one-half of organisations in Asia & Australasia and in Africa & the Middle East have formal risk management policy statements. This compares with only about one-third of organisations in Europe & the UK and in the US.
5. Internal management-level risk committees are more common than chief risk officers.
Around 30-40% of organisations have appointed a chief risk officer, whereas more than 50% of organisations (other than those in Europe & the UK) have management-level risk committees.
Most organisations (around 80%) have not conducted any formal risk-management training for executives.
6. The board of directors is placing pressure on management to strengthen risk oversight.
In the US, the greatest pressure for the increased involvement of senior executives in risk
oversight is coming from the audit committee. This contrasts with the other regions of the world, where the greatest pressure is coming from the board of directors or the CEO.
Boards of US organisations are more likely to delegate risk oversight to the audit committee, whereas boards for organisations in other parts of the world are more likely to delegate it to a board risk committee.
7. There are real barriers within organisations that are impeding progress in maturing risk management processes.
Outside the US, the most notable barrier is a perception that the organisation does not have sufficient resources to invest in ERM. The biggest barrier for US organisations, meanwhile, is the perception that there are more pressing competing priorities.

Calls To Action

The findings give rise to a number of calls to action:
1. The increasing complexities in today’s business environment mean risk management is unlikely to get easier. Senior executives and boards of directors benefit from honest and regular assessments of the effectiveness of the current approach to risk oversight in the light of the rapidly changing risk environment.
2. Given the fundamental relationship between “risks” and “returns”, most business-unit leaders understand that taking risks is necessary to generate higher returns. The challenge for management is to genuinely consider whether the process used to understand and evaluate risks associated with the organisation’s strategies actually delivers any unique capabilities to manage and execute their strategies.
3. Given the intricacies of managing risks across complex business enterprises, organisations may need to strengthen the leadership of their risk management function. Appointing a risk champion (for example, a chief risk officer) or creating a management-level risk committee may help to ensure that all risk management processes are appropriately designed and implemented.
4. Most organisations have tremendous amounts of data that might provide insights about emerging risks. Most of these, however, have not analysed that data with a risk perspective in mind. They may need to add key risk indicators (KRIs) to management’s dashboard systems and reports.
The remainder of this report provides a number of detailed insights into the state of enterprise risk management practices in organisations around the world. It ends with questions that boards of directors and senior executives may wish to consider as they seek
to strengthen their understanding of the risks that are most critical to achieving their strategic objectives. We also provide suggestions for further reading and links to
additional tools and resources.
Those organisations that embrace the reality that risk and return are related are likely to increase their investment in enterprise risk oversight. This will strengthen their resilience and agility when navigating the increasingly complex risk landscape that is on the
horizon. Organisations must enhance their enterprise risk oversight on a number of fronts, building robust processes, competencies and capabilities as well as making effective use of data to inform their efforts. Those organisations that successfully adopt such an
integrated approach are in a good position to transform risk management into a source of competitive advantage.