Tony Cherry summarises the findings of the...
Tony Cherry summarises the findings of the idRisk/Risk Counsel/StrategicRISK joint survey of risk managers
How are risk managers and the companies for whom they work responding to the challenges which they face at present? Is there a move towards a risk management model incorporating a chief risk officer at board level, or just below? Our survey, conducted at the AIRMIC annual conference in June, looked at these and other issues.
Identifying the challenges
Respondents were invited to pick as many as they liked from a list of five main challenges facing businesses. Economic conditions, corporate governance, regulatory matters and internal risk control and culture received equal prominence.
The hard insurance market was identified as a major challenge twice as often as other issues, probably reflecting the relative importance of insurable, as against business, risk for the members of the sample group. This response also suggests a need for further training for risk managers from an insurance background, to raise awareness of skills in relation to business risk.
Economic conditions
A third of respondents said their companies had postponed or cancelled development or acquisition plans because of financial constraints, and more than half confirmed that activities had been terminated, outsourced or divested. As many as a fifth said they did not know about postponements and cancellations.
We went on to ask whether the risks of not doing something (in the case of M&A and development activity) or stopping doing something (in the case of outsourcing) had been fully assessed. This is important, because it brings out the positive aspects of business risk.
In each case, about two thirds of those reporting abandoned or reduced activity claimed that the risks had been fully assessed. However, included among them are those who made conditional assertions, (for example 'I'm sure they must have been'), and it seems possible there was an aspirational element in responses to this section of questions.
Corporate governance
Virtually all respondents said that their board was well advised on risk. But subsequent responses in relation to internal risk controls and culture suggest that this was in some cases a charitable view.
Half of those interviewed indicated that their non-executive directors had access to independent advice on risk. The nature of that independent advice was not formally challenged in the survey. However, one or two more detailed responses, for example a statement that the independent advice came from auditors, suggest that, while the advice may be independent of the company, it is not always independent of the advice given to the executives.
While 93% considered reputation risk to be equally or more important than operational or hazard risks, only 69% thought it was equally or better managed, suggesting that in a significant number of cases, the management of reputation risk has yet to catch up with its identification.
Over half of all respondents reported that protection for whistle-blowers was either in place or in the process of implementation, which suggests that some organisations are taking this step independently of any requirement to do so.
Regulatory
We asked about the Enterprise Act, on the basis that competition regulation can theoretically impact on any business, whereas many regulatory regimes are industry specific. Fewer than half of the respondents were able to say for certain that their board had been advised on the issue, and only two risk managers knew what the advice was.
For most, it appeared that this area remained the preserve of general counsel - and the lack of information available to this sample of risk managers suggests that the communication mechanisms in relation to internal controls and culture may not be quite as effective as reported.
Insurance market
Not surprisingly risk managers displayed a high degree of confidence when answering questions in this area. Two thirds reported a reduction or cessation in one or more classes of insurance cover. Virtually everyone reporting such a reduction stated that the ability of the company to sustain uninsured losses had been fully assessed.
Eighty per cent said that their status and influence had been increased by the hard insurance market, but many added that they felt this could be transitory. There was a widespread view that this was a key period in which to take steps towards a broader involvement in risk, to secure this increase in status for the long term.
Internal risk control structures and culture
Very few of the companies represented in this sample have recruited or plan to recruit a chief risk officer. Half of the respondents believed that a system based on integrating the diverse strands of risk management responsibility within their companies is the right long term solution.
Many risk managers pointed to the danger of damaging a culture where everyone is responsible for risk, by nominating an individual. There appeared, however, to be some confusion between risk at an operational level, where the principle of universal responsibility is crucial, and at a strategic level, where accountability for advising the board is essential.
Despite the apparent level of confidence in solutions dependent on risk committees, often reporting to the finance director, 60% identified cultural and structural problems with this approach.
When these results are considered together with the lack of information about regulatory and business risk revealed elsewhere in the survey, there is room to question whether the approach of integrating traditional owners of aspects of risk, such as the risk manager, internal audit and general counsel, through a committee structure can in fact deliver effective risk advice to the board.
The challenge for individuals
Having looked at the aspects of risk management from the point of view of the corporation, we asked the respondents to reflect on which of the five major influences identified would have the biggest impact on them personally.
The answers did not fit easily into the categories provided, but half of all respondents felt that there were issues of internal structure and culture which had to be addressed if they were to achieve the full potential of their future role.
Conclusions
It is obvious that the status and role of risk managers have changed under the influence of increased corporate governance demands and the hard insurance market. However, it is equally clear that risk is still treated in isolation, and that cultural problems remain, contributed to by imperfect transfer of knowledge about risk within corporations.
This means that directors typically continue to face significant problems in understanding and measuring the risks in their business as a whole, while many risk managers have not yet acquired the broader exposure to non-insurable risks which would enable them to meet that demand.
It is apparent that risk needs to be championed at board level to secure a positive and joined up approach. While there have been some moves in this direction there must be room for doubt as to whether the necessary degree of change can be achieved without more effective structures and systems of identification and control.
Tony Cherry is head of Risk Counsel, Beachcroft Wansbroughs, Tel: 0117 918 2181, E-mail: acherry@bwlaw.co.uk
Basis of survey
The survey was carried out over the two and a half days of the AIRMIC conference in Manchester on 16-18 June. The questionnaire was designed with the assistance of John White of idRisk and Tony Cherry of Risk Counsel, who, with StrategicRISK staff took respondents through the questions.
Response
Twenty nine risk managers completed the questionnaire. There was a reasonable spread across business sectors. Sample size and spread means that any statistical conclusions should be treated with caution.
The subjective responses provide useful insights into the present state of corporate risk management strategies. However, it is important to take account of the environment in which the survey was carried out, which may have discouraged overtly critical comments.
Risk Managers Comment
"My role, which is insurance based, will need to broaden to include business and strategic risk"
"Risk assessment and control are integrated within the business via business planning. However, they do not currently form part of the performance measurement system for individuals. Without this, risk management will never be truly integrated"
"The state of the insurance market and the degree of corporate responsibility passed on to directors will have the biggest impact on my future role"
"I don't believe systems and processes are a solution. It's culture - not separate structures!"
"Economic challenges are high on the agenda"
"We have a high level of risk awareness but often the control/action element is not as 'formal' as it might be"