Risk management needs to be fully integrated into every aspect of company decision-making, overseen by an executive who reports to the CEO
In looking at the meltdown of the global economy, it's clear that poorly planned and executed risk management was a major contributor. And while the spotlight has focused largely on the risk failures of big financial organizations, large corporations in every industry have their work cut out for them with regard to risk management.
Traditionally, risk management has been reactive, planned, and largely process-driven, with the focus on financial scenarios and compliance requirements rather than risk's impact on corporate strategic objectives. Risk has not been integrated effectively or efficiently into corporate decision-making.
This is borne out by Accenture's 2009 Global Risk Management Study, which surveyed the risk-management attitudes of 250 of the world's largest companies. In our study, fewer than half the respondents said that at his or her company's risk management is deeply involved in strategic planning and investment and divestment decisions. And only a quarter said risk management has a real stake in setting objectives and managing performance.
This is a major problem that must be addressed with haste.
Effective risk management must be based on proactive, continuous assessment of all potential risks to a company. The operational, financial, strategic, and hazard-related risks of decisions—whether in introducing a product in a new market or shutting down a manufacturing plant—must be examined through these prisms. Since all corporate decisions carry potential risk, it is vital that a company assess risk both internally and externally.
At its most effective, risk management plays an integral role in the governance process, and the head of risk management is a trusted and empowered member of the executive team, whether he or she is the chief risk officer, the general counsel, CFO, or treasurer. While the CEO is the chief risk decision maker in any organization, the person with ultimate responsibility for risk management should report either directly to the CEO or no more than one level down.
Make risk management part of performance management
To achieve the kind of change that is needed, a major cultural shift is required. Risk management must be elevated in importance, a risk-based decision-making culture must be supported, and the relationship between risk management and performance management must be recalibrated. Executive management should ensure that risk management is at the forefront of decision-making and that it is consistently applied across the organization. Any weak links in a company's risk-management capabilities (people, processes, technology, analytics, organizational structure, policies, and communications) must be identified and addressed.
What should risk management look like in the wake of the financial crisis? A solid risk-management program should have four major goals:
Achieve the right balance between performance and risk.
Treat risk as a competitive differentiator to better manage the business, deliver sustainable shareholder returns, and help sustain profitability, ratings, and reputation.
Integrate risk-management practices and procedures throughout the enterprise to ensure that growth targets are achieved while downside risks are avoided.
Instill a culture of risk consciousness that respects and measures the importance of managing risks against reward.
Although the crisis in the financial-services industry ignited the global economic meltdown, all business sectors eventually became engulfed in it. The financial crisis simply magnified a silo-focused and reactive risk-management problem that has operated for years. Since large companies today are part of a dense web of global networks that make them particularly vulnerable to breakdowns in risk management, it's even more urgent to fix these problems.
a proactive and dynamic program
To understand the consequences of risk for their own supply chain, customer relationships, financing, and human capital, management must be diligent about monitoring external events that could have a negative impact on their company. They must also strive to improve the quality of information and data they use in assessing risk and create a dynamic risk-management program that has the flexibility to deal with a very fluid economy. An integrated and anticipatory risk-management capability supported by the right technology isn't just a protective tool—it can be a competitive advantage.
The good news is that the executives who participated in Accenture's survey were nearly unanimous in their belief that current risk-management practices need to be overhauled to correct deficiencies and capitalize on emerging opportunities. Most said their companies are responding by increasing their investment in risk-management capabilities and that they expect the changes to deliver positive financial results.
It's my belief that the swift decline in sales and revenues that many companies have experienced shocked them into action. Hopefully, that means they are focusing greater attention on risk than they have in the recent past. Just because we've experienced the greatest jolt to the economy since the Great Depression does not mean it can't happen again. While risk is only one of many critical issues management must get right, it's certainly one that needs to be addressed.