Most organisations have come a long way in managing financial risks, and it is a rare large company that does not have a C-level executive focusing on the overall approach to risk and compliance. That does not mean that risk and compliance are under control; in fact, there are usually varying levels of effectiveness throughout the organisation. Despite recognising the benefits of an integrated approach, few organisations manage risk and compliance activities consistently and efficiently. One reason is the apparent cost and complexity of an enterprise-wide risk and compliance implementation. In most organisations, risk responsibilities span a wide range of activities, from health and safety and IT security to financial reporting and credit risk exposure. This dispersal of risk responsibilities inevitably leads to a disconnected approach, with different departments setting their own policies and operating their own processes. Integrating these activities to permit an enterprise-wide view can seem like a Herculean task.
Ever-evolving compliance obligations muddy the waters further, particularly for heavily regulated industries, such as financial services, energy and utilities, and pharmaceuticals. As each new set of regulations emerges, a typical response is for the company to create a new initiative to handle it. According to Scott Mitchell, chief executive of the Open Compliance and Ethics Group, a US-based risk and compliance organisation with local communities in 11 countries, it is not uncommon for companies to have between three and 15 different compliance silos.
Amid these challenges, calls from a wide range of internal and external stakeholders for more effective enterprise risk and compliance management are becoming louder. Boards are under pressure to demonstrate effective oversight of risk management, while regulators are increasing their scrutiny of business practices. Rating agencies and investors are also looking more carefully at risk and compliance, and there is a growing consensus that effective management of this area is not just hygiene for business, but a barometer of good management overall.
In December 2010 the Economist Intelligence Unit conducted a worldwide survey of 385 senior executives from finance, risk, compliance and legal functions to assess the current state of risk and compliance management. The survey focused on perception versus reality: how executives view their risk mitigation capabilities versus what they are actually doing. This report presents the highlights of those survey findings, along with related additional insights drawn from interviews with industry experts and commentators. Key findings from this research are as follows.
- Companies may be underestimating the extent of risk and compliance failures in their organisation.
Just over one-third of respondents say that their organisation has suffered from one or more significant risk or compliance failures in the past three years. But this proportion is most likely owing to the fact that most respondents come from the finance function, where awareness of failures is relatively low. Among the four functions surveyed—finance, legal, risk and compliance—respondents from outside finance estimate significantly higher levels of risk and compliance failures. This suggests not only that the finance function is underestimating the level of failures, but that knowledge about risk failures is not being widely disseminated in order to improve practices and tighten policies.
- Risk and compliance management processes may appear to work well—until something goes wrong.
Unsurprisingly, respondents who say that they have experienced failures are far less likely to consider that their risk and compliance are consistent with best practice in their industry. Respondents who have experienced failures are also more likely to admit that they do not have a consistent set of principles and policies governing business practices. In other words, companies may make the assumption that their approach is working well, until a major risk event reveals shortcomings that need to be addressed.
- Companies may not be learning the broader lessons from risk failures.
Almost three-quarters of respondents say that their organisation deals with risk failures by tightening up policies and procedures to reduce the chances of a similar mishap. But not all companies adopt this approach. The majority of risk failures take place at the business unit level, which can lead to a tendency to address issues in isolation. More than one-quarter of respondents say that they fix the problem within the unit, outside the oversight of the wider organisation and of superiors. This suggests that a significant proportion of companies are not doing enough to share risk information and learn the broader lessons from risk failures.
- High-performing companies are more likely to have a consistent risk appetite across the organisation.
The survey reveals that most companies have a broad range of risk tolerances within the organisation. Sales and marketing functions have the greatest tolerance for risk, while finance and legal have the lowest. But what is more striking is the extent to which high-performing companies (those in the top 20% of their industry in terms of revenue growth) tend to be more consistent in their risk tolerance. Among that group, 48% say that their risk tolerance is consistent across functions, while just 29% of those in the lower-performing group (those in the bottom 60% of their industry) offer the same assessment.