The recent recession has proven that economic cycles, and the dangers attendant on them, are very much alive. Financial difficulties, however, are just one of the risks that companies have to address. Indeed, acting in the face of uncertainty to maximise potential benefits and minimise dangers—a broad definition of risk management—is the core of doing business. An earlier study in this series[1] revealed a high degree of complacency among British and Irish companies about the need to change their business models in the wake of the downturn. This study, based on a survey of over 450 senior executives as well as in-depth interviews with practitioners, suggests that the complacency extends to corporate approaches to risk management. As the pain caused by the recession eases, there is a danger that so too will be the pressure on companies to re-think their risk management practices.
Following are the key findings of the research:
Risk management practices prepared companies poorly for the downturn. British and Irish companies saw widespread failure of their risk systems to help them foresee or address the recession. Nearly half of surveyed executives report that their reviews of strategic risks prior to the crisis did not adequately capture its extent, and only 30% think that their risk management processes helped to minimise its impact. How companies engage in risk management should shoulder part of the blame. Professor Michael Power of the London School of Economics notes that often it “is essentially compliance-based.... This has let us down because it creates an illusion of things being under control.”
Today's heightened attention to risk management is probably temporary. Sixty-eight percent of executives say their companies have changed how they value risk because of the downturn, and 71% say they review it more often. Management interest in risk typically increases after a large shock but usually lessens as conditions improve. As might therefore be expected, the focus today is more on the financial dangers just suffered rather than on addressing risk more broadly. Business leaders, for example, see financial risk as the biggest danger they face, even though Economist Intelligence Unit risk data suggests that macroeconomic weaknesses in both economies pose a greater danger.
Companies' risk appetite will change little in the near term as worries about the economy persist. In each type of business model risk covered in the survey, the most common sentiment among respondents is that their company’s level of risk aversion will remain the same over the next 18 months. These findings are in line with expectations that economic growth will be anaemic at best for some time to come. Warns one COO interviewed for the study: “There will not be a big change [in risk perceptions] until people have a better view of what is going on…. If the economy improves, we will forget quickly.”
Current risk management systems are failing to provide what companies need in many areas. The survey paints a disappointing picture about the effectiveness of risk management in general: processes have created a common awareness of risk from top to bottom at just 37% of companies, and they add value to the business at only 34% of all firms surveyed. Interviewees say that to improve these figures, risk management must go beyond the mechanistic calculation of risk based on specific metrics in order to produce compliance with regulation or best practice. Rather, risk managers should consider using scenario building, stress testing or other techniques which incorporate a diverse range of relevant information—not merely hard data—about the surrounding risk environment. The risk function will then be in better shape to help companies with the variety of strategic issues they face.
[1] Retrench or Refresh? Do existing business models still deliver the goods?, March 2010.