Leadership in Risk Management

By Harvard Business Review

THE C-SUITE IS taking a stronger role in leading the risk management effort at major primarily European companies, underscoring the higher priority risk has assumed in the wake of several years of financial and economic turmoil. Congruently, companies are underscoring the need for strong board involvement to facilitate decision-making regarding strategic and enterprise-wide risks and to encourage acceptance of a culture of risk management further down in the organization. Companies are struggling, however, to create a wider role for the risk function as a participant in strategic planning and transformational initiatives. And European executives express concern about the robustness of their risk management processes and channels of communication.

Vast changes in how business is done, sparked by the technology revolution and globalization, are meanwhile raising concerns about company and brand risk. These and other challenges are prompting companies to devote more resources to defining their risk appetite and to tracking, measuring, and analyzing risk through such tools as “heat maps,” key risk indicator scorecards, scenario analysis, and loss forecasting. The challenge, however, some executives said, is still to make sure that risk is “owned” at appropriate levels of the organization and that risks are communicated efficiently, such that top management and the board can make timely, fact-based decisions about how to address them.

According to a recent Harvard Business Review Analytic Services survey of European companies, sponsored by Zurich, the Federation of European Risk Management Associations (FERMA), and the Public Risk Management Organisation (PRIMO):

■ C-suite supervision of risk management is intensifying. The survey indicates that, at 35% of organizations, either a CRO or a risk manager has direct responsibility for risk management. At 27%, either the CEO or the CFO/treasurer has direct responsibility, while the board itself is responsible at 14%.

■ The majority of companies have education and review processes in place that keep the board and the C-suite informed about their risk exposures. Key risks are communicated to the C-suite regularly at 70% of organizations.

■ Only 17% of respondents described communication between the C-suite and the CRO as being comprehensive or nearly so. And 40% said their organization has not yet set up a broad-based, cross-functional risk committee—despite the crucial role the risk committee plays in making sure risk data are discussed thoroughly and passed on to the board.

■ Companies aspire to forge closer links between risk management and strategic planning. Roughly half said their risk management process is closely or very closely aligned with their overall strategy and budget.

■ Companies are making less progress at bringing the risk function’s resources to bear on transformative business projects such as mergers, however. Only 20% described the risk function as a tool for making more effective strategic decisions and investments.

■ Companies have been slow to adopt risk-based incentives as part of compensation. Only 12% said they align risk management with executive pay.

■ Brand and reputation risk are also rising concerns, cited by nearly two-thirds of companies as an area requiring top management-level attention.

■ Some executives and other experts single out lack of risk management talent as an important area of risk, particularly when the company is entering a new geographic or product market.

■ Processes to define risk appetite are now in place at nearly half of companies. Systemic risk management tools and analytics that enable them to track and analyze risk, and can then inform risk committee discussions, are in more common use. Read more >