Technology, geopolitics and a general increase in the level of complexity in the business world is creating a riskier environment for organisations to navigate. AICPA & CIMA’s Peter Spence outlines the findings of new research into the state of risk oversight in 2023
Risk management is sometimes seen as an exercise in compliance, right up to the moment that a risk event becomes a reality.
By then it will be too late to make up for not devoting the time and resources earlier when they could have made a difference.
Under the straightened economic circumstances that we are experiencing, finance professionals can find themselves focusing all of their attention on managing financial performance issues, limiting the time available to them to devote to risk management.
This is always a mistake, but particularly so now when the number of risks faced by organisations is increasing.
Businesses around the world are having to deal with complex challenges. There are geopolitical uncertainties, such as the continuing fallout from the war in Ukraine along with wider geopolitical tensions.
These are disrupting supply chains and affecting previously globalised trade networks. The digital economy is laden with opportunities for commercial growth, but it opens up new types of risks as well. These include increasingly sophisticated cyber-attacks which cross international jurisdictions and pose threats to reputation and privacy.
On top of these are the more ‘traditional’ economic threats businesses always face; inflation, recession, competition and adverse legislative changes which impact on the business model.
We know from new research conducted by AICPA & CIMA that this complex risk environment has made strengthening organisational resilience a priority among many leaders.
The research found that perceptions of increasing levels of risk are now reaching some of the highest levels observed in the past 14 years of our survey, rivalling the levels we found in the aftermath of the 2008 financial crisis. This is a fair reflection of the world we live in, especially given the events of the past few years, from the pandemic to the inflation spike.
As a result, there is now stakeholder pressure on organisations to improve their risk oversight, and to be better prepared when unexpected risk events emerge.
A key finding of our research is that existing enterprise-wide risk management processes may not be keeping pace with these new and fast changing realities. There is a heavy emphasis on risks related to technology, compliance, and financial issues.
At the moment, Enterprise Risk Management (ERM) processes are not as focused on emerging strategic, market or reputational risks.
One of the most striking findings of the research was that fewer than half of respondents described their organisations’ approach to risk management as “mature” or “robust”.
This was despite over two thirds of them perceiving that the volume and complexity of risks has increased noticeably. There is also a growing trend for organisations to maintain enterprise-level risk inventories compared to ten years ago.
The key to building a robust ERM system in an increasingly complex risk environment is engaging in dialogue about the top enterprise-level risks, and reaching consensus about those most critical to the organisation.
ERM is not a stand-alone ‘product’. To really add value to an organisation it needs to be an input into the strategic planning processes.
A concerning finding of our research was that less than half of the organisations we surveyed formally consider existing risk exposures when evaluating new possible strategic opportunities, and less than a quarter have their boards of directors formally discuss risk exposures when they discuss the strategic plan.
This could indicate that risk management processes are currently too focused on the operational level, or seen as a compliance task. Aside from anything else, remember that treating risk management as a compliance duty will bias your analysis towards known risks as opposed to considering emerging ones.
The time to think about managing risks is before they occur, not while you are trying to mitigate them. Senior management should have response plans prepared for the risks they have identified, with responsibilities clearly identified within them.
A robust enterprise-wide risk management process cannot be expected to prevent all the problems that might emerge.
However, senior executives who invest time and resources in robust risk management discussions and dialogue find that they are in a better position to deal with a significant risk event should one emerge.
To take part in the CFO’s latest research regarding ERM, please click here.
