Many Enterprise Risk Management Programs Lack Fundamentals



Survey Found Deficiencies in Key Areas: Risk Culture, Risk Management Processes and Technology

John Farrell
Lead Partner for Enterprise Risk Management
KPMG

Many companies fall short in three critical areas of their enterprise risk management (ERM) program – risk culture, risk management processes and technology – which can hinder their effectiveness, according to a survey of internal auditors and board members by KPMG LLP, the audit, tax and advisory firm.

“Given today’s unprecedented and extreme market fluctuations, mismanaging risk could affect a company’s competitive position and even its viability,” said John Farrell, KPMG’s lead partner for Enterprise Risk Management. “Management and Boards need to ensure that fundamental ERM components are in place if they expect their company’s risk management programs to deliver the intended results.”

The survey found deficiencies around risk culture with more than half (58 percent) of respondents reporting that their company’s employees had little or no understanding of how risk exposures should be assessed for likelihood and impact. Since risk culture includes organizational / human behavior, as well as related training and “tone at the top,” it’s noteworthy that one-third (33 percent) of the respondents said that key leaders in their organization had no formal risk management training or guidance, with only 16 percent receiving frequent (at least annual) training.

“When ERM programs miss the ‘behavioral’ piece of the equation, there is no foundation for critical thinking and judgment around decision-making,” said Farrell. “All executives – particularly senior management – must understand the risks facing their organization in order to help define their company’s risk appetite and effectively manage risks.”

Farrell noted that companies must understand how much risk they are willing to accept in pursuit of their strategic objectives. Once risk thresholds are defined across the different risk categories, a company’s “risk appetite” should become part of its formal risk management framework.

In terms of risk process, the internal auditors surveyed by KPMG report that their organizations are doing little to establish one consistent risk management and assessment process across the organization, with one-third (33 percent) reporting they had done nothing to eliminate redundancies in risk assessments. Only 13 percent of the internal auditors surveyed have consolidated their risk assessment processes, and just another 14 percent have either established a single governance or oversight function (a risk committee) or use templates with common assessment questions across the organization.

“Having a single view of risk is critical to making consistent and informed decisions,” noted Farrell. “When risk management is siloed, without one person or team owning the process, no one has visibility to aggregate exposures and accountability for the decisions, and risk interrelationship cannot be easily identified.”

The final area of ERM in which the KPMG survey found serious shortcomings was technology, where only one-quarter (25 percent) of the internal auditors surveyed said their companies currently apply technology to their ERM programs, and another 25 percent said they were considering it.

“Management would benefit from forward-looking reviews of current and emerging risks, and the only way to do that effectively, on a real-time basis, is through technology,” said Farrell. “Today, incorporating technology into ERM is an imperative; manually monitoring risks through spreadsheets is inefficient and potentially inaccurate.”

For executives looking to revamp and strengthen their organization’s ERM program, Farrell suggested the following as starting points:

• Get strategic: Align ERM to the company’s strategic objectives to drive business value, taking into account the needs of all constituencies.
• Rationalize and simplify: Establish a single view of risk, with a common risk language (e.g., risk context and categories, evaluation factors such as likelihood and consequence, treatment options, and monitoring/internal auditing allocation) to be leveraged across the organization.
• Consider “three lines of defense”: Build upon a thorough “vertical” risk management structure with independence and clear accountability.
• Formalize and standardize (with practicality): Create a sustainable risk management process (e.g., risk assessment, risk management and risk reporting).
• Influence behavior through building competencies: Embed risk management competency in the business and operating philosophy.
• Get proactive: Continuously improve the risk management and monitoring process to anticipate evolving market conditions and business objectives (e.g., risk quantification, risk appetite).

“While there is no cookie-cutter approach to ERM, leading companies have successfully incorporated these guiding principles in their risk management programs to drive a consistent understanding of risk management throughout the organization,” said Farrell.

KPMG conducted the surveys at the 2008 National Association of Corporate Directors Conference, and at the 2008 Institute of Internal Auditors International Conference. The approximately 130 respondents included a mix of senior internal audit executives and board members across all industries.

KPMG LLP, the audit, tax and advisory firm, is the U.S. member firm of KPMG International. KPMG International’s member firms have 113,000 professionals, including more than 6,800 partners, in 148 countries.