Almost daily, U.S. business journals have chronicled the failure of major corporations to discover, evaluate, and mitigate the serious risks that have crippled the companies and financial markets. The disastrous results felt throughout the economy have given new and sharp meaning to the dire need for more muscular, comprehensive enterprise risk management (ERM) in corporate America.
This survey, in collaboration with CFO Research Services, is particularly timely for corporate executives at every level.
Conducted in April 2008, even before the full extent of the country’s economic problems was clear, this study reveals troubling barriers to excellence in corporate audit efficiency and risk management. It is hardly a reach to suggest that the deficiencies revealed in this survey could well have contributed to the magnitude of the economic collapse that has imperiled the country. At the same time, it offers a variety of guides and lessons for improving risk management at key corporate levels as the country struggles through recovery and re-establishes its economic strength.
Chief finance officers across the country, for example, revealed a surprising lack of understanding and support within many of their corporations for effective ERM. Too many of their C-suite colleagues, they said, believe such programs are “unnecessary” – a startling response in light of the dismal risk assessment performance of so many corporations.
While troubling in significant ways, these survey results also point to important opportunities for top executive teams to quickly and effectively begin assessing their corporate risk management and installing programs that will go a long way toward restoring the confidence of investors and stakeholders where necessary.
Research Objectives and Methodology
Crowe commissioned this research study to determine CFOs’ perspectives on managing risk across a number of dimensions. The study was also geared to identify how CFOs interact and collaborate with others, including the board, the audit committee, and chief audit executives.
The study was conducted in April 2008 and was answered by 157 chief finance executives at a broad range of companies across North America, with revenues ranging from $100 million to more than $10 billion a year.
Nearly half of the survey respondents listed themselves as CFOs, while 17 percent said their title was vice president of finance, and another 12 percent were directors of finance. They were from companies in every major industry, from auto, industrial, and manufacturing to financial services, real estate, and retail.
The Biggest Challenge: Managing Risk
The survey respondents show a heightened awareness that as the business environment has become more complex and more global, new varieties and levels of risk have been created in all types of business units.
Asked what will be “particularly challenging for your organization in the next 12 months,” fully 65 percent said “managing risk across the entire company.” Slightly less than half listed “improving financial reporting” as a particular challenge, and 43 percent chose “improving internal controls” (Exhibit 1). Each of these concerns, of course, is an important element of ERM.
But if managing risk across the entire company poses the main challenge for these executives, the Crowe study shows that they face daunting obstacles.
More than a third of the finance executives, for example, said their companies see risk management “as an unnecessary interference with business activities.” And the same percentage, 35 percent, said their companies showed a “lack of shared understanding and approach to risk management across business units” (Exhibit 2).
Nearly half of the survey respondents said that the greatest obstacle to improving risk management at their company was “lack of time, attention, and resources.” More specifically, the financial executives pointed to a “lack of dedicated risk management resources,” “lack of tools, frameworks, and decision-making structures for risk management,” and “organizational resistance” as critical barriers to successful risk management in their companies.
Twelve percent flatly pointed to the “lack of senior management commitment.” There is work to do in developing and upgrading ERM across corporate America.
More than that, the survey indicates that these barriers to effective ERM are indeed having an impact. It shows, for example, a potentially damaging inconsistency on the part of companies in assessing and then managing two main categories of corporate risk: financial and operational. Further and more important, the survey shows that, in light of today’s corporate performance and the inability to recognize and head off severe financial risk, ERM is mostly not working.
In response to one survey question, 73 percent of the respondents, for example, said their companies had in place a coordinated, centralized process for overseeing financial risk. In contrast, fewer than half, only 47 percent, said a similar process existed to assess and manage operational risk. This finding is in line with responses to another survey question showing that companies were more tolerant of operating risk than financial risk.
Nearly half of the finance executives said their companies were either very tolerant or somewhat tolerant of operating risk. Only 38 percent, on the other hand, said their companies were very or somewhat tolerant of financial risk.
The Causes for Concern
It has turned out, however, that many companies were not equipped to assess their exposure, particularly to new financial market risk. And now, as the economy gradually recovers, financial executives show signs of having greater awareness of financial risk.
Forty percent of the survey respondents, for instance, said that financial factors would be a “substantial cause for concern” during the next year (Exhibit 3). An equal percentage was concerned about technological factors, such as information technology systems and communications problems. Only “market factors,” such as loss of customers, moves by competitors, and supply and distribution chain difficulties, scored as a slightly greater concern than financial or technology factors.
Forty-four percent of those surveyed – and remember this was before the subprime and credit markets imploded – were concerned about those market factors. Even so, when they were asked which factors had been “surprise” disruptions of company performance, 36 percent pointed to unexpected financial developments.
The other top unwelcome surprises during the past three years? Thirty-one percent said operational difficulties, and 29 percent said technology had caused unpredictable disruptions. A comprehensive, companywide ERM program would address each of these areas.
Questions About Priorities and Execution
Timing influences the outlook of these key financial executives. Three years earlier, for example, a similar survey asked them to prioritize the “most critical” needs for their companies to reduce business risk. Back then, 54 percent said that “more timely and accurate financial forecasting” would be their highest priority. This concern was a natural consequence of efforts to comply with Sarbanes-Oxley and deal with investor and regulatory skepticism following several years of corporate scandal, starting with Enron and WorldCom.
The next most needed anti-risk measure, picked by 34 percent of respondents then, was “improving corporate governance,” followed by “improved production” in fifth place, with only 25 percent identifying it as their company’s highest priority.
In the April 2008 survey, “improved production and operating processes” moved to the top position as the most-needed anti-risk measure, picked by 41 percent of the respondents. “More timely and accurate financial forecasting” was the number two “high priority” concern but now was picked by a lesser 37 percent of the respondents (Exhibit 4). Even as the economy was headed for decline, with companies across the spectrum having failed to anticipate weakening financial conditions, these finance executives had shifted their priorities from financial forecasting to improving operations and production. These results raise serious questions about their abilities not only to prioritize accurately but also to follow through on those earlier high-priority issues. Would more timely and accurate financial forecasting have helped companies avoid the 2008 credit and market conditions that plunged them into recession – as well as the more general financial collapse that followed? Can they be satisfied, looking back, with those improvements that were made in their forecasting and risk assessment methodology? Are they as unprepared now as they seemingly were in 2005 to cope with dramatic and unforeseeable downturns in their business and the economy?
A substantial opportunity exists for improving overall management and assessment of risk. More than that, it would be understandable if top finance executives and their C-suite colleagues were now looking hard for new and better ways of managing risk.
Who Runs the Show?
If that search for better risk management methods does, in fact, develop, this survey shows that the push will almost certainly have to come from the corporations’ top finance executives working with their C-suite colleagues and, to a slightly lesser extent, from boards of directors. Sixty-four percent of the responding finance executives described themselves as being in the leadership role for developing their corporation’s risk management strategy (Exhibit 5). Sixty-two percent also listed the C-suite executive team for this leadership role. These two top executive categories outranked, by far, others that were also listed as playing a leadership role in developing a risk management strategy. Twenty-three percent of the respondents said a chief risk officer and independent risk management function had a leadership role, for instance. Just 19 percent listed their board of directors.
The boards, business unit managers, audit committee, and, to a slightly lesser degree, internal audit team, do, however, play important supporting roles in developing risk policy. Seventy-six percent of the respondents said, for instance, that their business unit management team played either a “key” or a “supporting role” in this process. Sixty-four percent put their board of directors in those key or supporting roles. And 55 and 54 percent, respectively, said their audit committee and internal auditors had key or supporting roles in developing a risk management strategy.
Who’s Managing Risk? No One?
Perhaps most startling, though, 52 percent of the top finance executives indicated that either they didn’t know or their “chief risk officer and independent risk management function” played no role in developing strategy because their companies did not have either role. A chief risk officer who can act independently – free of influence from the top corporate power structure – and an independent risk management function are among the cornerstones of effective ERM. That position and an ERM team that functions independently does, however, require a commitment and funding from corporate leadership.
The survey showed that to the extent there is any pressure to increase resources devoted to risk management, that pressure comes first from C-suite management, second from the board of directors, and third from the board’s audit committee. That pressure, however, appears to be less than intense. Only 15 percent of the respondents said that their C-suite team was calling for a “substantial increase” in risk management resources. Nearly half, 48 percent, said that their top management team was pushing instead for “some increase.”
At the same time, a hefty 37 percent of the top management teams in the survey were asking for no or just a limited increase in such resources. And that applied to 58 percent of the boards as well. All this would seem to indicate a disturbing sense of satisfaction with existing ERM efforts and a decided lack of urgency toward any moves to upgrade them. That lack of urgency, however, may no longer exist in the current economic and business climate. Still, although the survey showed awareness – by top finance executives at least – that ERM was expected to be a significant corporate challenge going forward, it seems that their boards and C-suite colleagues were not equally impressed by this challenge. Only 20.5 percent of the respondents reported that their finance team would be devoting “much greater attention” to companywide risk management in the next 12 months. Even more of them, close to 26 percent, said that ERM would be getting “the same amount of attention.” In the middle, nearly 54 percent judged that risk management would receive “moderately more attention.” This response is not precisely a standing ovation for more ERM support, with almost 80 percent reporting only moderately more or the same amount of effort.
Ranking Their Performance: No Applause, Please
Just 21 percent of the respondents were willing to say that their company was “performing well,” meaning ahead of peers in its management of business risk. A nearly equal proportion, 20 percent, conceded there was “room for improvement.” Close to 57 percent indicated that their company was merely “performing adequately.” When the respondents were asked to rate eight specific risk management tasks, the numbers were disturbing (Exhibit 6).
More than 30 percent of the respondents declared there was “room for improvement” in the way their companies performed six of the eight tasks. And for the other two, “risk identification” and “response/mitigation formulation,” 29.5 percent and 27.5 percent, respectively, put their companies in the “room for improvement” column. That between 36 percent and 56 percent of the finance executives rated their company’s performance just “adequate” in these eight important risk management functions is hardly reassuring.
At the time of the survey, slightly more than 42 percent did say that the weakening U.S. economy “would put the most strain” on risk management processes and practices during the next 18 months. But fully half said that another kind of unexpected change, “mergers, acquisitions, divestitures, or organizational restructuring,” would pose even bigger problems. These two categories of risk, perceived then and presented as distinct, may now have become more intertwined. They now appear to describe the single and often most overwhelming challenge to present-day corporate financial health.
Managing Risk More Effectively: More Collaboration and a Companywide Approach
The survey allowed respondents to provide more complete written answers to suggest better ways to assess and manage risk. They saw the need not only for focusing on the financial and operational business functions more equally but also for more top management collaboration on the design, development, and execution of ERM. Nearly 40 percent said they already have “very close collaboration” with chief compliance or risk officers, general counsels, and the heads of internal and external audit. At the same time, though, 27 percent admitted to having “not very close collaboration” with the head of internal audit. And nearly as many, 26.4 percent, said they had the same distant relationship with their chief compliance or risk officer. In their open-ended replies, the finance executives urged more respect and collegial involvement, specifically with the internal auditors and their teams. The responses highlight an undercurrent of animosity, or at least an adversarial relationship that is not only unnecessary but also destructive. One finance executive typifying an organizational animosity toward ERM, for example, wrote: “Do not let pessimistic auditor-types put you out of business by overcontrolling everything. Life comes with risk. You cannot eliminate all of it. Get over it!” Fortunately, this opinion did not prevail. One CFO called internal audit a “key agent in spreading the word on incorporating risk management into day-to-day activities,” a function that, as another CFO put it, “is well suited to pursue, unearth, and identify exposures.” One of the CFOs emphasized the need to “eliminate all adversarial relationships with the (internal audit function),” and, as another said, “treat (IA) as a partner, not as police.” A great many of the free-form answers also pointed to the importance of more comprehensive collaboration. “Managing risk should be incorporated in the day-to-day process,” one executive wrote.
“It needs to be part of every decision at every level – not a separate checkpoint late in the process.” Another urged colleagues to “be as deeply involved in functional operations as possible. Timely visibility into issues and events is critical.” “You need full collaboration from the rest of the organization,” wrote another respondent. “You cannot do it alone.”
Finally and hopefully, these chief financial executives had little doubt that there are significant, crucial benefits from a systematic, effective, companywide risk management program. Sixty-one percent pointed to “fewer performance surprises,” and 57 percent listed “better business planning.” “More effective resource allocation” was the third most often mentioned benefit, and “improved ability to identify business opportunities” was fourth. Surely, corporations these days would like to see more of those. Not to mention one of the last mentioned, but undoubtedly far from least important, perceived benefits: “higher profits.”
Where Are We Today?
The first three quarters of 2009 continued to validate our findings. As a result of Crowe’s work with clients and discussions with others, we can identify some of the more significant trends today:
- “Black swans” continue to loom. While rare, major crises are extremely damaging and difficult to predict. They usually result from interrelated risks, such as the recent combined economic, banking, and housing crisis.
- “Silo-based” risk management programs have proved to be dangerous. They contributed to AIG’s failed risk management efforts, for example. Highly interrelated risks should not be isolated and managed independently.
- Corporate governance – including business practices and ethics, ERM, transparency and disclosure, monitoring, legal and regulatory, boards and committees, and communication – continues to be weak or overlooked altogether. Risk management and compliance cannot be effective without good corporate governance.
- Most ERM programs do not clearly define, or completely overlook, roles and responsibilities for top audit, risk management, and C-suite executives.
- Often there are no clear links between ERM efforts and broader business strategies.
- The executives responsible for developing and executing ERM often have had little or no understanding of how to assess risk exposures for likelihood, impact, and speed of onset.
- Soft issues are critical. Risk management is not likely to be effective in an organization with an adverse culture, inappropriate values, or misplaced incentives.
- Some organizations, we believe, are putting off the ERM journey because of concern about what they might find and then have to address.
- Many organizations are struggling to develop an effective monitoring process.
- The current economic climate has diverted resources and managers’ attention away from the ERM process.
“Only when the tide goes out do you discover who’s been swimming naked.” - Warren Buffett
Conclusion and Recommendations
The study shows clearly that there is considerable work to be done designing, developing, and implementing high-impact ERM programs in too many corporations. It highlights surprisingly fundamental barriers to doing so, from a significant belief among top management that ERM is an “unnecessary interference” with managing their business, to a “lack of shared understanding” within companies of the need for better risk assessment.
The survey found more than half the respondents rating their company’s ability to perform major risk assessments across business units as merely adequate. At the same time, the survey points to the strong leadership roles that chief finance executives and their C-suite colleagues can have developing ERM in their organizations. Indeed, given the risk assessment mistakes that have been made and the present need to restore confidence in corporations and their management teams, there has never been a more timely opportunity. An excellent start, indicated in this study, would be the hiring of a chief risk officer and the installation of an independent risk management function in the companies that have neither.
Finally, as noted previously, the most basic recommendation is for more collaboration on risk management among chief finance executives, their C-suite colleagues, their boards of directors, and the managers of their corporation’s operating units. There should be a sense of real urgency, now more than ever, to ensure that this collaboration produces a companywide approach to ERM.
I hope you enjoyed the read.
Jonathan T. Marks, CPA, CFF, CFE
Attribution to my co-author, dear friend, and former partner, Rick Julien.