Avoiding the Black Swan: Barriers to Improving Risk Management
←
→
Page content transcription
If your browser does not render page correctly, please read the page content below
November 2009
Survey Results
Avoiding the Black Swan:
Barriers to Improving Risk Management
The Unique Alternative to the Big Four®2
Avoiding the Black Swan: Barriers
to Improving Risk Management
Executive Summary While troubling in significant ways, these Nearly half of the survey respondents
Almost daily, U.S. business journals survey results also point to important listed themselves as CFOs, while 17
have chronicled the failure of major opportunities for top executive teams to percent said their title was vice president
corporations to discover, evaluate, and quickly and effectively begin assessing of finance and another 12 percent were
mitigate the serious risks that have their corporate risk management and directors of finance. They were from
crippled the companies and financial installing programs that will go a long companies in every major industry, from
markets. The disastrous results felt way toward restoring the confidence auto, industrial, and manufacturing to
throughout the economy have given of investors and stakeholders where financial services, real estate, and retail.
new and sharp meaning to the dire necessary.
Results
need for more muscular, comprehensive
Research Objectives The Biggest Challenge: Managing Risk
enterprise risk management (ERM) in
and Methodology The survey respondents show a
corporate America.
Crowe commissioned this research study heightened awareness that as the
This survey from Crowe Horwath LLP, in order to determine CFOs’ perspectives business environment has become more
in collaboration with CFO Research on managing risk across a number of complex and more global, new varieties
Services, is particularly timely for dimensions. The study was also geared and levels of risk have been created in all
corporate executives at every level. to identify how CFOs interact and types of business units.
Conducted in April 2008, even before collaborate with others, including the
Asked what will be “particularly
the full extent of the country’s economic board, the audit committee, and chief
challenging for your organization in
problems was clear, this study reveals audit executives.
the next 12 months,” fully 65 percent
troubling barriers to excellence in
The study was conducted in April said “managing risk across the entire
corporate audit efficiency and risk
2008 and was answered by 157 chief company.” Slightly less than half listed
management. It is hardly a reach to
finance executives at a broad range of “improving financial reporting” as a
suggest that the deficiencies revealed in
companies across North America, with particular challenge, and 43 percent
this survey could well have contributed
revenues ranging from $100 million to chose “improving internal controls”
to the magnitude of the economic
more than $10 billion a year. (Exhibit 1). Each of these concerns, of
collapse that has imperiled the country.
course, is an important element of ERM.
At the same time, it offers a variety of
guides and lessons for improving risk Exhibit 1: The Biggest Challenges
management at key corporate levels “Which of the following activities do you believe will be particularly challenging for your
as the country struggles through organization in the next 12 months?”
recovery and re-establishes its
Managing risk across the entire company 65%
economic strength.
Improving financial reporting 47%
Chief finance officers across the
Improving internal controls 43%
country, for example, revealed a
Complying with regulation 34%
surprising lack of understanding
and support within many of their Adopting International Financial Reporting Standards 18%
corporations for effective ERM. Too Developing a fraud prevention program 8%
many of their C-suite colleagues, Monitoring whistle-blower process 6%
they said, believe such programs are Complying with Foreign Corrupt Practices Act 5%
“unnecessary” – a startling response
Other 7%
in light of the dismal risk assessment
0% 20% 40% 60% 80%
performance of so many corporations.
www.crowehorwath.com 3Crowe Horwath LLP
But if managing risk across the
entire company poses the main Exhibit 2: Barriers to Change
challenge for these executives, “In your opinion, what are the greatest obstacles to improving risk management at
your company?”
the Crowe study shows that
they face daunting obstacles. Lack of time, attention, and resources 48%
More than a third of the finance
Perception of risk management as an unnecessary
35%
executives, for example, said their interference with business activities
companies see risk management Lack of shared understanding and approach to risk 35%
management across business units/departments
“as an unnecessary interference with
Lack of dedicated risk management resources 26%
business activities.” And the same
percentage, 35 percent, said their Lack of tools, frameworks, and decision-making
26%
structures for risk management
companies showed a “lack of shared
Organizational resistance 24%
understanding and approach to
risk management across business Lack of internal expertise 14%
units” (Exhibit 2).
Lack of senior management commitment 12%
Nearly half of the survey respondents
said that the greatest obstacle Overly complex corporate structure 12%
to improving risk management at Inadequate or overly complex technology
10%
and information systems
their company was “lack of time,
attention, and resources.” More Lack of independence of risk function 5%
specifically, the financial executives Lack of strength and capabilities in the internal
3%
audit function
pointed to a “lack of dedicated
Other 2%
risk management resources,”
“lack of tools, frameworks, and 0% 10% 20% 30% 40% 50%
decision-making structures for risk
management,” and “organizational
assessing and then managing two main process existed to assess and manage
resistance” as key barriers to successful
categories of corporate risk: financial and operational risk. This finding is in line
risk management in their companies.
operational. Further and more important, with responses to another survey
Twelve percent flatly pointed to “lack
the survey shows that, in light of today’s question showing that companies were
of senior management commitment.”
corporate performance and the inability more tolerant of operating risk than
Clearly there is work to do in
to recognize and head off serious financial risk.
developing and upgrading ERM
financial risk, ERM is largely not working.
Nearly half of the finance executives said
across corporate America.
In response to one survey question, 73 their companies were either very tolerant
More than that, the survey indicates
percent of the respondents, for example, or somewhat tolerant of operating risk.
that these barriers to effective ERM
said their companies had in place a Only 38 percent, on the other hand, said
are indeed having an impact. It shows,
coordinated, centralized process for their companies were very or somewhat
for example, a potentially damaging
overseeing financial risk, while fewer tolerant of financial risk.
inconsistency on the part of companies in
than half, only 47 percent, said a similar
4Avoiding the Black Swan: Barriers
to Improving Risk Management
The Causes for Concern
It has turned out, however, that many Exhibit 3: Causes for Concern
companies were not equipped to assess “In the past three years has your company’s performance been disrupted in a
substantial way by surprises in any of the following categories? In your opinion,
their exposure, particularly to new
which of the following categories poses a substantial cause for concern at your
financial market risk. And now, as the company in the next year?”
economy gradually recovers, financial
executives show signs of having greater 36%
Financial factors
awareness of financial risk. 40%
31%
Operational factors
Forty percent of the survey respondents, 31%
for instance, said that financial factors 29%
Technology factors
40%
would be a “substantial cause for
27%
concern” during the next year (Exhibit 3). Market factors
44%
An equal percentage was concerned Infrastructure/Physical factors 22%
13%
about technological factors, such as
21%
information technology systems and Management factors
27%
communications problems. Only “market 21%
Employee factors
factors,” such as loss of customers, 31%
moves by competitors, and supply and Organizational factors 19%
19%
distribution chain difficulties, scored as a
15%
slightly higher concern than financial or Reputational/Legal factors
11%
technology factors. 14%
Regulatory factors
18%
Forty-four percent of those surveyed
0% 10% 20% 30% 40% 50%
– and remember this was before the
subprime and credit markets imploded Negative surprise in past three years
– were concerned about those market Substantial cause for concern over the next year
factors. Even so, when they were asked
which factors had been “surprise”
program would address each of to reduce business risk. Back then,
disruptions of company performance, 36
these areas. 54 percent said that “more timely and
percent pointed to unexpected financial
Questions About Priorities accurate financial forecasting” would
developments.
and Execution be their highest priority. This concern
The other top unwelcome surprises was a natural consequence of efforts to
Timing obviously influences the outlook
during the past three years? Thirty-one comply with Sarbanes-Oxley and deal
of these key financial executives. Three
percent said operational difficulties, with investor and regulatory skepticism
years earlier, for example, a similar
and 29 percent said technology had following several years of corporate
survey asked them to prioritize the
caused unpredictable disruptions. A scandal, starting with Enron and
“most critical” needs for their companies
comprehensive, companywide ERM WorldCom.
www.crowehorwath.com 5Crowe Horwath LLP
The next most needed anti-risk
measure, picked by 34 percent of Exhibit 4: Critical for Cutting Business Risk
respondents then, was “improving “In your opinion, which of the following are most crucial to address to reduce business
risk at your company?”
corporate governance,” followed
by “improved production” in
fifth place, with only 25 percent Improved production and operating processes 41% 41% 17%
identifying it as their company’s More timely and accurate financial forecasting 37% 48% 16%
highest priority.
Better inventory planning 23% 24% 53%
In the April 2008 survey, “improved
Better information security/privacy 20% 49% 32%
production and operating
Better enterprise software for finance and accounting 16% 41% 42%
processes” moved to the top
position as the most-needed anti- Improving corporate governance 12% 48% 40%
risk measure, picked by 41 percent Better outsourcing strategy 10% 25% 65%
of the respondents. “More timely
Better management of outsourcing relationships 9% 30% 61%
and accurate financial forecasting”
was the number two “high priority” 0% 20% 40% 60% 80% 100%
concern but now was picked
High priority Moderate priority Low priority
by a lesser 37 percent of the
respondents (Exhibit 4). Even as the
economy was headed for decline,
Are they as unprepared now as they Sixty-four percent of the responding
with companies across the spectrum
seemingly were in 2005 to cope with finance executives described themselves
having failed to anticipate weakening
dramatic and unforeseeable downturns as being in the leadership role for
financial conditions, these finance
in their business and the economy? developing their corporation’s risk
executives had shifted their priorities
A substantial opportunity exists for management strategy (Exhibit 5). Sixty-
from financial forecasting to improving
improving across-the-board management two percent also listed the C-suite
operations and production. These results
and assessment of risk. More than that, executive team for this leadership role.
raise serious questions about their
it would be understandable if top finance These two top executive categories
abilities not only to prioritize accurately
executives and their C-suite colleagues outranked, by far, others that were also
but also to follow through on those earlier
were now looking hard for new and better listed as playing a leadership role in
high-priority issues.
ways of managing risk. developing risk management strategy.
Would more timely and accurate financial Twenty-three percent of the respondents
Who Runs the Show?
forecasting have helped companies said a chief risk officer and independent
If that search for better risk management
avoid the 2008 credit and market risk management function had a
methods does in fact develop, this survey
conditions that plunged them into leadership role, for instance. Just 19
shows that the push will almost certainly
recession – as well as the more general percent listed their board of directors.
have to come from the corporations’ top
financial collapse that followed? Can
finance executives working with their
they be satisfied, looking back, with
C-suite colleagues and, to a slightly
those improvements that were made in
lesser extent, from boards of directors.
their forecasting and risk assessment
methodology?
6Avoiding the Black Swan: Barriers
to Improving Risk Management
The survey showed that to the extent
Exhibit 5: Where the Buck Stops there is any pressure to increase
“What role do the following stakeholders play in developing your company’s risk resources devoted to risk management,
management strategy?”
that pressure comes first from C-suite
management, second from the board
CFO and corporate finance function 64% 28% 7% 1% of directors, and third from the board’s
C-suite executive team 62% 25% 6% 3%5% audit committee. That pressure, however,
Chief risk officer and independent appears to be less than intense. Only
23% 11% 8% 6% 52%
risk management function 15 percent of the respondents said
Board of directors 19% 25% 39% 8% 8%
that their C-suite team was calling
Business unit management 16% 50% 26% 5% 3% for a “substantial increase” in risk
Audit committee 14% 25% 30% 11% 20%
management resources. Nearly half, 48
percent, said that their top management
Internal audit function 6% 23% 31% 12% 28%
team was pushing instead for “some
External auditors/third-party consultants 4% 16% 45% 29% 9% increase.”
0% 20% 40% 60% 80% 100%
Leadership role Key contributor role
Supporting role Little or no role
Don’t know/Does not apply
The boards, business unit managers, Who’s Managing Risk? No One?
audit committee and, to a slightly Perhaps most startling, though, 52
lesser degree, internal audit team, do, percent of the top finance executives
however, play important supporting indicated that either they didn’t know or
roles in developing risk policy. Seventy- their “chief risk officer and independent
six percent of the respondents said, risk management function” played no
for instance, that their business unit role in developing strategy because their
management team played either a “key” companies did not have either role.
or a “supporting role” in this process.
A chief risk officer who can act
Sixty-four percent put their board of
independently – free of influence from the
directors in those key or supporting roles.
top corporate power structure – and an
And 55 and 54 percent, respectively,
independent risk management function
said their audit committee and internal
are among the cornerstones of effective
auditors had key or supporting roles in
ERM. That position and an ERM team
developing risk management strategy.
that functions independently does,
however, require a commitment and
funding from corporate leadership.
www.crowehorwath.com 7Crowe Horwath LLP
Exhibit 6: How Are We Doing?
“In your opinion, how well does your company perform each of the following risk
management tasks?”
Incorporation of risk analysis in investment decisions 22% 36% 35% 8%
Response/mitigation formulation 19% 53% 27% 1%
Implementation of risk mitigation strategies 16% 51% 31% 1%
Risk monitoring and reporting 16% 47% 36% 1%
Risk assessment and quantification 15% 49% 34% 2%
Information gathering for risk management purposes 14% 52% 33% 1%
Incorporation of risk analysis in strategy setting 14% 46% 36% 4%
Risk identification 13% 56% 29% 1%
0% 20% 40% 60% 80% 100%
Excellent performance Adequate performance Room for improvement Don’t know/Not applicable
At the same time, a hefty 37 percent C-suite colleagues were not equally Ranking Their Performance:
of the top management teams in the impressed by this challenge. Only 20.5 No Applause, Please
survey were asking for no or just a percent of the respondents reported that Just 21 percent of the respondents were
limited increase in such resources. And their finance team would be devoting willing to say that their company was
that applied to 58 percent of the boards “much greater attention” to companywide “performing well,” meaning ahead of
as well. All this would seem to indicate risk management in the next 12 months. peers, in its management of business
a disturbing sense of satisfaction with Even more of them, close to 26 percent, risk. A nearly equal proportion, 20
existing ERM efforts and a decided lack said that ERM would be getting “the percent, conceded there was “room
of urgency toward any moves to upgrade same amount of attention.” In the middle, for improvement.” Close to 57 percent
them. That lack of urgency, however, may nearly 54 percent judged that risk indicated that their company was simply
no longer exist in the current economic management would receive “moderately “performing adequately.”
and business climate. more attention.” This response is not
When the respondents were asked to
Still, although the survey showed exactly a standing ovation for more ERM
rate eight specific risk management
awareness – by top finance executives support, with nearly 80 percent reporting
tasks the numbers were disturbing
at least – that ERM was expected to be only moderately more or the same
(Exhibit 6).
significant corporate challenge going amount of effort.
forward, it seems that their boards and
8Avoiding the Black Swan: Barriers
to Improving Risk Management
More than 30 percent of the respondents Managing Risk More Effectively: animosity toward ERM, for example,
declared there was “room for More Collaboration and a wrote: “Do not let pessimistic auditor-
improvement” in the way their companies Companywide Approach types put you out of business by
performed six of the eight tasks. And for The survey gave respondents an overcontrolling everything. Life comes
the other two, “risk identification” and opportunity to provide more complete with risk. You cannot eliminate all of it.
“response/mitigation formulation,” 29.5 written answers to suggest better ways Get over it!”
percent and 27.5 percent, respectively, to assess and manage risk.
Fortunately, this opinion did not
put their companies in the “room for
They saw the need not only for focusing prevail. One CFO called internal audit
improvement” column. That between 36
on the financial and operational business a “key agent in spreading the word on
percent and 56 percent of the finance
functions more equally but also for more incorporating risk management into day-
executives rated their company’s
top management collaboration on the to-day activities” and which, as another
performance just “adequate” in these
design, development, and execution of CFO put it, “is well suited to pursue,
eight important risk management
ERM. Nearly 40 percent said they already unearth, and identify exposures.” One
functions is hardly reassuring.
have “very close collaboration” with of the CFOs emphasized the need to
At the time of the survey, slightly chief compliance or risk officers, general “eliminate all adversarial relationships
more than 42 percent did say that the counsels, and the heads of internal and with the (internal audit function), and, as
weakening U.S. Economy “would put external audit. At the same time, though, another said, “treat (IA) as a partner, not
the most strain” on risk management 27 percent admitted to having “not very as police.”
processes and practices during the close collaboration” with the head of
A great many of the free-form answers
next 18 months. But fully half said that internal audit. And nearly as many, 26.4
also pointed to the importance of more
another kind of unexpected change, percent, said they had the same distant
comprehensive collaboration. “Managing
“mergers, acquisitions, divestitures, relationship with their chief compliance or
risk should be incorporated in the day-
or organizational restructuring,” would risk officer.
to-day process,” one executive wrote.
pose even bigger problems. These two
In their open-ended replies, the finance “It needs to be part of every decision at
categories of risk, perceived then and
executives urged more respect and every level – not a separate checkpoint
presented as distinct, may now have
collegial involvement specifically with late in the process.” Another urged
become more intertwined. They now
the internal auditors and their teams. colleagues to “be as deeply involved in
appear to describe the single and often
The replies highlight an undercurrent functional operations as possible. Timely
most overwhelming challenge to present-
of animosity, or at least an adversarial visibility into issues and events is critical.”
day corporate financial health.
relationship that is not only unnecessary
“You need full collaboration from the
but also destructive. One finance
rest of the organization,” wrote another
executive typifying an organizational
respondent. “You cannot do it alone.”
www.crowehorwath.com 9Crowe Horwath LLP
Finally and hopefully, these chief financial Where Are We Today? Most ERM programs do not clearly
executives had little doubt that there The first three quarters of 2009 define, or completely overlook, roles
are significant, crucial benefits from a continued to validate our findings. As and responsibilities for top audit, risk
systematic, effective, companywide a result of Crowe’s work with clients management, and C-suite executives.
risk management program. Sixty-one and discussions with others, we can Often there are no clear links between
percent pointed to “fewer performance identify some of the more significant ERM efforts and broader business
surprises,” and 57 percent listed “better trends today: strategies.
business planning.” “More effective “Black swans” continue to loom. The executives responsible for
resource allocation” was the third most While rare, major crises are extremely developing and executing ERM often
often mentioned benefit, and “improved damaging and difficult to predict. have had little or no understanding
ability to identify business opportunities” They usually result from interrelated of how to assess risk exposures for
was fourth. Surely, corporations these risks, such as the recent combined likelihood, impact, and speed of onset.
days would like to see more of those. Not economic, banking, and housing crisis. Soft issues are critical. Risk
to mention one of the last mentioned, but “Silo-based” risk management management is not likely to be
surely far from least important, perceived programs have proved to be effective in an organization with an
benefits: “higher profits.” dangerous. They contributed to AIG’s adverse culture, inappropriate values,
failed risk management efforts, for or misplaced incentives.
example. Highly interrelated risks Some organizations, we believe, are
should not be isolated and managed putting off the ERM journey because
independently. of concern about what they might find
Corporate governance – including and then have to address.
business practices and ethics, Many organizations are struggling
ERM, transparency and disclosure, to develop an effective monitoring
monitoring, legal and regulatory, process.
boards and committees, and
The current economic climate has
communication – continue to be
diverted resources and managers’
weak or overlooked altogether.
attention away from the ERM process.
Risk management and compliance
cannot be effective without good
corporate governance.
10Avoiding the Black Swan: Barriers
to Improving Risk Management
Conclusion and Finally, as noted previously, the most
Recommendations basic recommendation is for more
The study shows clearly that there collaboration on a risk assessment
is considerable work to be done program among chief finance executives,
designing, developing, and implementing their C-suite colleagues, their boards
high-impact ERM programs in too of directors, and the managers of their
many corporations. It highlights corporation’s operating units. There
surprisingly fundamental barriers to should be a sense of real urgency,
doing so, from a significant belief now more than ever, to ensure that this
among top management that ERM is collaboration produces a companywide
an “unnecessary interference” with approach to ERM.
managing their business, to a “lack of
shared understanding” within companies
of the need for better risk assessment.
The survey found more than half the
respondents rating their company’s ability
to perform major risk assessments across
business units as merely adequate.
At the same time, the survey points to
the strong leadership roles that chief
finance executives and their C-suite
colleagues can have developing ERM
in their organizations. Certainly, given
the risk assessment mistakes that have
been made and the present need to
restore confidence in corporations and
their management teams, there has
never been a more timely opportunity.
An excellent start, indicated in this study,
would be the hiring of a chief risk officer
and the installation of an independent risk
management function in the companies
that have neither.
www.crowehorwath.com 11Contact Us About Crowe
Rick Julien, CPA, is a partner with Crowe Crowe Horwath LLP (www.crowehorwath.com) is one of the largest public
Horwath LLP in the Chicago office. accounting and consulting firms in the United States. Under its core purpose of
He can be reached at 630.586.5280 “Building Value with Values,®” Crowe assists public and private company clients
or rick.julien@crowehorwath.com. in reaching their goals through audit, tax, risk and consulting services. With 25
Jonathan T. Marks, CPA, CFE, CFF, is offices and 2,500 personnel, Crowe is recognized by many organizations as
the partner-in-charge of the fraud and one of the country’s best places to work. Crowe serves clients worldwide as an
ethics practice with Crowe Horwath independent member of Crowe Horwath International, one of the largest networks
LLP in the New York office. He can in the world, consisting of more than 140 independent accounting and management
be reached at 212.572.5576 or consulting firms with offices in more than 400 cities around the world.
jonathan.marks@crowehorwath.com.
For more information, please contact
Vicky Ludema at 800.599.2304 or
vicky.ludema@crowehorwath.com.
www.crowehorwath.com
If printed by Crowe Horwath LLP, this piece is printed on
Mohawk Color Copy Premium, which is manufactured
entirely with Green-e certified wind-generated electricity.
Crowe Horwath LLP is a member of Crowe Horwath International, a Swiss association. Each member firm of Crowe Horwath International is a separate and independent legal entity. Crowe Horwath
LLP and its affiliates are not responsible or liable for any acts or omissions of Crowe Horwath International or any other member of Crowe Horwath International and specifically disclaim any and all
responsibility or liability for acts or omissions of Crowe Horwath International or any other Crowe Horwath International member. Accountancy services in Kansas and North Carolina are rendered by
Crowe Chizek LLP, which is not a member of Crowe Horwath International. This material is for informational purposes only and should not be construed as financial or legal advice. Please seek guidance
specific to your organization from qualified advisers in your jurisdiction. © 2009 Crowe Horwath LLP
RISK8094AYou can also read
