Risk management function under-utilized in strategic planning: Marsh-RIMS report

DENVER, Colo. – The vast majority of C-suite respondents taking part in the 11th annual Excellence in Risk Management Survey say that risk management is playing a more strategic role within organizations, but its full potential is not being realized.

Marsh and RIMS released a joint report Monday during the RIMS 2014 Annual Conference & Exhibition in Denver. The survey was compiled from online responses received in February from almost 600 risk professionals, C-suite executives and others involved in risk-related functions.

In all, 93% of C-suite respondents indicated risk management carries either some or significant impact on setting their organization’s business strategy. In fact, 76% of those polled confirmed their organizations treat risk management as a key strategic function.

That said, only 20% of C-suite respondents reported their organizations use the risk management function to its fullest abilities.

It is encouraging that risk management “has evolved over the past 10 years into a role that is much more aligned to an organization’s strategic planning,” Carol Fox, director of the strategic and enterprise risk practice at RIMS, says in a joint statement.

There is “more pressure on risk professionals to become increasingly strategic in support of organizational prosperity. While the last several years’ surveys have shown only incremental movement in grabbing this opportunity, the 2014 results are encouraging, showing that risk professionals are deploying new approaches and building capabilities inside their organizations,” notes the report.

Despite the positive evolution in risk management, though, “there always is more to do and additional opportunities to be uncovered and seized,” Fox says, citing as an example what can be done through deeper use of analytics.

“By its nature, risk management relies on data and, in this era of Big Data, can no longer function as a technological runner-up,” the report states.

“If used properly, data and analytics can help organizations make better business decisions while at the same time, increase the profile of risk management within the organization,” Brian Elowe, a managing director at Marsh, suggests in the joint statement.

C-suite respondents ranked risk mitigation and risk identification as their top two areas where organizations would benefit from improved use of data and analytics. For risk professional respondents, they ranked risk bearing capacity and risk quantification as their top areas.

The survey found that all four areas depend on an understanding of internal and external metrics, which are made available through the aggregation of data and deeper analytical capabilities, the statement adds.

C-suites and boards are asking risk professionals not simply about the insurance coverage in place, but what “unexpected risks the organization may face, and where to invest capital most effectively,” Elowe points out.

Risk professionals identified cyber risk as their number one risk priority for 2014, up from 12 in 2013. The risk is also gaining more consideration among C-suite respondents, moving from 26 in 2013 to 12 on their risk priority list for 2014.

These results demonstrate that a gap exists between risk professionals’ and the C-suite’s prioritization of cyber risk. “With the potential that exists for cyber-attacks to bring significant losses and reputational damage, cyber security represents an area in which risk professionals can grab the lead to ensure their organizations are prepared,” the report states.

A recent Marsh study shows a 21% rise in the number of companies purchasing cyber insurance in 2013 over 2012, the report adds.

A chart in the report shows that the top 10 risks cited by C-suite respondents are legal or regulatory shifts; litigation or claims; regulatory compliance; brand/reputation; economic conditions; workforce health and safety; business continuity/crisis management execution; talent availability; competitors; and business disruption.

For risk professionals, the list is data security/privacy; economic conditions; brand/reputation; natural disaster; regulatory compliance; litigation or claims; legal or regulatory shifts; technology/systems failure; supply chain vulnerability; and business continuity/crisis management execution.

There were also differences when it came to the role risk managers play. Survey results indicate that while 47% of risk professionals identified risk management execution as their primary role, only 16% of C-suite respondents agreed.

“Instead, C-suite responses tended toward the CFO as the primary executioner of risk strategy,” notes the report. “Even within the C-suite, at least seven different roles were shown as having responsibility for risk strategy and execution,” it adds.

Asked what knowledge and abilities will be most important to meeting the organizations’ risk management needs over the next three to five years, C-suite respondents chose an aptitude for strategy and business acumen by a 2-to-1 margin over any other response.

More specifically, the chart in the report detailing knowledge and abilities offers the following survey findings:

• strategy and execution aptitude – C-suite, 67%; risk professionals, 55%;
• business acumen – C-suite, 55%; risk professionals, 32%;
• planning and organizing capabilities – C-suite, 35%; risk professionals, 30%;
• collaboration skills – C-suite, 31%; risk professionals, 28%;
• analytic expertise – C-suite, 29%; risk professionals, 27%;
• specific technical knowledge – C-suite, 27%, risk professionals, 37%;
• communication and presentation skills – C-suite, 16%; risk professionals, 31%; and
• change expertise/influence – C-suite, 8%; risk professionals, 24%.