NEW ORLEANS—Seventy-nine percent of companies are aligned with their risk management reporting structure; however, only 27% of risk professionals believe that emerging risks will be a company priority in the coming year, according to the 12th annual “Excellence in Risk Management Survey” released here by Marsh and RIMS.
In the last five or six years, “We have seen significant narrowing of the gap, where there is better alignment of what risk managers and risk executives are providing their organization and what their C-suite and management is looking for and needing in this riskier world that we all live in,” said Brian Elowe, a managing director at Marsh and co-author of the report. Findings are based on more than 300 responses to an online survey and a series of focus groups with leading risk executives.
Elowe explained that the study focused on organizational alignment, risk management effectiveness, data analytics and technology and cyberrisk.
In their study of organizational dynamics, he said, “We looked at priority setting, organizational structure and performance measurement standards to understand effective execution of a risk management strategy.”
The first insight concerned the structures that risk management reports to inside an organization. “We also asked whether the people responding to the survey felt risk management was reporting to the correct area inside the organization. We found that 79% of the respondents said they felt risk management was reporting into the appropriate area inside their organization,” Elowe said.
Looking deeper, he said the survey found that 50% of executives report into the finance area. The other half reports into a wide range of areas inside the company: 12% report to general counsel, 8% to other C-suite members, 5% to internal audit, 5% to operations, 2% to human resources and 11% to “other” functions.
“We found that while they are all in the risk management function, those that report to areas outside of finance tend to be involved in areas deemed to be more strategic in nature. So they are more likely to be involved with things like ERM strategies, IT, privacy and security.”
Elowe said, “We think that finance executives might be well-served to help facilitate greater connections inside their companies to help broaden the perspective that risk executives reporting into finance might be able to have inside their own companies.”
In addition, only 27% of risk professionals reporting to the CFO or treasurer said they expected an increase in spending for training risk management staff. This compares to 46% expecting increases among those reporting to other areas.
The top-five programs reporting to risk management were insurance management (92%), claims management (88%), enterprise risk management (67%), captive operations (65%) and emergency response (63%).
Looking at functions that report into risk management, he said that while the traditional functions of insurance and claims were well aligned, there is a significant alignment with IT. This is compared to several years ago when IT “operated in and of itself in an organization. That is an outcome of the growing cyberrisk and the need for organizations to have a multi-disciplinary approach to how cyber is affecting their organization.”
Discussion groups agreed that the “here and now” is most important to their companies and that more needs to be done to develop understanding of emerging risks. “Risk managers are concerned they are not looking far enough ahead,” Elowe said, adding that company focus is largely directed to regulations and compliance. Carol Fox, director of the strategic and enterprise risk practice at RIMS and co-author of the report, observed that organizations focused on operations are generally not as involved in strategy. She said management understands risks but falls off in actually planning for emerging risks.
- Risk management departments that do not report into finance are generally better aligned with other strategic functions within their organizations — most notably in the areas of enterprise risk management, compliance, information technology (IT) risk management, privacy, and security.
- Despite the importance placed on emerging risks by many board members, senior leaders, and risk executives, only 27% of survey respondents said that identifying emerging risks would be a priority in the coming year.
- Over the next two years, 42% of organizations expect to increase the level of investment in risk analytics, according to our survey, with 57% saying it would remain flat.
- Nearly 60% of respondents said their organization has no formal communications plan in anticipation of a cyber event.
- Risk professionals who report into the CFO or treasurer are much less likely to expect an increase in spending for training risk management staff in the coming year compared to those reporting elsewhere.