In the present economic scenario of escalating risks, it is imperative for organizations to have a risk management strategy. However, more than half of GRC departments do not prepare an integrated risk management strategy, despite knowing that the lack of one can put their organizations in jeopardy. The graph below from the Economist Intelligence Report “Too Good to Fail?” covering financial institutions and insurance companies supports my assertion.
On average, just over 50% of financial institutions in the Asia-Pacific region have a regularly monitored risk management strategy. It would be fair to assume that the percentage will be much lower for all industries.
Hence, the question arises – why are GRC departments not preparing a risk management strategy? I discuss five reasons below. Use them to assess the barriers to forming a risk management strategy in your organization.
1. Non-involvement in business strategy formation
As per the survey “Fall guys: Risk management in the front line – A report from the Economist Intelligence Unit Sponsored by ACE and KPMG” – just 41% of organizations involve the risk management function in formulating and implementing corporate strategy. Non-involvement in business strategy formation results in risk managers failing to get the bigger picture and to understand business strategy risks. Hence, GRC departments’ plans focus on addressing tactical and operational risks, and risk managers fail to do strategic “risk management”.
2. Lack of accountability at senior management level
Most reports mention that risk managers do not have adequate authority. The second challenge is that they do not report to the CEO, and GRC department heads report to different functional heads. These challenges give a level of anonymity to the functioning of risk management departments. Their annual strategies are merged with the strategies of the functional department to which the GRC head reports. For example, if the CAE is administratively reporting to the CFO, the finance department strategy swallows up the internal audit plan and strategy. This results in a lack of accountability at CEO and Board level. Hence, there is no focus on preparing an integrated risk management strategy for the company.
3. Minimal organization focus on strategy development
Sometimes organizations do not have a strategy formation process. The “McKinsey 2010 Strategy Survey” results show that just 6.5% of organizations have an effective strategy development process. Secondly, 20% of organizations view corporate strategy development as an aggregation of business unit strategies. Management does not make any exclusive effort to build a corporate strategy. In such scenarios, the risk management department’s strategy is an accumulation of the individual balance scorecards of department heads. Without the right strategy development culture, it is unlikely that GRC department heads have a formal dialogue with senior management to develop an integrated risk management strategy.
4. Lack of knowledge on strategy formation
While it might sound unlikely that risk managers, the predictors of doom and gloom, do not know how to develop a strategy, it is a possibility worth exploring. It might appear to be an odd failing for people geared towards numbers, but one must take into account that most risk managers do not receive formal training on strategy formation. The second aspect to think about is that strategy is much more than numbers. The third aspect is that risk managers' reports focus on dollops of operational and financial risks, with just a smattering of strategic risks. Hence, there is a high probability that they lack the skills to prepare a strategy.
5. Outdated GRC departments
Many will raise their hands to say that GRC departments have more teeth after the financial crises. However, in my view some may still be navigating without a compass. Due to the internal politics of the organization, GRC departments may work in silos and execute work with a checkbox mentality. The GRC department heads may put more boots on the ground to achieve better risk coverage rather than develop a risk management strategy. In such situations, GRC heads form blind spots due to poor prioritization of risks, lack of awareness of competitor skills and minimal awareness of new risk management approaches. Therefore, GRC departments sometimes work with an outdated mindset and skills.
In my opinion, risk managers cannot play the blame game and raise a hue and cry over lack of visibility at CXO/Board level if they are not focused enough to develop a risk management strategy. One cannot reach a destination without a roadmap, and without a risk management strategy, risk managers are aimlessly conducting various activities. In this volatile business climate, strategic agility is a key competitive advantage. Hence, rather than being mentally resistant to sober analysis, risk managers need to do some introspection to assess the reasons constraining them from preparing a risk management strategy. Successful adoption of a risk management strategy will enable their organization to wade through this turbulent economy. To conclude:
“Strategy without tactics is the slowest route to victory. Tactics without strategy is the noise before defeat.” – Sun Tzu
- Report: Too good to fail? New challenges for risk management in financial services – By Economist Intelligence Unit
- Report: Fall guys: Risk management in the front line – A report from the Economist Intelligence Unit, sponsored by ACE and KPMG