Survey: ERM Lacks Fundamentals

A survey of KPMG LLP’s internal auditors and board members reveals that many companies are falling short in three critical areas of their enterprise risk management (ERM) programs—risk culture, risk management processes and technology.

"Given today's unprecedented and extreme market fluctuations, mismanaging risk could affect a company's competitive position and even its viability," says John Farrell, KPMG's lead partner for enterprise risk management. "Management and boards need to ensure that fundamental ERM components are in place if they expect their company's risk management programs to deliver the intended results."

Approximately 130 respondents, a mix of senior internal audit executives and board members across all industries, including insurance, participated in the survey. More than half the survey respondents (58%) reported deficiencies around risk culture, namely, that their company's employees had little or no understanding of how risk exposures should be assessed for likelihood and impact.

"When ERM programs miss the 'behavioral' piece of the equation, there is no foundation for critical thinking and judgment around decision-making," says Farrell. "All executives—particularly senior management—must understand the risks facing their organization in order to help define their company's risk appetite and effectively manage risks."

Further, with one-third (33%) reporting they had done nothing to eliminate redundancies in risk assessments, organizations are doing little to establish one consistent risk management and assessment process across the organization, notes the survey.

"Having a single view of risk is critical to making consistent and informed decisions," Farrell notes. "When risk management is siloed, without one person or team owning the process, no one has visibility to aggregate exposures and accountability for the decisions, and risk interrelationship cannot be easily identified."

Survey results around technology also were dismal. Only one-quarter (25%) of the internal auditors surveyed said their companies currently apply technology to their ERM programs, and another 25% said they were considering it.

"Management would benefit from forward-looking reviews of current and emerging risks, and the only way to do that effectively, on a real-time basis, is through technology," said Farrell. "Today, incorporating technology into ERM is an imperative; manually monitoring risks through spreadsheets is inefficient and potentially inaccurate."
