The survey found that the main barriers to better risk management are:
 - Over-focusing on compliance rather than fundamental processes (42%)
 - Lack of strong management support (41%) and
 - Reluctance to de-silo related information (35%).

Worryingly, a majority of the companies said their approach to ERM continues to be basic or reactive, although about 40% of executives surveyed considered their approach to ERM to be ‘proactive’, involving the board as well as business and functional leaders at all levels of the organisation.

“The disasters of the past three years have prompted companies to ramp up their ERM processes and work harder at installing a risk management culture,” said Axel Lehmann, Chief Risk Officer at Zurich.

“Some companies have also made more basic changes designed to forestall similar occurrences or enable executives to respond to them more effectively. And at the same time, however, the threat of unanticipated ‘black swan’ events has encouraged many companies to broaden their search for potential risks,” he added.

The survey found that, apart from natural disasters and economic slump, the other most often cited risks are largely operational matters.

More than half of companies mentioned risk related to talent retention and acquisition as having risen significantly.

Corporate and/or brand reputation has become a more significant concern at half of the companies. Business planning and continuity as well as legal risks were mentioned by nearly half of the respondents in the survey.

Respondents reported that dedicated Chief Risk Officers (CROs) are far more likely to oversee risk management now than three years ago, although the Chief Executive Officer (CEO) bears ultimate responsibility.

The study also found that, at companies with strong ERM processes, ‘ownership’ of risk stays in the hands of business and functional leaders.

“The CRO’s role is to establish an enterprise risk management framework, to align and control group-wide risk taking, to advise and to communicate regularly as well as to provide them with resources to better manage risk themselves. The result is what executives interviewed for the study call a ‘collaborative culture’ that integrates risk awareness into the company’s strategic planning,” said the study.

According to Harvard Business Review Analytic Services, five distinct lessons emerge from the survey:
-  Risk management needs to have a clear ‘owner’ to be effective
 - Risk management and corporate goals must be integrated
 - Companies must manage risk proactively
 - Companies must look deeper and wider to determine what their most serious risks will be in the long run
 - Companies must break down silos and managerial bottlenecks.

A similarly worrying new paper from PwC, Black swans turn grey: the transformation of risk, has warned that many organisations’ risk management practices are worryingly incomplete and are being outpaced by an era of catastrophic ‘black swan’ events.

PwC said that businesses need to be more agile and innovative if they are to combat catastrophic, major-impact black swan events such as terrorist attacks, tsunamis or major oil spills, by updating and innovating archaic practices to achieve wider risk resilience.

Richard Sykes, PwC Governance, Risk and Compliance Leader, said: “The risk landscape is changing, and established risk management approaches need to be updated to keep pace. Many organisations currently have the wrong focus.

They major on financial and operational risks and crucially regard risk and strategy as separate, rather than seeing risk-taking as a key source of value creation. But the world where risk events could be predicted—and their impacts controlled—is fast disappearing.”

He added: “By their nature, black swan events should only occur at unpredictable intervals. Yet recent experience suggests events that fit this definition are happening more frequently. Rather than being infrequent outlier events, it seems they are now part of a faster-changing and more uncertain world, which makes it hard for businesses to understand where new risks are going to come from.

The paper suggests that enterprise risk management can influence the personal behaviours and sense of responsibility that businesses need by encouraging a box-ticking, process-led approach.

PwC said this could lead front-line staff to see risk as separate from their own business decisions. “Large organisations now have blind spots from which high-impact risks can emerge to damage or even destroy their business,” said the paper.

“Comprehensive risk management practice, on the other hand, makes companies distinctive, more appealing to prospective clients and gives competitive edge. When properly embedded it helps protect reputation and enhance resilience, while providing a clear view of the board’s attitude to integrity, risk and safety,” continued the report.

Armoghan Mohammed, PwC Risk Partner, said: “By understanding today’s risk landscape, organisations can progress from managing specific risks to achieving wider resilience. What is needed is a new, more flexible and holistic approach to risk management that develops a risk aware culture and fosters an explicit focus on risk appetite. This will provide a clearer ownership of risks at leadership levels—with risk awareness and accountability shared across the organisation through a common risk culture. It can also give a higher market rating. There’s growing evidence that businesses that are seen to truly embed a risk-aware culture and behaviours are valued more highly by the markets.”

Please sign up here to our full-time mailing list to ensure that you receive our weekly newsletter.

• More Education News