Saturday, July 7, 2012

Risk Management - High Level, but Low Tech

According to a June survey conducted by KPMG LLP, enterprise risk management processes of many major financial services firms are surprisingly manual - perhaps dangerously so.  The survey results are somewhat unexpected given that the financial services industry is one of the most technologically sophisticated, complex, and heavily regulated industries there is.  Of the financial firms responding to the survey, 47% relied primarily on manual processes across their organizations to manage enterprise risk and compliance.  This can be contrasted with their counterparts in the telecommunications industry, also heavily regulated and tech savvy, for whom only 15% relied primarily on manual risk and compliance control systems.

Though there is some role for manual processes, KPMG feels that these industries may be putting themselves in jeopardy by eschewing, or at least failing to employ fully, the benefits of technological risk and control monitoring systems.

These industries tend to be highly regulated and should rely on technology to better manage their risk and compliance. It is also important for their oversight functions, e.g. internal audit, compliance, SOX, etc. to be able to sufficiently align and integrate risk-related information. Given the volume of risk information, technology enablement appears to be inevitable.

Despite the need for near-constant attention to risk mitigation and oversight, organizations continue to struggle with how best to manage their enterprise risk management processes to make them more efficient and effective. Survey respondents, including those in the financial services industry, cited a number of reasons why technology was not being fully employed in the risk functions at their firms. Half of the firms said that “organizational or geographical silos and politics” were the main impediment to effective enterprise risk management, while board and management resistance and cost were more minor concerns.



Participants in the KPMG pulse survey overwhelmingly (50 percent, see Figure 4 below) cited “organizational or geographical silos and politics” as the main impediment to effective ERM. This was followed by “lack of resources” (19 percent), “conflicting priorities” (12 percent), and “unclear benefits” (11 percent). The cost of ERM software and Board or Executive resistance (4 percent, respectively) lagged farther behind. 

Another reason firms -- and not just financial firms but all firms -- may be dragging their feet a bit about employing systemwide risk management systems is a lack of commitment to an overall culture of risk awareness. The survey revealed lukewarm efforts amongst a majority of the surveyed firms to inculcate risk awareness amongst management and employees.





Despite what would appear to be a real need to create a risk-aware culture, few organizations seem to have a formal ERM training and/or awareness program. Indeed, only 17 percent (see Figure 5 below) of those polled said they did have such a program in their organization, while 40 percent responded they had a “somewhat” formal training and awareness program compared to 43 percent that did not.

On the bright side, KPMG's survey did reveal that a large majority of firms are trying to formally align organizational processes with strategic initiatives, and enterprise risk management appears to be a major strategic driver. It seems that, at least on a strategic level, firms are taking risk management very seriously.