“The increasingly complex, interconnected and global nature of the risks we face demands greater understanding and ‘air time’ at board level and regular, in-depth discussion with relevant market-facing executive teams.”
Sir Peter Gershon, Chairman, National Grid PLC and Tate & Lyle PLC
From safety to cyber-security, successfully managing business risk is becoming increasingly crucial to company survival. How can organizations ensure that they are monitoring risk and the right indicators effectively? The authors provide in-depth advice on how using key risk indicators to drive proactive executive behavior can reduce exposure to risk, improving company performance.
The risk landscape of the modern business environment is constantly evolving, and companies need to maintain continuous oversight to deal with key risks that could threaten their businesses. Over the past decade, a number of high-profile corporate crises, many directly attributed to failures in risk management, have highlighted the extent of the problem and the danger posed for many organizations now. Notable recent examples include the collapse of UK construction giant Carillion (with contract risk as a key driver), and the cyber attack on shipping and energy company A. P. Moller Maersk. orporate boards are increasingly demanding the ability to continuously monitor risk exposure, using metrics to assess, validate and verify whether risk is increasing or decreasing.
Meanwhile, executives and other stakeholders need the ability to respond rapidly to emerging threats before these crystallize into serious financial and reputational impact.
This is of particular concern to executives, such as CFOs, general counsel and company secretaries, who in many cases are responsible for ensuring that adequate risk governance is in place. In addition, companies stand to benefit financially by reducing their total cost of risk (TCOR) through reduced insurance premiums, reduced uninsured losses and improved credit ratings. According to the 2017 Aon Risk Maturity Index Insight Report, companies with the best risk management maturity outperformed those with the poorest maturity financially, with up to 15 percent better stock-price performance and up to 25 percent lower stock price volatility. Studies by other organizations, including the Federation of European Risk Management Associations (FERMA), have established similar links between risk management maturity and financial performance.
This article will explore some of the ways in which effective risk management approaches, in particular the use of key risk indicators (KRIs) to drive proactive executive behavior, can reduce unnecessary risk exposure and minimize the potential for catastrophic events. In the sections that follow, we discuss the current state of risk-monitoring maturity in the business world, considerations for the selection of appropriate leading and lagging KRIs, and their effective implementation, and then present insight for executives on what steps to take to improve risk monitoring. While the concepts discussed in this article are well established, evidence shows that management teams are still consistently poor at addressing the process and technical challenges necessary to turn them into fully operational solutions that deliver business value.
Risk monitoring and proactive correction are still immature
Risk management is a growing priority for companies across all sectors, not just those that operate in highly regulated environments. Senior leadership needs to better monitor risk to support improved decision-making, as well as minimize the likelihood of catastrophic events that may cripple their businesses financially and reputationally. This is not a task that individual functions, such as a dedicated risk team, can manage independently of the rest of the organization. A cross-functional approach at executive level is required for it to be effective. Additionally, there is a growing regulatory obligation for companies to make statutory disclosures on financial viability, solvency and liquidity in light of the key risks they face. There is also pressure exerted by more active investors demanding evidence that risk management is reducing uncertainty and volatility, while improving confidence in financial forecasts.
However, shortfalls in the risk management approaches many companies currently operate can leave them dangerously exposed. These companies either have no corporate-level mechanisms for monitoring and acting on risk exposure, or gather potentially relevant data but fail to develop appropriate metrics to support effective monitoring, control and timely remediation. These metrics can take the form of KRIs, which can be used at all levels of management to provide evidence of the effectiveness of risk management strategies being implemented. Even when companies do employ KRIs, they frequently select inappropriate ones, for example, relying too heavily on lagging indicators rather than leading indicators. Alternatively, they struggle to implement effective monitoring environments that will provide early warning that their risk management strategies are off track, and thus enable timely corrective actions.
The maturity in approach can vary enormously, even though this methodology has existed for some time. Many organizations operate in the first two boxes of the simple maturity model illustrated in Figure 1. Although insufficient KRI-related maturity assessments have been conducted to develop a robust universal benchmark, our experience assessing maturity suggests that most companies, even those conforming to Fortune 500 best practices, lie towards the lower end of the maturity scale, and usually lower than where senior management thinks they are operating.