Organizational risks are increasingly on the radar of top executives, and it’s chief financial officers and CEOs — not chief risk officers — who should ultimately bear the responsibility for risk management, according to a survey released Wednesday.
“Aftershock: Adjusting to the new world of risk management,” published by Forbes Insights in association with Deloitte, found that 26% of executives think the main responsibility for overall risk management belongs to the chief executive officer, with 23% saying the responsibility lies with the CFO or treasurer. The chief risk officer or head of risk came in third place, at 19%.
Mark Carey, a partner at Deloitte & Touche LLP and leader of the governance and risk strategies practice, says he was not surprised that the CEO would be seen as the party ultimately responsible for risk. “There is a body of thought that at the end of the day the CEO is responsible — and that the CFO or CRO is there to support the CEO,” he says. He observes, however, that there are more CEOs and CFOs than chief risk officers in the nonfinancial industries that were surveyed.
What most surprised Carey was the finding that financial risk would be the most volatile area of risk over the next three years. Sixty-six percent of respondents indicated as such. “Given everything we’ve gone through over the last four or five years, to have the majority of respondents say they think financial risk would still be the most volatile area was very surprising,” he says. “I would have expected no change, or less volatile.”
The risks companies are experiencing as part of the global economic crisis, financial and otherwise, are proving to be a catalyst for change. Fifty-five percent of executives reported their organization will revamp their risk-management approach within the next 12 months, and 91% of executives said they plan to do so in some form in the next three years.
Despite heightened attention to risk management, though, less than a quarter of the surveyed executives said their organization monitored risks continuously, as opposed to just periodically, a result that surprised Carey. Reputational and supply-chain risk were even less likely than other business risks to be monitored continuously.
When the executives were asked how they planned to revise their risk-management approaches, 52% said they would elevate the profile of risk management throughout their organization, 39% would reorganize risk-management processes, 37% would provide additional staff training, 31% would incorporate new technology, and 28% would integrate risk into strategic planning.
Asked by what degree their organization’s approach to managing and responding to risk has changed over the past three years because of financial-market volatility, 39% of the executives said it has changed significantly, 40% said somewhat, and 17% said not at all.
The report surveyed 192 U.S. executives from consumer and industrial products, life sciences, health care, technology, telecommunications, and media companies. The respondents came from companies with at least $1 billion in revenue, and fully half of the companies had revenues of greater than $10 billion. Sixty-five of the survey respondents had the title of director or vice president; 49, CEO; and 26, CFO, treasurer, or controller.