Large corporates put their risk management in the hands of CFOs and focus less on strategic risk
A dominant focus on the downside of risk is restraining the value derived from good risk management, research by Deloitte and Hedley May revealed recently.
The interview-based research of 36 large non-financial corporates found that less than half (42%) of them had a dedicated Chief Risk Officer (CRO). The interviews with CROs, CFOs, CEOs and audit committee chairs, found that 72% had their risk function embedded within internal audit. This suggests that most of the time the CFO is ultimately responsible for risk management.
According to Deloitte, interviewees were concerned about a lack of clarity in the role of the CRO and risk function, suggesting that boards and executive committee level CROs are not being supported enough with strategic risk management.
There isn’t an established best practice approach yet around the role of the CRO and how it links to strategic risk
Hans-Kristian Bryn, a risk partner at Deloitte
Hans-Kristian Bryn, a risk partner at Deloitte, explained that CROs today are less concerned with strategy and instead focus their attention primarily on the downside of risk and controls.
“There isn’t an established best practice approach yet around the role of the CRO and how it links to strategic risk, but I do think we’ll see further developments and enhancements of the strategic risk management approach in the next couple of years,” said Bryn.
In relation to strategic risk management, respondents mentioned the need to identify and build resilience to emerging risks and high-impact “Black Swan” events (low probability risks that can have devastating effects).
Bryn stressed that putting risk in a more strategic context and incorporating the upside of it into decision making can increase the value of risk management.
There is a recognition that there is value to be had from good risk management
“Historically when people have been doing risk identification and assessment exercises their focus has traditionally been on ‘what loss could we have’. […] If you start to include strategic risks - whether that’s market share, volume, price, competitive behaviour - then there’s a distribution of items with both an upside and a downside. It’s about which risks we address and about the metrics that we use around those risks.”
“There is a recognition that there is value to be had from good risk management which includes looking at the strategic elements.”
A wider adoption of enterprise-wide CROs within the corporate space is unlikely in the near future, said Deloitte, because the CFO has very strong risk management responsibility. Bryn suggested that future developments in the field will include more embedded risk return capabilities within corporates and more focus on strategic risk.
“In terms of improvements in the risk management approach of corporates we’ll see improvements both in terms of control infrastructure and from a decision making perspective,” he predicted.