At 192 respondents it is a decent sample size, though it is US-centric and drawn from non-Finance organisations, so not a great all-rounder for you global readers. However, the central message that risk management programmes and frameworks remain in a state of flux (hence the aftershock motif) is a worrying one when one examines the stats behind it:
- 91% are reorganising and reprioritising their approach to risk management in the next 3 years, citing continued market volatility.
- Only 37% had plans to provide additional training in that respect.
- Centralisation cited as a more efficient way of bubbling risks to the top - interested to know if that is everyone's experience?
- Around 50% retain primary responsibility for the "risk management approach" with CEO or CFO, with the CRO in third at 20% - should we be expecting that percentage to be moving up or down at this juncture (in particular, does a CRO need a seat at the top table to be responsible for ERM approach?).
- Example cited of ERM being managed in the corporate strategy department, which I thought was an interesting development.
- Biggest challenges included: 26% stating that incentives are not rewarding 'risk-based decisions'; 22% struggling with the misalignment of the business operating model and the ERM model; and 23% suffering a lack of information to make risk-based decisions. These three (there are of course more in the list!) struck me as common issues when preparing for Solvency II, so handy stats in that respect.
- Staggeringly, Social Media is equal fourth on the list of "most important risk sources over the next 5 years" - equal with Financial Risk! Not to underplay the emergence of social media and its multiplier effect on reputational risk, but seriously?
- Most "risk types" are monitored either periodically or continuously, though strategic and reputational risks seem to be most likely to be measured on an ad-hoc basis (something which you ORSA consultants out there will sympathise with!)