When Deloitte surveyed 192 executives in U.S. companies in a variety of industries on their enterprise risk management plans in early 2012, the vast majority agreed that they would not continue doing what they have been doing.
Ninety-one percent stated that they plan to reorganize and reprioritize their risk management approach during the next three years. And more than half, 55 percent, say those changes are coming within the year. At the highest level, continued market volatility risks are to be monitored, along with regulatory, technology and geopolitical/political situations. Within technology and communications, social media joined the list as one of the newest areas of risk to the enterprise.
We don’t know the details of the current approaches these responding executives oversee, but 77 percent employ a centralized model and 20 percent a decentralized model. Thirty-six percent will be moving toward a more centralized model, which Deloitte says makes it more likely that knowledge of key risks reaches top leadership. The methods by which current risk management approaches will be modified remain fairly high-level:
- Elevating the profile of risk management throughout the organization (52 percent)
- Reorganizing risk management processes (39 percent)
- Providing additional training for staff (37 percent)
- Incorporating new technology (31 percent)
- Integrating into strategic planning (28 percent)
Interestingly, one key section of the survey report is titled, “Risk Management Is Now a C-Suite Issue,” indicating that until recently, that wasn’t the case. Indeed, at companies like IBM and CDW, Deloitte found that executives reported moving away from a situation in which risk management responsibilities were spread throughout the enterprise, to one in which the reprioritization and reorganization tactics brought the responsibility to senior management. Again, keep in mind, this is a trend in some of the largest U.S.-based companies, not SMBs.
What role might CIOs play in the reorganization efforts? Respondents report a low frequency of monitoring, and a mix of manual and automated dashboard reporting for executives. New identification or focus on risks will lead to the need for more automated and organized reporting, and respondents expect analytics packages to play a larger role.
In order to get that work done, some survey respondents said budgets will be adjusted. Eight percent said strategic risk budgets will be increased by more than half. About the same number said budgets for technology risk would rise similarly. Around half said they will see “minimal” change. While more budget may be difficult to secure, in terms of positive impact on the company’s bottom line and ability to plan strategically, the high level of interest in improved risk management reporting and tools creates one of the most prominent opportunities for CIOs.