Looking to Bridge the Gap
There is a “growing gap” between the way risk managers and C-suite executives view risk management, according to Brian Elowe, managing director, U.S. client executive practice leader at Marsh.
Elowe co-authored the “Excellence in Risk Management” survey along with Carol Fox, of RIMS. The report was released on April 11 during the annual RIMS convention, held this year in San Diego.
“We expect risk managers to manage the known risks but what we really want to know is what is coming around the corner,” said Elowe.
“What organizations struggle with is how to deal with the here and now, and do they have the bandwidth to look down the road?” he said.
Cyber attacks, at 61 percent, were cited as the “next critical” risk faced by organizations, followed by regulations, at 58 percent. Talent availability was third, at 40 percent.
Six in 10 (60 percent) of the 700 risk executive survey respondents said they use claims-based reviews as one of the primary means to assess emerging risks, compared to 38 percent who said they use predictive analytics.
“There is absolutely a rising demand for more and more analytics,” he said, so that organizations can move from a retrospective approach to risk to a more predictive approach.
Nearly half of survey respondents (48 percent) said that forecasting critical business risks will be more difficult three years from now, with another 26 percent saying it would be the same.
Elowe said it would be “very hard, quite frankly,” for organizations to switch to a more forward-looking way of viewing risk.
A predictive analytics approach requires harnessing a depth of knowledge that transcends just one organization’s experience, he said.
“They need a giant database of information to help them understand what is happening in their own sectors,” he said.
In addition, there are often cultural or institutional barriers – such as a lack of collaboration across the organization – that prevent a full understanding of the risk landscape.
About half of risk executives are not members of their organization’s risk committee, he said. “They have input but they could do more to help risk committees.”
One way to help would be to add “emerging risks” to committee discussions. About two-thirds of those committees do not have “emerging risks” on their agendas, he said.
“We think that’s a big opportunity to increase discussions about broader threats, at least on a periodic basis in their risk committees, to be more effective going forward.”
He said it’s helpful to view risks in three buckets: those that are present “here and now”; those around the corner in one to three years; and those on the horizon, about five years out.
Still, he said, the role of risk management is growing in organizations. Five years ago, cyber security would probably only involve the chief technology officer.
These days, in most companies, the risk manager, chief technology officer and others are part of an interdisciplinary committee “and the risk management approach is being applied to how the organization is responding.”
“I see a growing trend where the expectation of risk management is definitely higher and the risk manager is rising to the occasion, not to say there isn’t the opportunity for continued growth,” he said. “I think they are definitely aware of that gap [with the C-suite’s expectations] and are trying to meet that gap.”