accenture risk management research for an era of greater uncertainty report

7/27/2019 Accenture Risk Management Research for an Era of Greater Uncertainty Report

1/40

Accenture 2013 Global Risk Management Study

Risk managementfor an era of greateruncertainty


2/40

2


3/40

3

Contents

Research and interviews were conducted by Accenture and Oxford Economics, who

collaborated to write this report.

About the research 4

Foreword 5

Executive summary 6

Key findings 9

Section 1: Current market pressures 11Perspectives from the global risk dashboard 13

Raising the profile of risk management 14

What sets Risk Masters apart? 15

Becoming a high-performance risk organization 16

Section 2: How firms are responding to current pressures 19

Risk management rises to the executive suite 21

Who should be accountable for risk? 23

An increasingly integrated risk management function 24

Section 3: Becoming a high-performance risk organization 27

Data analytics 30

Risk management talent 31

Compliance efficiency and effectiveness 32

Moving beyond compliance at Credit Suisse 33

Section 4: Four things to do differently 36

1. Treat risk management as a people game 36

2. Look ahead, as new risks are relentless 36

3. Manage compliance through a transformational lens 36

4. Focus on insight, not just data and analytics 37

Conclusion 37


4/40

This report is the third edition of theAccenture Global Risk Management Study,first published in 2009. It is based on aquantitative survey of executives from446 organizations carried out in 2013.Participants came from seven industriesand two public services subsectors(government administration and postalservices). All respondents were C-level

executives involved in risk managementdecisions. Surveyed respondents werefrom Europe (35%), North America (31%),Latin America (9%), and Asia Pacific(25%). About half the companies (46%)had annual revenues over $5 billion, and54% between $1 billion and $5 billion.Respondents included Chief Risk Officers(CROs, 25%), Chief Executive Officers(CEOs, 20%), Chief Financial Officers(CFOs, 25%), Chief Compliance Officers(CCOs, 22%), and Chief Operating Officers(COOs), risk controllers, and internal

auditors (combined 8%).

We also conducted in-depth interviewsin 2013 with senior leaders from 37leading organizations based in AsiaPacific, Europe, Latin America, andNorth America, and across our sevenfocus industries and two public servicessubsectors. These provide supportinginsights for our data-driven research,while further exploring lessons andperspectives from top organizations that

are setting the pace for risk managementin their sectors.

4

About the research

Note: Due to rounding, totals may not equal 100%Source: Accenture 2013 Global Risk Management Study

Regions

Count Percent

Europe 155 35%

North America* 140 31%

Asia Pacific 111 25%

Latin America 40 9%

* North America includes the US and Canada

Industry

Count Percent

Insurance 98 22%

Banking 63 14%

Energy 55 12%

Utilities 50 11%

Healthcare 46 10%

Capital markets 45 10%

Life sciences 42 9%

Governmentadministration

24 5%

Postal 23 5%


5/40

Welcome to Accentures 2013 Global RiskManagement Study.

At a time when we are all busy andthe rules of the game are increasinglychanging, it is important as risk leadersto take some time to gather our thoughtsand plan the course ahead.

This years research effort, titled Risk

management for an era of greateruncertainty, recognizes this need. I hopethat you will benefit from this effort tobring together our marketplace findingsand insights and be able to take awayactions for your organization.

One recurring theme from clientdiscussions and related research effortsover the past months has been that ofRisk and Connectivity. In 2009 we sawrisk management as moving beyond

compliance and in 2011 as a sourceof competitive advantage. Now weare seeing risk management becomeincreasingly connected in many differentways throughout organizations.

This connectivity theme is playing out inthe governance and leadership structures,in the analytics and reporting outputs, inthe integration and alignment with otherkey functions (e.g., Finance, Operations,IT), in the investment and decision-making processes, and importantly in

the talent agenda. From my vantagepoint, these levels of connection are astrong confirmation of the progress riskmanagement has made over recent yearsand is a positive leading indicator that riskcapabilities will have more permanenceeven when the complexities of todaysnew normal are tamed and business andconsumer confidence return.

Our findings for this report have beengathered through a global effort, acrossmultiple industriesand throughout thedocument we have tried to draw outcomparisons and contrasts betweendifferent sectors where relevant. Tosupplement our global report we havealso written a series of industry-specificreports that go into greater detail on our

risk management findings in a number ofindustries.

These industry reports, along witha host of additional complementarymaterials and information, areavailable at www.accenture.com/globalriskmanagementresearch2013. Iencourage you to visit the site from whereyou can easily share information withpeers and colleagues.

I hope that these materials can help

you and your teams address your riskmanagement challenges in an era ofgreater uncertainty.

5

Foreword

Steve Culp

Global Managing Director,Accenture Risk Management
http://www.accenture.com/globalriskmanagementresearch2013http://www.accenture.com/globalriskmanagementresearch2013http://www.accenture.com/globalriskmanagementresearch2013http://www.accenture.com/globalriskmanagementresearch2013


6/40

6

Executive summary

The global macro-economic environmentremains challenging without anyapparent signs of easing. Global operatingmodels can add a mixture of efficiencyand complexity to virtually everybusiness today. Technology continuesto connect us faster and with moreease, but maintaining volumes of dataand keeping levels of consistency is

ever harder. Regulatory requirementsare increasing, both in terms of sheernumber of regulations but also in levelsof specificity. Consumers are betterinformed and more demanding. Andcompetitors, both new and old, arelooking for ways to expand their marketshare at a time when growth remains low.

Against this backdrop, we surveyed nearly450 global risk professionals as part ofour 2013 Global Risk Management Study,1gathering their insights on how they

and their risk management function arehelping to respond to these challenges.

What we see in the marketplace and whatwe hear from the respondents is thatthe role of risk management is rapidlyevolving. According to the study, the vastmajority (98%) of surveyed respondentsreport an increase in the perceivedimportance of risk management at theirorganization. One phrase that resonatedwith us was Action is not optional.That is seen as true both for the broaderorganization and for the risk managementfunction.

At one time, risk management in manyorganizations could be described by someas the department that says no. Todaywe would characterize risk managementmore as the department that enablesexecution.

How organizations arerespondingHow do we see risk managementchanging? First, we see much moreconnectivity withand fromthe top.The proportion of surveyed organizationshaving a CRO, either with or without theformal title, has risen from 78% in 2011

to a near-universal 96% in 2013.

Second, from survey responses we seerisk management as being much moreintegrated and connected, playing a muchlarger role in decision-making across theorganizationparticularly in budgeting,investment/disinvestment, and strategy.

And third, survey respondents see riskmanagement as enabling growth andinnovation. In order to surviveandcertainly to growevery company should

strive to innovate and move its businessforward. Simply pushing forward withoutunderstanding and mitigating the risksahead could ultimately lead to disasterin some form. To enable growth andinnovation, effective and integratedrisk management capabilities should beimplemented early and throughout theprocess. And these capabilities are scarce both within the companies we talkedto in this research and also in the marketat large. So risk management capabilities

should be prioritized and focused on thethings that matter to move the needle forthe organization.

Challenges for the riskfunctionBe careful what you ask for you mayget it.

For many years the risk function hasseemingly pushed to be better heard andmore leveraged. Now that this appears

to be a reality for many organizations, adifferent set of challenges is emerging.

One of the central issues is the availabilityof talent. There is not enough overalltalent, and the existing risk team oftenmay lack many of the softer skills neededfor effectiveness in roles which are closerto the business and strategy execution.

In our 2013 research we found thatboth risk technologists and regulatorychange program managers are reported

as being in short supply. To developskills beyond the core risk disciplines wefound organizations increasingly usinginnovative techniques, such as rotationaltraining and combining risk and strategyroles, to help improve these qualities aswell as to help improve retention rates inan increasingly competitive talent market.

Research participants also cited thechallenge of improving the ability to turndata into insights. The volume of datais ever-increasing, as is the number ofsystems, reporting tools and end-user-applications.


7/40

7

Many organizations say they want tomake better use of analytics, but it isapparent that there is still plenty ofground to cover here. High-performancerisk management organizations are takinga focused approach to embed analyticsinto their management processes. Theyare doing so by, among other measures,improving data quality and developing

actionable dashboards for managementrelated to specific, focused issues. Theyare also cultivating risk technologyshuman element through training andother measures to help make findingsfrom risk analytics actionable andinsightful.

Regulatory concerns were, of course,high on the list of challenges for riskrespondents in the market today.Responding organizations seem to have,in general, improved their compliance

management effectiveness but continueto be challenged by the pace and scale ofregulatory change.

Many respondents said that theywere focused on improving therelationship with their regulatorsas a specific objective a muchmore explicit categorization thanwe saw in previous surveys.

Conclusion: Four things to dodifferentlySince publication of the first AccentureGlobal Risk Management Study in 2009,2it is clear that many organizations havemade great strides in developing riskmanagement functions, but others havebeen left behind.

Our 2013 Global Risk Management Studyfinds nearly all surveyed firms givehigher priority to risk management nowthan they did two years ago. But thereis still much room for improvement.

There appear to be large gaps betweenexpectations of the risk managementfunctions role in meeting broader goalsand its perceived performance for everyorganizational goal we surveyed.

In the following pages we have provideda wealth of data and many examples ofhow others are addressing the variouschallenges to more effectively managerisk in an era of greater uncertainty.

The Report lays out in more detail thecurrent market pressures, shares insightson how firms are leveraging the riskmanagement function to respond tothese challenges and provides data andexamples of what it can mean to be ahigh-performance risk function.

However, to provide some sign-postsas you read through the information, weidentified four of the more significantkey actions which are evidently helpingorganizations reach their risk capabilitygoals for 2015.

1. Treat risk as a people game,developing risk staff withbusiness acumen.

If the risk management functionis to play its elevated role moreeffectively, it increasingly will rely onrisk staff with a deep understandingof the broader business.

2. Look ahead, as new typesof risks are relentless, anddevelop capabilities that matchtomorrows risks.

Risk capability plans should aim to be atleast in concert with the organizationsbusiness development plans, and oftenshould be leading, rather than lagging.

3. Manage regulation through a

transformational lens.Many industries are being forced torethink their business models, processes,reporting and data structures to betterenable effective regulatory solutions.Seeking the opportunities to align theseefforts with the business change agendacan lessen future complexity.

4. Focus on insight, not justdata and analytics, and develop

the human element of risktechnology.

It is important not to miss the forest forthe trees: technology, data, and analyticscan only have value if their insights canbe put into action.


8/40

8


9/40

9

Extent that risk management is integrated withinother business functions.

What risks do executives see rising most overthe next two years?

Regulatoryrequirements

49%

Businessrisks

52%

Operationalrisks

46%

Legalrisks

62%

Marketrisks

47%

Creditrisks

46%

Emergingrisks

42%

Strategicrisks

46%

Organization

Reputationalrisks

38%

Politicalrisks

39%

98%

give a higher priorityto risk management

now than twoyears ago

81%of risk managers

discuss risk regularlywith the board

Strategicplanning

84%

New productdevelopment

63%Performancemanagement

64%

Budgeting

andforecasting

92%

Financingand M&Adecisions

87%

Compliance Managingreputation

Enabling long-term profitgrowth

Infusing riskculture

Reducinglosses

Managingeconomic/financialvolatility

Innovation &productdevelopment

17%

65%

21%

70%

22%

73%

26%

76%

29%

80%

28%

95%

29%

99%

Importance of riskorganization as

means of achieving

Current capability formanaging risk activities

are causing firms to give moreemphasis to risk management ...

... and integrate itinto decision-making

But there is still room forimprovement in managing risk

op external pressures ...

or more information, please visit: www.accenture.com/globalriskmanagementresearch2013

Key findings


10/40

10


11/40

11

Section 1Current market pressures


12/40

Many of the stresses associated withthe global financial crisis have largelyreceded, but if risk professionals wereexpecting space to catch a breath, theyare likely to be disappointed. A new

normal of weaker global economicgrowth and greater uncertainty iscontributing to a rise in business risks,such as pressures on margins, accordingto respondents. A regulatory landscapeof current and proposed legislation,including Basel III, Dodd-Frank in theUS, Solvency II in Europe, and tightercorporate governance requirements, suchas provided under the Sarbanes-OxleyAct, creates uncertainty and complexity.3Meanwhile, austerity pressures are

creating headaches for the public servicessector, and the threat of higher taxation isever-present.

Indeed, all risks covered in our survey areexpected to increase over the next twoyears, according to a sizeable share ofrespondents. Legal risks (62%), businessrisks (relating to changing volumes,margins, or demand, 52%), and regulatoryrequirements (49%) top the list (seeFigure 1). Market risks (47%), operationalrisks (relating to processes, people,

systems or external events, 46%), andcredit risks (46%) are also forecast to rise.

Figure 1. Top risks expected to rise over the next two years

How do you expect the following risks to change over the next 2 years? (Proportionsaying significantly rise or rise somewhat)

It is easy to say what therisks are, but if you do nothave the instruments tosee them or hear themcoming, that is a problem,says Sander van tNoordende, AccenturesGroup Chief Executive ofManagement Consulting.

62%

52%

49%

47%

46%

46%

46%

42%

Legal risks

Business risks

Regulatory requirements

Market risks

Credit risks

Operational risks

Strategic risks

Emerging risks

39%

Political risks

38%

Reputation and brand risks

36%

Liquidity risks

Source: Accenture 2013 Global Risk Management Study

Naturally, the specific risks varyaccording to company and industry.

Daniel Imhof, Risk Director of Hoffmann-La Roche, points to health-care reformin various countries as an example oflegal and regulatory pressures. Werealize now that we could have movedmore effectively in anticipating andadapting to regulatory changes, hesays. Specific developments relatedto regulatory issues triggered greaterrecognition that risk management isimportant, raising the profile of riskmanagement in our organization.

Business risks are being driven largely bycompetition for market share as market

growth slows due to the weak economicrecovery. We have entered an insurancemarket where financial products returnless profit, in a context of a sustainedslowdown in the European economy,argues Hlne Ndiaye, CRO of Generali.A significant focus on optimizingboth underwriting policy and portfoliomanagement will be needed, which is anew paradigm.

12


13/40

13

Perspectives from the global risk dashboard

Our global risk dashboard shows the topfive risks that each industry we surveyedexpects to rise over the next few years.Business risks, including pressures onvolumes or margins, is the only risktype to rank in the top five for eachindustry surveyed. This likely reflectsintensified competitive pressures in anenvironment of slower market growth.

Legal risks rank among the top fiverisks for all nine industries we surveyedwith the exception of capital markets.Regulatory requirements rank as atop five risk category for all surveyedindustries with the exception of energy,healthcare, and postal services. Industryrespondents are more sharply dividedin their perceptions of credit risks andmarket risks. The banking, capital markets,utilities, healthcare, and postal industriessee credit risks among the top five. In aclimate of continuing uncertainty over the

fate of the Eurozone, there seems to be asharp divide in perceptions by industry ofthe extent to which market risks will rise.

Figure 2. Industry respondents top five risks expected to rise over the next

two years

Based on responses to How do you expect the following risks to change over the next2 years? (Proportion saying significantly rise or rise somewhat)


Banking

Capital

markets

Energ

y

Government

administration

Healt

hcare

Insurance

Lifes

ciences

Posta

l

Utilities

Legal risks 1 1 1 1 1 1 1 3

Business risks 2 3 3 3 2 3 3 4 5

Regulatoryrequirements

5 1 4 5 4 1

Market risks 2 2 5 2

Credit risks 3 2 3 2 4

Operationalrisks

4 4 5 5

Strategic risks 2 4 4 3

Emerging risks 4 5 2

Political risks 5

Reputation andbrand risks

Liquidity risks 5


14/40

For many years, economic, financial,and regulatory shifts have tended todominate the risk map. The sudden riseof business risks underscores that firmsmust look ahead. Even as current risks

fall, new threats will appear. Identifyingrisk is one thing, but sensing that a risk ismaterializing is another, says Sander vant Noordende, Accentures Group ChiefExecutive of Management Consulting. Itis easy to say what the risks are, but ifyou dont have the instruments to see orhear it coming, that is a problem.

Raising the profile of riskmanagementTo cope with a more complex anduncertain business environment,companies are elevating the role of riskmanagement and integrating it intotheir corporate strategies. Organizationsrecognize that an effective riskmanagement function will most likelyhave a direct line to the top. As a result,96% of risk management owners nowreport directly to the CEO (see Figure 3).

As further indication of the risingimportance of risk management, our

survey shows greater involvementamong the board in understandingand addressing risk. We have seen anoticeable change in both the make-upand activity of boards as it relates to riskmanagement, says Steve Culp, ManagingDirector at Accenture Risk Management.Boards today are more actively engagedand better prepared to ask the questionspursuant to the risk agendalessfrequently pushing the discussion down tocommittees. More than eight out of 10

risk management owners report regularlyon risk to the board (see Figure 4).

Figure 3. Reporting to the CEO

Does the risk management owner report directly to the Chief Executive Off icer?

Figure 4. Reporting regularly to the board

Is the risk management owner required to report on and discuss risk issues regularlywith the board?



96%

4%

Yes

No

Organizations are also investing in staffand skills as part of their efforts to

elevate the risk management function.In fact, risk is one of the few functionswhere most reporting organizationssteadfastly have refused to cut staffing:only 3% of those surveyed reduced theirrisk staff; 58% increased their staff.

In many areas we find that companieshave achieved goals they reported inour 2011 Global Risk ManagementStudy. For instance, they have almostuniversally elevated the head of risk

to a senior executive role. They haveincreased the level of integration of therisk management function in businessdecision-making. They have not, however,

achieved all their goals. For instance, onearea where organizations continue to

struggle is in moving beyond compliance.Instead, as we shall see, compliancecapabilities appear to have improvedsignificantly, with much less improvementin other areas, particularly in relationto risk managements role in achievingbroader organization goals.

81%

Yes

17%

On an ad hoc basis

2%

No

14


15/40

Risk Masters are organizations withhighly developed risk capabilities,identified using our Risk Masterycapability scale. Masters scored at leastone standard deviation above the mean.They comprise approximately 8% of thesurvey population. They also generallyachieve financial performance above theindustry average.

Risk Masters include risk considerationsin the decision-making processacross strategy, capital planning, andperformance management. Masters alsobetter integrate their risk organizationinto operations, establishing risk policiesbased on their organizations appetitefor risk. And they delineate processes formanaging risks that are communicatedacross the enterprise. These activities aresupported by robust analytic capabilitiesthat reinforce efficient compliance

processes and provide strategic insight.

How else do RiskMasters differ from otherrespondents in the study?1. Masters are more likely to have a

CRO in charge of risk management:58%, compared with 42% for non-Masters.

2. The risk management owners

among Masters have more boardinvolvement: For Masters, 88% of riskmanagement owners communicateregularly on risk with their boards ofdirectors (vs. 80% of non-Masters).And 45% of Masters risk managementowners report to the board more oftenthan quarterly (only 36% of non-Masters).

3. Masters face fewer impediments

to the overall effectiveness of

their risk management functions.

Masters are far less hampered by lackof engagement on key risk issues bysenior management (42%, vs. 55% fornon-Masters). Insufficient talent in therisk management function impedes itsoverall effectiveness for just 33% of

Masters, compared with 42% for non-Masters. And Masters are less likelyto lack budget for making necessaryinvestments in the risk managementfunction (30%, vs. 38% for non-Masters).

4. Risk Masters have a more integrated

risk management function that plays

an elevated organizational role. Theyare more likely to report completeintegration of the risk managementfunction in their organizations

decision-making process for strategicplanning, capital projects, andbudgeting and forecasting. They alsoreport deeper involvement of the riskmanagement function in reach areassuch as performance managementand incentives, where 79% reportthe risk management function iscompletely or largely integrated(compared with 63% for non-Masters).

5. Masters also are more focused on

strategic and emerging risks: For

example, 48% of Masters considerthe risk organizations role as criticalin managing reputational risk,compared with 28% of non-Masters.Masters also see the risk managementfunction as critical in reducing thecost of capital (36%, vs. 20% ofnon-Masters). And 39% of Masterssee the risk management functionas critical in enabling long-termprofitable growth10 percentagepoints higher than non-Masters.

6. Masters are better at recruiting,

retaining, and training staff. Weakrecruitment strategy impedes theability to keep or obtain skills neededin the risk management function inonly 36% of Masters (51% of non-Masters). Weak retention strategies orprograms impede 24% of Masters inkeeping or obtaining skills necessary

for the risk management function (vs.42% of non-Masters). Insufficienttraining programs impede theorganizations ability to keep or obtainstaff in 39% of Masters and 51% ofnon-Masters. And high compensationrequired by staff with the requiredskills hampers Masters ability tokeep or attract the skills needed inthe risk management function inonly 15% of these organizations(vs. 40% of non-Masters).

7. Masters are ahead of the curve inusing Big Data and analytics. Non-Masters face many more challengesin using risk analytics. Only 36% ofMasters report they lack skilled staff todevelop analytical models, comparedwith 51% of non-Masters. Only 27%of Masters have difficulty embeddingrisk analytics in management processesand turning data into informationand insight (vs. 46% of non-Masters).Just under one-third of Masters haveoutdated legacy systems and limited

systems integration (compared withabout 45% of non-Masters). And, only18% of Masters have limited or poor-quality data (vs. 38% of non-Masters).

What sets Risk Masters apart?

15


16/40

And so, organizations continue to investheavily in risk capabilities. As many as53% of surveyed organizations plan toincrease investment over the next twoyears (see Figure 5). This shows an ongoing,

near-universal focus on risk. In 2011, wefound an overwhelming majority (83%)planning to increase risk investments.4 In2013, 45% plan to maintain investments atthese elevated levels, and only 2% of thosesurveyed expect their risk investments todecline in the years ahead.

Becoming a high-performancerisk organizationOne area where organizations continue

to struggle is in fulfilling broaderbusiness expectations for the role the riskmanagement function will play. Even whenrisk management functions succeed inmanaging risks on a day-to-day basis, theymay fail to meet expectationsas a resultof broad reporting requirements and otherpressuresto provide value to the rest of theorganization.

Indeed, the risk management functionsperceived accomplishments in achievingbroader organizational goals such as capitalallocation, risk-adjusted performancemanagement, reduction of operational,credit, or market risks, and managementof economic and financial volatility hasactually decreased for survey respondents(see Figure 6). The only area where a markedincrease is apparent is compliance. Thissuggests the focus of risk managementin some organizations may have becomeunbalanced, and risk managers may at timesbe prioritizing compliance requirementsahead of business value.

Figure 6. Changes in perceived risk management function achievement

since 2011

To what extent have risk capabilities helped your organization achieve the following?

A focus on regulatoryand legal risk may meanorganizations are notanticipating newer hazardssuch as digital security risks.

Figures indicate increase (+) or decrease (-) in perceived risk function achievement since 2011 inpercentage pointsSource: Accenture 2013 Global Risk Management Study

+10

Complying with regulations

+3

Managing reputation with stakeholders

+3

Reducing the cost of capital

+2Managing liquidity and cash flow

+2

Infusing a risk culture in the organization

+1

Enabling long-term profitable growth

-0

Improving capital allocation

-4

Risk-adjusted performance management

-4

Reducing operational, credit, or market losses

-7

Managing the increasing volatility of the

economic and financial environment

Figure 5. Risk management function investment plans: 2011 vs. 2013

How will the total level of investment to develop risk management capabilities evolvein the next 2 years?

Note: Due to rounding, totals may not equal 100%Source: Accenture 2013 Global Risk Management Study

Significant increase (more than 20% higher) Moderate increase (less than 20% higher)

No change Moderate decrease (less than 20% lower)

Significant decrease (more than 20% lower)

2011

62% 2% 1%21% 14%

2013

46% 45%2%7%

Don't know

2%

16


17/40

73%26%

Improving capital allocation

47

73%27%

Managing liquidity

46

70%20%

Managing economic/financial volatility

50

Total share of surveyed respondents who rated the risk organization as critical or important inachieving the goal

Total share of surveyed respondents who feel their risk capabilities have helped achieve the goalto a great extent

99%

29%

Compliance with regulations

70

95%

28%

Managing reputation

67

74%

22%

Risk-adjusted performance management

52

80%29%

Enabling long-term profit growth

51

73%

22%

Reducing operational, credit, market losses

51

76%

26%

Infusing a risk culture

50

70%20%

Reducing cost of capital

50

65%17%

Innovation and product development

48

Gap, in percentage points, between importance and achievement

Figure 7. Gaps between risk management function importance and achievement

To what extent have risk capabilities helped your organization achieve the following?vs. How would you rate the importance of your risk organization as a means ofachieving the following?

Comparing respondents perceptions ofachievement of organizational goals withthe level of importance of those goalsreveals more sobering news: for eachgoal surveyed, there is a gap of at least

46 percentage points (see Figure 7). Thissuggests that delivering business valueremains a challenge.

The largest gap (70 percentage points)is in the traditional area of regulatorycompliance. Risk management functionsare currently focused on closing thisgap, and achievement in compliancewith regulations has risen notably since2011.5 Compliance challenges continueto escalate, however, in the form ofnew, comprehensive, and overlappingregulation. Many geographic expansionplays were made at a time whenregulations were more principles-based,explains Accentures Mr. Sander van tNoordende. The long-term exposure toregulatory fragmentation was there, butnot accounted for.

A focus on regulatory and legal risk andcompliance may also mean organizationsare not anticipating newer hazardssuch as digital security risks. And gaps

for other goals, such as managingreputation, risk-adjusted performancemanagement, and enabling long-termprofitable growth, indicate that morework is needed to prevent the riskmanagement function from falling behindas new risks appear. For example, manyinterviewees report that reputational riskhas grown exponentially with the riseof social media, and management ofoperational risk and reputational risk isa challenge because it needs to involvecontributors beyond risk and f inance, asGrgory Erphelin, CFO of Crdit AgricoleAssurances, puts it.

Improving the role of risk managementis a primary goal for respondents. Whileimportant progress has been made todevelop the risk management functionand integrate risk management at theenterprise level, companies may wish tosharpen their focus on developing high-performing risk organizations.

Note: Numbers have been roundedSource: Accenture 2013 Global Risk Management Study

17


18/40

18


19/40

19

Section 2How firms are responding

to current pressures


20/40

In light of current market pressures,it is unsurprising that 98% of surveyrespondents report an increase in theperceived importance of risk managementat their organization (see Figure 8).

For some, this reflects the ongoingdevelopment of the risk managementfunction and increasing senior managementinvolvement, which began after theglobal financial crisis. Back in 2007, weexperienced some losses in asset-backedcommercial paper, said Ral Bellemare,Senior Vice-PresidentRisk Management ofDesjardins Group. In the period since, riskmanagement has been a lot more presentwithin the organization, he explains.

For others, the intensified focus on riskreflects entirely separate, industry-specificpressures. In terms of unsafe practicesand conditions, there is zero toleranceon such risk, notes RK Mehra, Head ofInternational Trade and Risk Managementat Bharat Petroleum, one of the largeststate-owned oil and gas companies inIndia. I have been working for 25 yearsin resources, and there has been a night-and-day change in the focus on risk,agrees Accentures Mr. van t Noordende.Risk incidents today impact your license

to operate, and if you have a bad enoughincident, you can be shut down.

In other cases, the rising importanceof risk management reflects regulatorypressures. A few years ago, the board ofdirectors decided to redesign the wholerisk management process and centralize it,basing it around financial measures of risk,explains Pascal Koradi, the CFO of SwissPost.

Overall, in light of this rising importance

of the risk management function,respondent organizations are enhancingtheir risk management capabilities. Theyare increasingly turning to initiativesaimed at developing risk managementcapabilities for risks associated with slowereconomic growth. Just under half of theorganizations surveyed are currentlyfocusing on enhancing capabilities tomanage business and strategic risks. Butaround 90% of surveyed organizations arecurrently enhancing or plan in the next

two years to enhance their capabilities formanaging these risks (see Figure 9).

Figure 8. The increasing importance of risk management

Is risk management a higher priority for your organization now than 2 years ago?

Figure 9. Current risk-capability enhancement and plans for the next two years

For which of the following risks are you intending to enhance your corporate risk-management capabilities?

36%

Yes, to a great extent

62%

Yes, to a limited extent

2%

No, less of a priority

98%

say 'yes'



Currently engaged in capability enhancement Planning to enhance in next 2 years

42%

Business risks

48%

40%

Strategic risks

47%

35%

Emerging risks

51%

36%

Operational risks

49%

39%

Market risks

44%

42%

Reputational and brand risks

39%

48%

Liquidity risks

34%

37%

Credit risks

43%

41%

Regulatory requirements

38%

39%

Legal risks

39%

39%

Political risks

31%

20


21/40

Risk management rises to theexecutive suiteA dramatic trend in the wake of the globalfinancial crisis has been the elevation

of risk management ownership intoan executive board-level position. Theproportion of organizations having a CRO,either with or without the formal title,has risen from 78% in 2011 to a near-universal 96% in 2013 (see Figure 10).Risk now has a senior seat, and moreimportantly, a voice at the executivetable, notes Accentures Mr. Culp.

An equally dramatic trend is thereassignment of risk management

ownership, from the CFO to the CRO andCEO roles (see Figure 11). Since the firstGlobal Risk Management Study in 2009,the share of organizations for whichthe risk owner is either the CRO or CEOhas risen from 46% to nearly 70%.6

Figure 10. The risk management owner is increasingly a senior executive

Does your organization have a Chief Risk Officer?

Figure 11. A shift in risk management ownership

Who owns risk management in your organization?

Once we decided to get intothe banking business, theboard of director decidedto redesign the whole riskmanagement process andcentralize it, basing it aroundfinancial measures of risk,explains Pascal Koradi, CFOof Swiss Post.

Not shown: A manager performs the role, no, dont knowSource: Accenture 2013 Global Risk Management Study

78%

96%

2011

2013

"Yes, someone has the title," or "Yes, a senior executive performs the role of the CRO"


2009 2011 2013

8%8%

Chief compliance officer

9%

6%

3%

Risk controller

8%

3%

5%

Chief operating officer

2%

3%

2%

Other/Don't know

3%

33%

45%

Chief risk officer

43%

34%

14%

Chief financial officer

9%

13%

23%

Chief executive officer

26%

21


22/40

Meanwhile, the total share of firms thatcurrently have enterprise risk management(ERM) programs or plan to put them inplace has risen continuously since 2009.About 58% of organizations surveyed

have ERM programs today, and 33%intend to put an ERM program in placewithin two years (see Figure 12), for atotal of 91% penetration of ERM, up from80% two years ago.

The proportion of organizations with anERM program is essentially unchangedfrom 2011.7 This may reflect the inclusionof sectors this year with comparativelylower rates of ERM adoption, such asthe public services sector (see Figure13). In addition, organizations that haveundertaken ERM on a compliance-drivenbasis may be seeking to move to an ERMprogram that produces greater businessvalue.

The concept of ERM as a stand-alone management system has fallenout of favor a little bit, explainsGeir Robinson, Head of Group Riskat BP. That said, most companiesI talk to all have some componentsof enterprise risk management

working within their organization atvarious stages of development.

The expected rise in ERM adoptionprojected to reach near-universal levels by2015also reflects the rising importanceof risk. Antonio Joao Queiroz Lima ofEletrobras explains how his firm is nowfinalizing a process begun more thanthree years ago, which first established arisk department in the holding companyand set up areas for risk and internal

Figure 13. Adoption of ERM by sector

Does your organization have an Enterprise Risk Management (ERM) program?

Not shown: No, dont know


Yes No, but we are planning to implement one in the next 1-2 years

26%

Banking, Capital markets

65%

21%

Energy, Utilities

62%

39%

Insurance

55%

42%

Healthcare, Life sciences

51%

47%

Public services

51%

controls within the utilitys generationand transmission companies. Thecorporate risk methodology establishedin the generation and transmissioncompanies was extended to the groupsdistribution companies in 2012, he notes.

While many organizations adopted ERMsome time ago, such extensions of ERMto create greater business value are

becoming widespread. We are starting topush this out into the organization, saysone head of risk at a US-headquarteredenergy company. Early-adopter functionshave developed a risk-dashboard process,which is delivered regularly to seniormanagement. This dashboard identifiesrisk ownership, current risk status, andefforts required to manage each risk.

Public services organization respondents,comprising the government administrationand postal subsectors, currently adoptERM less frequently than those in otherindustries: 51% currently have a program,against 65% among financial servicesrespondents. That said, the respondentsleast likely to have an ERM program todayare those most likely to say they will putone in place within two years (see Figure

13).

While many organizationsadopted ERM some time ago,extensions of ERM to creategreater business value arebecoming widespread.

Figure 12. Adoption of ERM

Does your organization have an Enterprise Risk Management (ERM) program?

Not shown: No, dont knowSource: Accenture 2013 Global Risk Management Study

Yes No, but we are planning to implement one in the next 1-2 years No, but it is in discussion

2013

4%33%58%

22


23/40

While ownership of risk management bya member of the executive board is allbut standard practice, the accountabilityfor specific risks is a different matter. TheCRO can be informed, but not necessarilyresponsible for all risks.

This is true at many organizations, wherethe risk management function is not theultimate risk owner. Risk managementis a second line of defense, says J-MPhilippe, Risk Director at Predica. Andrisk management responsibility lies withbusiness and operational managers.

One way to help accountability is toassign risk owners for the top riskson the ERM risk register. For majorrisks, the risk owner must be a memberof the board, notes Swiss Post s Mr.Koradi. According to Mr. Mehra of

Bharat Petroleum, each risk has a roleholder and a risk owner. The role holderhas to identify the risk and develop themitigation plan. The risk ownerwe callit the risk championhas oversight on therisk, he explains.

Some of the reasons for makingownership of risk explicit in this way maybe practical. But there is a widespreadsense that no risk management function,no matter how empowered, should bethought of as owning risk. The businessis responsible for riskas the first line ofdefense and the owner of the risk, arguesDesjardins Groups Mr. Bellemare.

Who should be accountable for risk?

23


24/40

2009 2011 2013

47%

Capital projects, evaluation throughout the entire project lifecycle

45%

45%

45%

Investment and disinvestment, or financing decisions

65%

33%

45%

Budgeting and forecasting

63%

48%

50%

Strategic planning

55%

36%

45%

Corporate process and/or system introduction

48%

27%

38%

Performance management process and incentives management

45%

This fact clearly illustrates the evolutionof ERM into a concept with almostuniversal appeal. Public servicesrespondents are projected to havenearly 100% adoption in two years,

ahead even of banking. Two years ago,our auditor general did a study with uson the introduction of ERM into thegovernment, says Phil Grewar, ExecutiveDirector of the Risk Management Branchand Government Security Office, Provinceof British Columbia. His office is now inthe phase of getting the information setup, and each ministry has a risk register.They are required to report into us, andwe put together an overall risk register forthe government.

An increasingly integratedrisk management functionOne of the most striking findings of ourstudy is the closer integration of the riskmanagement function with the rest ofthe organization. Risks are increasinglyassessed on an organization-wide basis,and other areas of the organizationincreasingly call on risk to assist indecision-making. Risk needs to bemanaged at all levels of the businessasan absolutely key part of operationalprocesses, product design, distribution,and underwriting, says Simon Gadd, CRO,Legal & General Group. Its important toset a framework to measure those risksin a consistent way, so you can aggregatethem up the organization and understandthe level of risk youre taking and howyoure managing it.

Figure 14. Integration of the risk management function with decision-making

To what extent is the risk management function currently included in yourorganizations decision-making process for the following areas? (Proportion saying toa great extent)

Setting up an organization-widerisk framework does not mean allresponsibility for risk is transferred tothe risk management function. Rather,integrating the risk function hasbenefits of improving risk managementperformance for the rest of the business.Risk management can be a value-addto the organization in areas such ashedging strategy, and risk evaluationfor M&A, says Joseph Celentano, CROof Pacific Life Insurance Company.

The risk management function is mostlikely to be integrated with budgeting andforecasting, with 92% reporting a majorrole. In our 2013 survey, nearly 29% ofrespondents report the risk managementfunction being completely involved indecision-making in this area. A further63% say it is involved to a great extent,up from less than half in 2009 (see Figure14). All Risk Masters show integrationwith budgeting and forecasting, eithercompletely or

Risk needs to be managedat all levels of the businessas an absolutely key part ofoperational processes, productdesign, distribution, andunderwriting, saysSimon Gadd, Legal & General

Groups CRO.

Note: Scale changed from 3-point scale to 4-point scale between 2011 and 2013. Comparing responseto a great extent over the 2009-11 period (2011-13 only for capital projects).Source: Accenture 2013 Global Risk Management Study

24


25/40

Exchanging information at anearlier stage, before businessplans are even drafted, iscrucial to having input intostrategic decisions, saysDaniel Imhof, Risk Director atHoffmann-La Roche.

to a great extent. Given increasinginteraction of the risk managementfunction in discussions with the board,this rising integration into high-levelplanning processes is unsurprising.

Even though it is much less commontoday for the CFO to be the riskmanagement owner, the risk and f inancefunctions must have a strong partnership.Risk management is fully embeddedin the budgeting process, because risksare interpreted as a deviation from theplan, says Harald Kirschner of RWE. Ineffect, the risk management function isresponsible for evaluating how secure thebudget is.

The vast majority (87%) of riskmanagement functions in 2013 have amajor role in investment decision-making;this includes just under 22% who saythey are fully included. Comparingprogress over 201113 directly, theshare of respondents indicating thatrisk is involved in decision-making inthis area to a great extent rose fromless than half to just above 65%. Riskis obviously involved in investments,and above a certain threshold, group

risk control must be involved, explainsMr. Kirschner. Mr. Robinson of BP alsoreports that the Group risk functionmust be consulted during the Groupsinvestment and appraisal process.

A large majority (84%) of surveyparticipants this year say that the riskmanagement function is fully (29%) orclosely (55%) integrated with strategicplanning in decision-making. For Risk

Masters, the figure is still higher (88%).When a company asks should I put mydollar here or there, risk is now a moreexplicit part of the equation, notesAccentures Mr. van t Noordende.

The nature of this integration appearsto vary substantially, however. In manyorganizations, the role of risk in strategyis limited to supporting analysis. Modelresults are considered as a factual basisfor management discussion, says theGroup CRO of a European-based insurerwith widespread global operations. Andthere is discretion on the pros and cons ofbusiness decisions, he adds.

This limited strategic role for the riskmanagement function as primarily ananalysis provider may explain our findingsthat risk management functions are leastlikely to be integrated in decision-makingaround new product development (63%)and geographic expansion (60%). Thesemajor strategic decisions may not, in

the first instance, depend on the kindsof information provided by standard riskmodels.

Some risk managers feel that providingmodel-based analytical input intostrategic decisions is not enough.Exchanging information at an earlierstage, before business plans areeven drafted, is a crucial input intostrategic decisions, argues Mr. Imhof ofHoffmann-La Roche. He observes thatrisk management input into the strategic

decisions of major importance oftencomes after the strategy has already beenformulated.

Moving further down the scale, only 64%report inclusion of the risk managementfunction fully or to a great extent inthe performance-management decisionarea. Integrating risk with operations

also appears to be a challenge. We areworking to deepen the direct presenceof risk in core functional areas such asclaims, underwriting, and distribution,says the CRO of a global insurance player.Philippe Trainar, Group CRO at SCOR,reports the next step is to integrate riskat the operational level, by defining andconsistently implementing risk standardsrelevant to operational processes.

In the final analysis, the goal is to infuserisk management comprehensively intobusiness processes. Weve been puttinga big focus on integratingand pushingdownthe risk management process,explains Jonathan Stein, CRO and VPof the Hess Corporation. So the riskmanagement process really becomes partof the operational process and the fabricof our decision-making.

25


26/40

26


27/40

27

Section 3Becoming a

high-performance riskorganization


28/40

Despite their progress, many organizationsare striving to build advanced capabilitiesto cope with an increasingly uncertainrisk landscape. In particular, organizationsacross industries can take further action

to integrate risk management withintheir organization, break down silos thatimpede progress, and enhance risks rolein strategy.

In every area surveyed, the differencebetween the proportion of organizationsthat consider themselves highly developedin terms of risk capabilities today andthose that wish to be highly developed in2015 is more than 20 percentage points.In nine out of ten areas probed, it is 25percentage points or more (see Figure 15).

Unsurprisingly, the most developedareas of risk capability today are riskand finance integration, and complianceefficiency. The least developed area isrisk organization and governance, whereonly 23% consider themselves advanced.But the fact that even in the mostwell-developed areas only 35%37%of organizations see themselves at anadvanced level of capability underscoresthe need for continued progress in risk

development.

Figure 15. Top risk capability goals for 2015

Proportion indicating a two-year target rating at 4 or 5 on the 5-point capabilitydevelopment scale, less the proportion indicating a current rating at this level.(Please indicate where your risk management function performs on each of thefollowing:)

Respondents with highly developed capabilities in 2013

Respondents intending a high degree of capability development by 2015

31%60%

Emerging risks29

23%

52%

Risk organization and governance28

34%

62%

Risk management processes28

34%

61%

Risk analytics27

37%63%

Risk and finance integration25

33%

57%

Risk policy, appetite, and culture24

Proportion intending to leap from moderate to high capability development

34%

61%

Performance management and reporting27

28%

62%

Risk technology and data management34

1

33%

66%

Risk talent32

2

35%

65%

Compliance efficiency30

3

1 Top capability development goals

Note: Numbers have been roundedSource: Accenture 2013 Global Risk Management Study

Unsurprisingly, the mostdeveloped areas of riskcapability today are risk andfinance integration, andcompliance efficiency.

28


29/40

Comparing current capabilities onthe risk-mastery scale with desiredcapabilities for 2015 allows us to identifythree key areas of focus: (1) improving anorganizations ability to analyze data and

create insights, (2) finding and retainingtalent, and (3) becoming more efficientin handling compliance and regulatorychange.

While the desire to develop riskcapabilities is strikingly comprehensive,the priorities of every organization will bedifferent. Those wishing to improve focusin other areas will find further relevantreading on our website atwww.accenture.com.8

Eighty-nine percent of our surveyrespondents wish to improve theircapabilities in at least one area; for eachof the top three goals, roughly 50%of respondents wish to improve theircapabilities (see Figure 16). Eighty-threepercent wish to improve in at least twoareas, and 63% wish to improve in five ofthe ten areas. This is powerful evidence ofthe rising importance of risk managementtoday.

Figure 16. Proportion wishing to improveto any degreein each area

of capability

Proportion whose two-year target rating is above their current rating for Pleaseindicate where your risk management function performs on each of the following


52%

Risk technology and data management

51%

Risk talent

50%

Risk analytics

50%

Risk management processes

49%

Compliance efficiency

48%

Emerging risks

48%

Risk and finance integration

47%

Performance management and reporting

46%

Risk organization and governance

46%

Risk policy, appetite, and culture

Improving the way riskmanagers leveragetechnology and data is analmost universal concernacross industries.

29


30/40

Data analyticsRisk managers seeking to improve analyticscapabilities must not only use the latesttechnologies to improve analytics, but take

steps to have the right people on the job toembed analytics in management processes,turning data into information and insight.

Building an effective data analyticsprocess doesnt happen overnight. Lack ofskilled staff is the top challenge, accordingto half of respondents. Risk managers alsocite difficulty in embedding risk analyticsin management processes (44%), outdatedlegacy systems (44%), and lack of systemsintegration (42%) as key hurdles (seeFigure 17).

Where risk data are concerned, the naturalfocus is on systems and technology.The regulators expectation is that theregulatory systems and all the banksystems should talk seamlessly to eachother, says the head of risk at an India-headquartered financial institution. Toachieve this, there is a project to furtherautomate and organize the data withoutmanual intervention.

But while technology obviously hasa critical role to play in analytics,the human element is equally if notmore crucialand is often overlooked.High-performance risk managementorganizations focus on the people skillsneeded to make data analytics successful.Risk Masters are significantly less likelyto report impediments to risk analyticseffectiveness arising from a lack of skilledstaff.

Figure 17. Obstacles to effective risk analytics

To what extent do each of the following challenges impede the effectiveness of yourorganizations use of risk analytics? (Proportion saying to a great extent or to someextent)


50%

Lack of skilled staff to develop the analytical models

44%

Difficulty in embedding risk analytics in management processes

44%

Outdated legacy systems

42%

Lack of systems integration

37%

Unavailability of, or poor quality of, internal or external data

Training is essential to developing thestaff skills necessary for successfulanalytics. This includes training beyondthe risk management function. Peoplein other units have to know how tocollect the right data and put it inthe system, says Mr. Koradi of SwissPost. This challenge is particularlyacute among financial services-sector

respondents, where risk managementincreasingly revolves around a modeldeveloped specifically by or for aparticular financial institution. Wehave specific communities of actuariesand risk managers and a global trainingframework, explains the Group CRO of aEuropean-based insurer with worldwideoperations. This includes a specificonboarding process for actuaries toensure they fully understand the modelsthat are being used.

Naturally, data analytics means littleif the quality of the data is poor. Whileweaknesses in data are not one of themost frequently reported obstacles, theimpact of poor data can be significant,given that good data is the foundationfor other analytics tasks. As Mr. Gaddof Legal & General notes, there is nopoint in having a good model if the datagoing into it are not robust. He addsthat good data also makes productionof management information simpler,

by reducing the manual data cleansingwork required.

Risk Masters generally understandthis, and get the data element right.Almost 60% of Masters report noimpact from challenges relating toweaknesses in risk data, compared withonly 25% of non-Masters (implyingthat about 75% still face data-relatedchallenges). Risk Masters have alreadymade much of the leap up the risk

technology/data capability curvethat other respondent organizationscite as their top goal for 2015.

While technology obviouslyhas a critical role to playin analytics, the humanelement is equally if notmore crucialand is oftenoverlooked: 50% of surveyedfirms lack skilled staff to

develop analytical models.

30


31/40

Figure 18. Greatest shortages in risk management talent

Where do you see the biggest shortage in risk management talent? (Proportion sayingyes for each risk staffing area)


61%

Risk business and data analysts

60%

Risk technologists

58%

Regulatory change program managers and PMO

46%

Pricing and risk quantitative skills

41%

Risk operations specialists

18%

Senior risk leaders

16%

Risk managers

Risk management talentHigh-performance risk managementorganizations have a people strategyfor identifying, attracting, training, and

rewarding risk management talent.

While risk management talent ranksas another top three capability goalfor 2015, it can also be fundamentalto effective operation of the riskmanagement function. Our analysis showsthat risk skills and talent issues are theprimary obstacle inhibiting developmentof data analytics. Survey respondentsmost frequently report shortages of riskdata analysts (61% of respondents) andrisk technologists (60%), followed by

regulatory change program managers(58%). See Figure 18.

Survey participants report significantobstacles with regard to developing riskmanagement talent. At 54%, the topchallenge is the shortage of personnelwith appropriate skills. Weak recruitmentstrategies, a challenge cited by half of allrespondents, certainly do not help. Thesame percentage of respondents say thattraining programs are insufficient (see

Figure 19).

The numbers show that the risingimportance of risk management hasbeen both a blessing and a curse. Onthe one hand, risk management is nowan increasingly high-profile career. Thedownside is that the rising importance ofrisk has set off a fierce and specific warfor talent. Demand for risk management,regulation management, and compliancespecializations has become so intenseover the past several years in banking

that attracting and retaining talenthas become a very important part ofour business, says Luis Nio de Rivera,President and CEO at Banco Azteca. TheGroup CRO of a global insurer based inEurope agrees, adding: It takes roughlytwo years to train for the requirementsof the Solvency II framework, so there isfierce competition for employees with theright skills profile.

Figure 19. Obstacles to risk management talent development

To what extent do each of the following challenges impede your organizations abilityto keep or obtain the skills needed in the risk management function? (Proportionsaying to a great extent or to some extent)


54%

Shortages of personnel with the necessary skills

50%

Weaknesses in recruitment strategy

50%

Insufficient training programs

41%

Weaknesses in retention strategy or programs

38%

High compensation required by personnel with the necessary skills

31


32/40

Indeed, as other industries seek to followthe financial services sector in developingrisk and compliance capabilities, riskprofessionals are increasingly hired awayfrom this sector, according to Rodrigo

de Barros Nabholz, Risk ManagementConsulting at Accenture. The war fortalent in risk expertise in the banking andinsurance industries is therefore spreadingto other industries, adds Rodrigo.Organizations that succeed in developingrisk staff seem to focus on recruitingand training risk management staff withbusiness expertise. This is importantbecause of the growing integration ofthe risk management function in businessdecision-making.

One approach to developing a riskmanagement function with businessexpertise is to change the staff profile.Mr. Bellemare of Desjardins Group notesthat his firm made some changes inthe risk management function to dothisbringing in a lot of people from thebusiness side into risk management. Mr.Imhof of Hoffmann-La Roche describes asimilar approach: In the past, I focusedon people who were educated in riskmanagement and then tried to give them

business skills, he says. But these daysI approach it the other way around byhiring people, say, from research anddevelopment, marketing, or projectmanagementpeople who really knowhow the business is runand thenteaching them risk management.

Risk Masters understandthat risk is a people gameand have focused heavilyon risk-talent challenges:Masters are far less likely toreport that weaknesses inrecruitment strategy impinge

on development of risk talent.

Other high-performance risk managementorganizations rely on rotational programsto tackle this challenge. Having business

people in the risk management functionfor a number of years and then goingback into the business is a way to improvethe companys risk management DNA,says Mr. Culp of Accenture. It also meansthey work better together and do nothave an us vs. them type of approach.

Risk Masters appear to understand thatrisk is a people game and have focusedheavily on solving risk management talentchallenges, using methods like thosedescribed above. Masters are far lesslikely than non-Masters to report thatweaknesses in recruitment strategiesimpinge on their development of riskmanagement talent. Non-Masters arealso far more likely to report a negativeeffect of insufficient talent in the riskmanagement function generally.

Compliance efficiency andeffectivenessOrganizations may want to be proactiveand participate in the regulatoryagenda, leveraging regulation to driveenhancements in risk capabilities.

The second most frequently reportedcapability goal for 2015 is to improve theefficiency and effectiveness of regulatorycompliance. Risk Masters generally useregulatory requirements to promotean internal risk-development agenda,and compliance management takes the

requirements of the overall organizationinto account. Risk Masters are alsoproactive in engaging with regulators,and operate integrated programs meetingmultiple compliance needs. Approximately35% of all respondents place themselvesat or near this level today. A further 30%seek to reach this level by 2015.

The most frequently reported obstacles inthis area are an insufficiently proactiveapproach to working with regulators,noted by 57% of respondents (see Figure

20), a lack of an integrated response(48%), and the inherent difficulty inresponding to overlapping regulatoryrequirements (47%).

Figure 20. Obstacles to achieving compliance efficiency

To what extent do the following challenges impede the effectiveness of yourorganizations response to regulatory change in your industry? (Proportion saying to agreat extent or to some extent)


57%

Insufficiently proactive engagement of the organization with regulators and governments

48%

Lack of integrated response to regulatory reform by business units or senior management

47%

Difficulty of responding to multiple and overlapping regulatory reform programs

40%

Lack of alignment between regulatory reform and long-term strategy for the

business units or senior management

33%

Insufficient budget to deliver an effective response

32


33/40

People think if you have a sophisticatedmodel that produces a number, then thatnumber is correctcorrect in a senseof good and meaningful, says TobiasGuldimann, CRO of Credit Suisse. Butmany investment banks that had moresophisticated models than we did at thetime were hit very hard in 2007.

The existence of models does not implythe end of personal responsibility and

judgment. As the CRO I am acting as therisk conscience of the bank, he notes.Whenever you have a model that tellsyou you have zero risk the red lightshould go on.

That said, in the wake of the globalfinancial crisis, Credit Suisse hasmoved forward in developing risktools and capabilities. One area ofcapability development is the increasing

operationalization of the banks riskappetite statement. While this statementexisted before the crisis, matchingthe banks risk appetite against itsinvestment activity on a one-to-onebasis would have been challenging,given the complexity of the institution.

Turning the risk appetite into anoperational tool meant integratingEconomic Risk Capital (ERC) limits,

Value-at-Risk (VAR) limits, and high-level country limits. We integrated

those into one statement and called itthe risk appetite statement, says Mr.Guldimann. We then expanded it to alsocover liquidity, funding, and treasury.

The result of this endeavor is that ameaningful high-level view of risk can bepresented to the boardand integratedwith strategic planning. This processwas developed in a series of stages. Thefirst was to create the risk-appetitestatement signed off by the board. Thenext phase was to create a process suchthat when the divisions prepared and

reviewed their strategic plans, they alsohad to make explicit risk statementsthat were then adopted into the RiskAppetite Statement. The final stagewas to add a high-level view of marketconditions, which would be the basisof the banks thinking on both risk andstrategy, with sign-off at the board level.

Of course, these and other capabilityenhancements have been expensiveat times. There was a lot of costinvolved, notes Mr. Guldimann. But these

investments have produced advantagesbeyond compliance. For instance, thebanks loss-provision numbers have fallencontinuously over the past five years.Now, some people might argue this wasluck, but I would say, no, he says. This isan outcome of a conscious risk decisionmade several years ago.

Moving beyond complianceat Credit Suisse

33


34/40

Organizations that succeed in takinga proactive approach to regulationoften make an effort to increase seniormanagement involvement in complianceand regulation. In the energy and utilities

industries, respondents note that topmanagers often play an ambassador role,meeting directly with regulators. Thereare signs this approach is spreading toother industries. You want to have seniormanagement involved because they havethe skill set and seniority to get to theright people, notes Mr. Gadd of Legal &General.

Other organizations have establishedprocesses and structures that involvesenior executives. At a global insuranceplayer, the Executive Risk ManagementCommittee (ERMC) chaired by the CEOmeets on a quarterly basis, says the CRO.The working group reviews a heat mapof regulatory developments to identify,analyze, and track regulations, and thenassigns responsibility among participants.

Navigating the complex regulatoryframework requires support staff with theunderlying knowledge of the business andthe regulations. For example, marketing

natural gas requires understanding thevarious regulations that govern thatbusiness including whether or not aphysical sale is considered a swap underDodd-Frank, explains Jonathan Steinof Hess. To have the understanding toconnect the dots, you need embeddedresources who work inside the businessand who understand the business.

We created a small teamwithin the risk team towork as an interface withthe regulatory authority,says Mr. Bellemare ofDesjardins Group.

Engaging more effectively with regulatorscan also be achieved by developing theright skill sets within the risk managementfunction. Mr. Imhof notes that becausewe have much more interaction now with

regulatory bodies, we have to make surewe have the right people down in theorganization to deal with this.

Approaches to address the lack of anintegrated approach and overlappingregulation are inherently related.Overlapping regulation can be addressedby centralizing compliance management,so areas where compliance requirementsoverlap can be assessed and managed.

This type of centralization can enable

the development of a capability-enhancement strategy that leveragesregulatory requirements to transformthe risk management function. Withsuch a plan, organizations can help toensure that capability-developmentinitiatives undertaken in the name ofcompliance will contribute to enablingthe risk management function to assistthe organization in meeting its broaderstrategic goals.

An integrated response can also enablean organization to speak to regulatorswith one voice. We created a smallteam within the risk team to work as aninterface with the regulatory authority,says Mr. Bellemare of Desjardins Group.We want to make sure that when theregulatory authority asks for something,we respond with information at a level ofdetail consistent with what other areas ofthe business have provided.

High-performance risk management

organizations use compliancemanagement strategically, creating valuefor the organization. Risk Masters aremore likely to report that regulatoryreform aligns with long-term strategy,as they view compliance through atransformational lens.

34


35/40

35


36/40

36

Since 2009, successive editions of theAccenture Global Risk ManagementStudy have tracked an increase in theimportance of risk management, anexpanding organizational role for risk, anda dramatic growth in risk managementfunction capabilities of the averageorganization. Many organizations havemade great progress in developing risk

management functions that can play anelevated organizational role effectively.Some have been left behind, however;there is a long tail of survey respondentswho have not moved with the rest ofthe pack in developing their capabilities.Companies that wish to reach their riskcapability goals for the long term shouldconsider the following actions.

1. Treat risk management as apeople gamePerhaps the most surprising finding ofour study is that the main obstaclesto both risk analytics deployment andbetter management of regulatory changerelate to skills and human capital. Theseobstacles include shortages of risktechnologists, analysts, regulatory changemanagers, and risk managers generally.Risk managers report a lack of staff tobuild analytical models and difficultyembedding risk analytics in managementprocesses. It is therefore unsurprising that

risk management talent is one of the topcapability development goals for 2015.

In a way, this finding should not be such asurprise. Globally coordinated regulatorychange has resulted in simultaneous andintense battles for talent around specificskill sets, and the effect is felt amongcompanies as well as the regulatorsthemselves.

There are many other reasons why riskmanagement is a people game. Seniormanagement is increasingly involved inrisk decisions. Risk culture is a broad andsomewhat intangible but increasinglyimportant area of capability development.Incentives and rewards are crucial inaligning the interests of executives withthe interest of the organization.

It is also increasingly crucial that riskprofessionals understand the operationsof the broader business. Without thisunderstanding, they cannot play enhancedorganizational rolessuch as protectingcorporate brands and reputationseffectively. Nor can they provide the inputinto decision-making in strategic andother areas that is increasingly expectedof the risk management function.

2. Look ahead, as new risksare relentlessCompanies can develop a plan for riskcapability that is forward-looking andaddresses tomorrows risks. This plan canleverage regulatory requirements to drivea business change agenda.

There is an inevitable tendency to fightthe last war in risk management.Organizations and regulators are focusedon effectively managing liquidity risks

and financial shocks partly becausethe traumatic events of 2007 and 2008threatened the viability of the globalfinancial system. But the next risk eventsto emerge may be entirely unrelated tothe last. Focusing on the next wartherisk capabilities that will be needed fiveyears from nowis a significant challenge.It may require a strategic plan for therisk management function, an integratedapproach to risk capabilities, and thedirect involvement of senior management.

3. Manage compliancethrough a transformationallensThe intention of much recent regulation isto improve organizations risk capabilities,particularly in the financial servicessector (for instance, Basel III and SolvencyII). The cost of such transformativeregulatory initiatives is such that they canoverwhelm risk staff, potentially resultingin a focus on minutiae with limited realvalue in enhancing capabilities.

It is important to take a step backfrom the process and make sure therequirements of regulators are leveragedto build a risk management function thatcan better meet organizational goals.Organizational priorities are establishedfor risk that span multiple years, with

annual initiatives developed to supportthese priorities, says Sarah Williams,

VP Risk Analytics & Governance at TheHartford.

And companies should consider howto bring senior executives into the riskdevelopment process in an integratedway. If organizations address regulatorycompliance in this way, they have thepotential to develop far greater riskcapabilities. As this is the end goal ofmany regulators themselves, regulators

should be supportive.

Section 4

Four things to do differently


37/40

37

4. Focus on insight, not justdata and analyticsThe aim to improve risk data andtechnology is the most frequentlyreported capability goal by surveyrespondents. It is an issue that impactsall industries to some degree, becausedata quality is fundamental to the

successful operation of a modern riskmanagement function. It is also an acuteissue in industries where regulatorsare demanding more sophisticatedrisk models, such as insurance andbanking. Additionally, developingprocesses and systems such as theuse of data warehouses is inherentlytime-consuming, so progress may lagother areas. Finally, risk-data qualityis a foundational capability on whichother capabilities will be based. Prior toimplementing a risk model, obstaclessuch as data quality must be overcome.

The main insight regarding this capabilitythat comes from our research is not tomiss the forest for the trees: technology,data, and analytics are only valuable ifthe insights they produce are actionable.Analytics are most useful when integratedinto management processes. To make thispossible, insights gleaned from analyticsmust be presented in a straightforwardway, or senior management must be

trained in their interpretation. Alternately,management processes can be adapted sosophisticated risk data can be reviewedby subject-matter experts. One suchapproach is the establishment of boardrisk committees.

ConclusionIn 2013, the transformation of risksstatus in the organization is all butcomplete. Surveyed organizations havecontinued to elevate the importancethey give to risk management. The riskmanagement owner is almost universallya senior executive and overwhelminglyreports directly to the CEO. The riskmanagement owner is overwhelminglyrequired to report directly on risk to theboard. The risk management function isalso playing a significantly larger role indecision-making in areas such as strategyplanning and budgeting. A set of RiskMasters stands apart from the pack, withenhanced risk management capabilitiesand performance results to show for it.

At the time of our first risk managementstudy in 2009, in contrast, risk

management looked more like crisismanagement than a forward-looking,enterprise-wide approach to risk.9 Twoyears later, in 2011, expectations wererising. There was more pressure on therisk management function to play a muchlarger role in achieving fundamentalorganizational aims such as enablinglong-term profitable growth andperformance management.10 But our 2011study found that it was not yet playingthis role effectively.

While risk management functions stillstruggle to meet broader organizationalexpectations, respondents reported in2013 that they have improved compliancecapabilities dramatically. In other areas,such as managing reputational risk andachieving risk-adjusted performancemanagement, some still grapple withfulfilling their required role.

What will we find when we conduct ournext Global Risk Management Study, in2015? We see organizations today, havinginvested heavily in risk management, nowexpecting a return on their investments.We see them endeavoring to turncapabilities into results, by building a riskmanagement staff that understands thebroader business, delivering actionable

insight from analytics, and taking aproactive approach to compliance. Andwe expect to find risk managementfunctions playing their newly elevatedorganizational role with greaterconfidenceand delivering on thesehigher expectations.


38/40

38

We would like to thank the senior executives with global organizations who tookpart in our qualitative interview discussions and participated in our survey. We aregrateful for the inputs of senior staff at each of these organizations:

Banco Azteca

Bharat Petroleum

BNP Paribas Cardif

BP

Caixa Economic Federal

Central Bank of Brazil

CNP Assurances

Crdit Agricole Assurances

Credit Suisse

Desjardins Group

Eletrobras

Euler Hermes

Eurofarma

Generali

Great-West Life

The Hartford

Hess

Hoffmann-La Roche

ING Group

Legal & General

Liberty Mutual

Manulife Financial

Pacific Life

Ple Emploi

Predica

Province of British Columbia

Repsol

RWE AG

SCOR

Swiss Post

Tractebel

University of California

We would like to thank the following senior leaders from Accenture who providedexpert direction on the research, and insight on the issues covered:

Sander van t Noordende, Group ChiefExecutive, Management Consulting at

Accenture

Steve Culp, Managing Director,Accenture Risk Management

Thanks to the following Accenture executives, who also contributed ideas andguidance on this effort:

Laura Bishop

Ben Cattaneo

Amit Gupta

Margarita Jannasch

Eric Jeanne

Luther Klein Tales Lopes

Rodrigo Nabholz

Isabelle Pelletier

Samantha Regan

Haralds Robeznieks

Greg Ross

Ferko Spits

Prasanna Varadan Kent Tianshi Xu

Acknowledgements


39/40

39

1 Accenture, Global Risk ManagementStudy 2013: Risk management foran era of greater uncertainty.September 2013. Accessed at:http://www.accenture.com/globalriskmanagementresearch2013

2 Accenture, Global Risk ManagementStudy 2009: Managing risk for highperformance in extraordinary times.2009. Accessed at: http://www.accenture.com/fr-fr/Documents/PDF/Accenture_Managing_Risk_for_High_Performance_in_Extraordinary_Times.pdf

3 For Basel III, see http://www.bis.org/bcbs/basel3.htm; for Solvency II seehttps://eiopa.europa.eu/activities/insurance/solvency-ii/index.html; forDodd-Frank see http://www.sec.gov/about/laws/wallstreetreform-cpa.pdf;

for Sarbanes-Oxley see http://www.gpo.gov/fdsys/pkg/PLAW-107publ204/pdf/PLAW-107publ204.pdf.

4 Accenture, Global Risk ManagementStudy 2011: Risk management as asource of competitive advantage andhigh performance. 2011. Accessedat: http://www.accenture.com/GlobalRiskManagementResearch2011

5 Accenture, Global Risk ManagementStudy 2011: Risk management as a

source of competitive advantage andhigh performance. 2011. Accessedat: http://www.accenture.com/GlobalRiskManagementResearch2011

6 Accenture, Global Risk ManagementStudy 2009: Managing risk for highperformance in extraordinary times.2009. Accessed at: http://www.accenture.com/fr-fr/Documents/PDF/Accenture_Managing_Risk_for_High_Performance_in_Extraordinary_Times.pdf; and Accenture, 2011. Accenture,Global Risk Management Study

2011: Risk management as a sourceof competitive advantage and highperformance. 2011. Accessedat: http://www.accenture.com/GlobalRiskManagementResearch2011

7 Accenture, Global Risk ManagementStudy 2011: Risk management as asource of competitive advantage andhigh performance. 2011. Accessedat: http://www.accenture.com/GlobalRiskManagementResearch2011

8

See http://www.accenture.com/us-en/outlook/Pages/outlook-

journal-articles-finance-and-performance-management.aspx

9 Accenture, Global Risk ManagementStudy 2009: Managing risk for highperformance in extraordinary times.2009. Accessed at: http://www.accenture.com/fr-fr/Documents/PDF/Accenture_Managing_Risk_for_High_Performance_in_Extraordinary_Times.pdf

10 Accenture, Global Risk ManagementStudy 2011: Risk management as asource of competitive advantage andhigh performance. 2011. Accessedat: http://www.accenture.com/GlobalRiskManagementResearch2011.

References


40/40

About AccentureManagement Consulting

Accenture is a leading provider ofmanagement consulting servicesworldwide. Drawing on the extensiveexperience of its 16,000 managementconsultants globally, AccentureManagement Consulting works withcompanies and governments to achievehigh performance by combining broadand deep industry knowledge withfunctional capabilities to provideservices in Strategy, Analytics, CustomerRelationship Management, Finance &Enterprise Performance, Operations, RiskManagement, Sustainability, and Talentand Organization.

About Accenture Risk