They are:
1. Risk culture
2. Risk management processes
3. Technology.
To address the first area: companies are not balanced in their risk culture. In a survey that KPMG conducted in 2008, 58% of the companies surveyed did not have a clue how risk exposures should be assessed, and 33% reported that they did not have risk management training or teaching. This is a disadvantage because without proper knowledge (training) of how to, first, minimize or avoid some risks in daily work routines and, second, properly handle activities with an exposure to risk, companies are setting themselves up for failure. It's important for every member, management and lower-level workers alike, to know the risk tolerance of that particular company. This will in turn help them develop risk management techniques that coincide with that level of tolerance.
For the second area, risk processes, the survey discovered that most companies are not doing a sufficient job of creating an accurate process to assess their risks. In fact, 33% said they do not even have a risk management process in effect, 13% said they have a risk process, and only 14% of companies have a governance body (i.e., a risk management committee). However, Farrell has stated that companies should be doing more. Committees and departments focused on this area are necessary for companies to stay in line with management and their risk tolerance. It's all a part of the never-ending circle and connection between the top and bottom.
Lastly, companies are lacking in the area of technology. Only 25% of the surveyed companies have applied technology to their ERM area. Of course, this is a hindrance. In our society today, technology drives and aids essential activities. To better assess a company's risk, various technology-aided systems are necessary.
Overall, there is much that can be done to fix this problem. KPMG has listed a few key starting points.
"1. Get strategic: Align ERM to the company's strategic objectives to drive business value, taking into account the needs of all constituencies.
2. Rationalize and simplify: Establish a single-view of risk, with a common risk language (e.g., risk context and categories, evaluation factors [e.g., likelihood, consequence], treatment options and monitoring/internal auditing allocation) to be leveraged across the organization.
3. Consider "three lines of defense": Build upon a thorough "vertical" risk management structure with independence and clear accountability.
4. Formalize and standardize (with practicality): Create a sustainable risk management process (e.g., risk assessment, risk management and risk reporting).
5. Influence behavior through building competencies: Embed risk management competency in the business and operating philosophy.
6. Get proactive: Continuously improve the risk management and monitoring process to anticipate evolving market conditions and business objectives (e.g. risk quantification, risk appetite)."
It's not a process that will be done overnight, but with much work and determination, it can and will be done. ERM will be done, and done efficiently.
(The post above is a paraphrase of information found in the following source. All statistics are accurate according to the website. ALL information was provided by the source as well.
KPMG LLP. "Many Enterprise Risk Management Programs Lack Fundamentals, According to KPMG's Survey of Internal Auditors and Boards". The Earth Times. 20 January 2009. 23 January 2009 <http://www.earthtimes.org/articles/show/many-enterprise-risk-management-programs,685355.shtml>.)