December 2006 — PRINT EDITION    
 

Poor risk management creates more risks*

Canadian companies think they are doing much better with their risk management than they really are

* This is an expanded version of a summary that originally appeared in the December 2006 issue of CAmagazine.

By Robin Hutchinson

When it comes to risk management in Canada, aspiration trumps reality. In an Ernst & Young report, Risk Management in Canada: Moving Beyond Assessment, released this summer, Canadian companies expressed high confidence in their risk management performance, but the report suggests they’re overconfident. Essentially, companies are struggling to move beyond assessing risk to managing it. The report concludes that the typical Canadian risk management framework is underdeveloped, lacks rigour, and is generally not aligned with overall business strategy.

The report finds that half of Canadian companies have a documented risk management strategy and just a third have a formal process to decide how much risk to take on. More than one in three decision-makers says some key risks are not being actively managed at all.

What does this mean for Canadian businesses? They could run afoul of the investment community, regulators and rating agencies, which are applying increased pressure for companies to adhere to high standards of governance. A formal, rigorous approach to risk management is part and parcel of good governance, and investors are demanding no less. From an earlier Ernst & Young survey of institutional investors, we’ve learned they are willing to pay a premium for companies with strong risk management and are just as willing to walk away from an investment found lacking. Nearly half say they’ve done just that.

Increasingly, risk management forms part of rating agencies’ credit evaluations. The use of metrics is a critical market development for agencies such as Standard & Poor’s, Institutional Shareholder Services and Moody’s, which are attributing governance scores to companies.

Regulations such as the Sarbanes-Oxley Act, which addresses financial statement fraud, and the Basel II Accord, which addresses risks in the financial services industry, are driving much of the focus on risk management from a financial control perspective. The challenge, though, is for companies to create a richer, more layered picture of risk, one that balances risks and opportunities.

An embedded risk culture that stretches across functions and line management is the ultimate goal in risk management. Eighty-nine per cent of respondents to the Ernst & Young survey say they have achieved such a culture, yet only 11% of Canadian executives admit having an understanding of risk throughout the organization and a mere 2% believe their companies can clearly identify who owns risk. Furthermore, when it comes to communicating risk to the investment community, a paltry 2% believe they manage their communication well. Here again, the investment community is calling for more transparency about risk profile and risk management systems.

Considering 70% of those surveyed say their risk levels have increased over the previous two to three years, with nearly 32% reporting a significant increase, Canadian companies may unwittingly be setting themselves up for potentially serious problems. One of the report’s few bright spots is that 94% of companies plan to increase their current risk management spending in the coming years. However, without an integrated, focused approach, companies might not derive the full benefits from their investments.

Without a company-wide view of risk management, departments tend to assess how risk affects them, not necessarily the entire company. People are often unaware of the domino effects of risks. For example, human resources might be concerned with succession planning, the IT department with data integrity and reliability, and the tax group with the company’s profit position in light of changes within the company or the industry. Do these risks fit together? If so, how? Conclusions can be reached only when a formal broad-based program is in place. A lack of integration might also mean money is being spent in the wrong places.

One factor that could be impeding Canadian companies from moving forward with their risk management is their relative reluctance to bring in outside advisers. A significantly smaller proportion (24%) have had their risk management approach evaluated by an independent third party, compared with 52% of companies globally. Most companies have the essential components in place to identify and manage risk, and their existing infrastructures can be leveraged to create overall alignment, consistency and efficiency, while eliminating gaps and overlaps.

By failing to actively manage risks or link risk management to business strategy, many Canadian businesses may not be capitalizing on the upside potential of risk. Risk is inherent to all businesses. While poor risk management can derail a company, taking the right risks can spur growth and success, and create value. Globalization is creating increased business opportunities, but without a formal approach to risk management, Canadian businesses might miss opportunities—for example, to enter new markets or pursue a key merger or acquisition—or fail to fully assess and manage the risks involved in seizing opportunities.

So how can Canadian businesses make more efficient use of their time and money? For some, it might mean creating new risk management infrastructures and functions, such as a dedicated risk management department. The caveat here is that an overly bureaucratic or over-engineered approach could push such a department into its own silo. Rather, the risk management function should provide the frameworks, analysis and collection of data that allow alignment across the organization. For others, it might be a matter of simply increasing and formalizing the communication flow between boards, senior executives and functional leaders. Executives need to work closely with each function to ensure that risks are understood and reported, that controls are in place and are working as intended.

Companies that align their goals, risks and risk management activities have much to gain: better management of the risks that matter, the ability to act on opportunities to gain competitive advantage, the achievement of real growth and the creation of value.


Robin Hutchinson is a partner and Canadian leader of Ernst & Young’s risk advisory services practice.

To view Ernst & Young’s Risk Management in Canada report, visit ey.com/ca.