A mature risk culture operates on a commonly understood taxonomy for aggregating, tracking, and predicting risks, leveraging data analytics and other technologies for optimal coverage.
In assessing risk culture maturity, we questioned companies about 11 practices that are hallmarks of highly developed risk cultures. To grade cultural maturity, we awarded respondents one point for each practice their organization has in place. Low-maturity respondents scored 0–2 points, medium maturity 3–5 points, high maturity 6–8 points, and very high maturity 9–11 points. In examining industry sectors to determine their comparative risk maturities, we reached the expected result: The most-highly-regulated industries have the most-highly-evolved risk management practices, with financial services and healthcare organizations posting the highest overall scores.
Across the organization, a risk-aware culture follows consistent global norms that prioritize doing the right thing over simply meeting a required standard. Exemplifying an aspirational tone from the top, 61% of our Front Liner respondents say their leadership prioritizes doing the right thing, compared with just 50% of non–Front Liner respondents.
Front Liners also lead in other measures that define a strong, organization-wide risk culture. For instance, they’re more likely to communicate proactively with external stakeholders following a negative risk event (49% vs. 37%) and to encourage a culture in which the second line of defense can effectively challenge the first line (55% vs. 45%).
In an ecosystem that integrates risk management into first-line decision making, risk and compliance functions need to see the big picture, understanding broad operational processes from a strategic, operational, and financial perspective. By doing so, they amplify their value as key partners in the risk-focused culture.
The acquisition and use of leading risk management tools and techniques is key to maintaining a sound risk culture. On this measure, Front Liners outpace other respondents by wide margins. They are, for example, more likely to use a risk rating system (81% vs. 67%) and carry out stress-testing or reverse stress-testing (50% vs. 38%).
Supporting their strategic shift of risk ownership toward the first line of defense, we saw gains across our full sample in the use of certain leading risk management tools and techniques. For instance, 55% of 2017 respondents reported that they’ve defined their risk appetite/tolerance across key risk categories (vs. 42% in 2015) and 51% of 2017 reported that they have a well-defined and well-communicated risk appetite statement/framework (vs. 38% in 2015).
Also, compared with 2016 results, significantly more CROs say their senior leaders understand the value of strong risk management (72% vs. 58%), and that the second line of defense is seen as a catalyst for growth (43% vs. 36%).
The differences are stark. And so are the benefits.
Front Liners’ responses on the topic of past risk events suggest their confidence is based on a track record of success. Though negative risks are equal-opportunity afflictions, threatening all companies on a level playing field, a significantly larger percentage of Front Liners reported having addressed a negative risk event effectively. This held true across all causes of business disruption on which we surveyed.
Among companies that suffered a disruption due to changes in business models or strategy, 66% of Front Liners reported recovering effectively, versus 49% of other respondents. Among companies disrupted by operational risk, 63% of Front Liners reported effective recovery, compared with 46% of non–Front Liners. And among companies that suffered a business disruption due to geopolitical upheaval, 56% of Front Liners said their company recovered effectively, versus 39% of other respondents.
Perhaps that is one of the reasons why the majority of our survey respondents overall feel that managing risks from the first line makes them better at not only anticipating but also mitigating risks.
GRC Technology Enablement Leader, Financial Services Internal Audit, Compliance and Risk Management Solutions Leader
Tel: +1 (202) 729 1627
Global Risk Assurance Leader
Tel: (+852) 2289 2316