A few weeks back I received an email from the Economist Intelligence Unit announcing a new report they had published and suggesting I may like to post a review.
The report is entitled “Ascending the maturity curve. Effective management of enterprise risk and compliance”.
The report is the result of sponsored research, in this case by the software company SAP. I admit this initially encouraged me to stop reading (hence the delay in publishing this), but it is not the kind of blatant product promotion I posted about in … feeling lost? Try EGRC. In fact there is no specific promotion of SAP at all.
Here are some interesting points that struck me – it is a fairly brief report so I encourage others to read it and form your own perspectives.
The survey was meant to focus on “perception versus reality: how executives view their risk mitigation capabilities versus what they are actually doing.” I think this is a growing and expanding gap in many organizations.
- This capability gap applies to a range of risk-related areas such as BC and especially IT DR. The report provides some information about this gap, but not as much as I hoped.
One reason is that this appears to be a survey of Executives who own the organisational frameworks of Risk Management and Compliance, not those who manage the risk of doing business.
- The Executives being surveyed came from Finance (which included Audit), Risk, Compliance and Legal areas.
These are the Executives who are often the communicators of the perception. It would be interesting to compare the findings to a similar survey of line of business Executives who do the real management of risk.
Secondly, this is not for the Small/Medium sector. 63% of respondents work for companies with annual revenue greater than US$500 million, and 25% greater than US$5 billion annually.
Despite this, there are some really important findings that can (and should) be recognised by all organisations:
- Companies may be underestimating the extent of their risk and compliance failures
  - The survey data indicates that finance may consistently under-estimate the number of failures.
  - It also goes hand in hand with the later point about not learning from failures.
  - We cannot improve our ‘risk intelligence’ unless we use our experience to learn about the nature of the risks we face.
- Risk and compliance management processes may appear to work well – until something goes wrong
  - Put another way, companies are successful until they are not. We continue to be surprised when this happens, and we shouldn’t be.
  - This message is clear in the literature I have reviewed recently, especially the posts relating to Hamel and March.
  - There is an interesting difference in responses to the question about how well risk and compliance practices rate, when controlled for those who admit a failure:
    - 46% of those reporting no failure say their practices are consistent with best practice, compared with only 27% of those who have had a failure.
- Companies may not be learning the broader lessons from risk failure
  - The failure of organisational learning has been another issue I have addressed over recent months.
  - Look at the literature on High Reliability Organisations to see the need for learning from these failures and near misses.
  - Survey responses highlight that we are not learning:
    - 72% resort to the ‘Illusion of Control’: more policies and procedures
    - 26% cover it up in the sub-unit, with no external scrutiny
    - Only 34% report that they publicise the failure or near-miss and their response
- High-performing companies are more likely to have a consistent risk appetite across the organisation
  - I would translate this finding in two ways:
    - First, it is about culture and world views. Successful organisations appear to have a better shared culture. In this case they have broken down the silos where culture is often dictated by external ‘professional’ reference groups. See my post …resilience as learning for more on this point.
    - Secondly, the survey polled the groups that are traditionally the most risk-averse areas of the organisation. This is the perceived risk appetite; the reality is the risk appetite in the operational areas (like Sales and Marketing).
- 47% of respondents did not think their business Executives saw them (Chief Risk Officers) as always helpful or essential to achieving business objectives
Risk and Compliance (or GRC if you must) is emerging as a challenge of enterprise data and information management. In this context it is a space where large-scale information technology tools will be deployed as a panacea.
The biggest challenge of deploying these technological behemoths is neatly summarised in the report.
Boards do not always know the outcomes they want to achieve with these GRC initiatives, nor do they know exactly what information they need.
It is also a challenge of crossing silos, not just of information but of professional turf. The report suggests a technique that would be helpful in any risk, BC or resilience initiative.
A top-down initiative, with cross-silo activity facilitated by a representative from Senior Management with “the authority and credibility to tear down the walls”.
Thanks to Annabel at EIU for reading, and drawing this report to my attention.
How often do we stop and try to assess the gap between perception and reality in our own programs?
Are you asking the right people?