If there's one area that one would hope has benefitted from additional resources following the global financial crisis, it is risk management. But according to a new report from the Economist Intelligence Unit, risk management is suffering from the same squeeze as other functions – with potentially disastrous consequences.
The report, Beyond Box-ticking: A new era for risk governance, reveals that risk management efforts are being undermined and improvements postponed as companies slash expenditure, cancel investment and cut headcounts.
Asked about the main barriers to effective risk management in their organisation, the 364 risk professionals questioned as part of the study complained about poor data quality, inadequate technology and a lack of expertise.
But rather than tackling these issues head-on, companies are avoiding making changes that carry a hefty price tag and are instead opting for quick wins and process improvements while trying to do more with less.
"Companies are facing a difficult dilemma in the current environment," acknowledged Rob Mitchell, editor of the report.
"On the one hand, they recognise the need to allocate greater time and resources to risk management so that serious shortcomings with their current approach can be addressed. But, on the other hand, they are facing huge pressures to keep costs under control. Satisfying these competing objectives poses something of a conundrum, and this could prevent necessary fixes to risk management from being made."
Compounding this lack of resources is a lack of risk expertise at the top of companies. The report found that more than half of respondents have no plans to recruit a chief risk officer, and slightly fewer than half don't intend to recruit a board-level executive with overall responsibility for risk management.
But with a high proportion of respondents saying that a "risk culture" depends on strong direction from the top, an absence of expertise at board level suggests that many companies will find it difficult to embed a greater awareness and understanding of risk into their business.
An excessive focus on compliance is another problem raised in the report. Respondents pointed to the identification of new risks as the most important role and responsibility of risk management. But, asked how they allocate their time, it is compliance, controls and monitoring that consume the lion's share of their resources.
More also needs to be done to ensure that risk information is reaching the right people. Only around a third of respondents said that their organisation was effective at ensuring information about risk is reaching the right people, while seven out of 10 felt that risk information wasn't properly tailored to its audience.
But perhaps most concerning, the report highlights just how far most companies need to go to integrate a risk perspective into their core decision-making. In the majority of companies questioned for the research, chief risk officers play no role in major strategic initiatives. Astonishingly, just 44 per cent are actively involved in M&A activity, for example, and just 36 per cent in product development.
As Oliver Engels, head of enterprise risk management Europe for KPMG, which sponsored the research, pointed out, linking risk management to decision-making in the boardroom will be vital for future success. "This will require more knowledge of the risk appetite, the risk profile and the control environment compared with the past."