Strategic Risk Management Survey
A survey of contemporary strategic risk management practices in Australia and New Zealand
ADVISORY
Contents
Executive summary
About this survey
Risk policy and strategy
Risk structure
Risk optimisation
Risk portfolio
Measuring and monitoring risk
Further information
Contacts
© 2005 KPMG, an Australian partnership, is part of the KPMG International network. KPMG International is a Swiss cooperative. All rights reserved. The KPMG logo and name are trademarks of KPMG.
Foreword
High profile corporate failures and increasing regulatory pressures are forcing many organisations to reassess their risk appetite, management systems and controls. KPMG has conducted this survey to gauge the current “state of play” and emerging trends in strategic risk management.

Our survey confirms that boards are embracing risk management as a key component of effective corporate governance. While directors see strategic risk management as critical, there is real concern risk management practices will become overly focused on compliance, which may detract from improving business performance. The challenge is obviously to find a balance between compliance and improved business performance.

Risk management is definitely not about completely eliminating risk, or not taking risks, which is a strategic dead end. Rather, it's about intelligent risk taking to generate value and business confidence.

The fact that nearly half of our survey respondents believed their organisations' risk management strategies were not well aligned with business goals suggests that the practice of strategic risk management has yet to be fully integrated into many organisations.

A key area for improvement identified in this survey is the need for organisations to clearly define their “risk appetite”. This will help to clarify and align an organisation’s strategic direction with its risk management policy in terms of its willingness to pursue high, medium or low risk strategic options.

We trust you will find this report of value when it comes to evaluating your own organisation's risk management culture, structure and practices. Compiling the report was certainly an enlightening experience for us at KPMG.

Finally, KPMG thanks those organisations and individuals that took the time to participate in this survey.
JoAnne Stephenson
National Partner in Charge
Risk Advisory Services
Australia

Jeremy Bendall
Partner
Risk Advisory Services
New Zealand
Executive summary
Strategic risk management involves directors and executives in building organisational resilience and flexibility in an environment of uncertainty. It is about leadership, making informed choices and intelligent risk taking.

This report seeks to illuminate contemporary strategic risk management practices in major commercial and public sector entities in Australia and New Zealand. Its findings are derived from an online survey of directors and senior executives in July 2004. Over 80 responses were received from leading organisations.

Current attitudes to risk management reflect concerns arising from corporate failures and increasing regulatory pressure associated with the introduction of more stringent regulation, including the ASX Corporate Governance Guidelines (notably Principle 7) and the CLERP 9 legislation in Australia, and the Sarbanes-Oxley Act in the US.

Given these compliance pressures, it is vital that directors and executives develop a clear sense of their organisations' risk appetites. Strategic risk management requires organisations to balance improving business performance and driving value with regulatory compliance (see Figure 1). A risk management strategy which reflects a balanced approach to business improvement and compliance can lead organisations to the achievement of sustainable value and greater business confidence.

[Figure 1: Achieving Improved Risk Management and Business Performance. Labels: Sustainable Value and Confidence; Integrated Risk Management; Improved Controls; Risk Management; Process Transformation; Compliance; Improved Processes; Business Performance.]

The survey confirms that directors see strategic risk management as a critical component of good corporate governance. However, it highlights several “red flags” suggesting current levels of confidence may be misplaced. In many instances, risk management practices do not support the level of confidence expressed by respondents concerning contribution to effective corporate governance.

The following is a summary of the major findings:
Risk policy and strategy
• Eighty five percent of respondents reported that their organisation's current risk management practices supported strong corporate governance, and that they believed an effective risk management strategy was either critical or very important to the achievement of business goals and objectives. However:
  - nearly half of respondents indicated that their organisation's risk management strategy was only partially aligned, or not aligned at all, to business goals;
  - forty six percent of survey respondents did not perform any risk/return analysis;
  - one-third of respondents answered negatively or were unsure when asked whether their organisation's risk appetite and tolerance was clearly set out in the risk management policy;
  - only 44 percent of respondents' organisations performed a formal evaluation of the effectiveness of existing risk management controls and the cost of these controls;
  - only 40 percent of respondents had developed integrated risk management systems; and
  - thirty five percent of respondents did not perform entity wide strategic risk assessments.
• The standard most commonly used as a basis for organisations' risk management strategies was AS/NZS 4360 Risk Management, followed by the US inspired COSO Internal Control - Integrated Framework.[1]
• Two-thirds of respondents had developed early warning reporting to escalate material risks to the board.

Risk structure and optimisation
• Over half of internal audit functions reported directly to the board audit committee. This is consistent with other KPMG client experiences and the hardening of this reporting line through auditor independence requirements.
• The survey highlighted a high incidence of board risk committees - a development consistent with KPMG's experience with clients. Over half the respondents had established such a committee, 70 percent of which were integrated with the board audit committee, and 55 percent of which included independent directors.
• Risk management policy and strategy appeared to have attracted the attention and commitment of boards and CEOs, with respondents reporting the highest level of commitment and ownership to drive a risk management culture at the board level.
• Despite the commitment of the board, organisations appear to have experienced more difficulty in driving “integrated” risk management systems through the business. Ownership of risk management processes was reported as being lowest at the line manager level.

Measuring, monitoring and reporting risk
• Risk impact assessments are most commonly focused on financial, compliance and reputation criteria.
• Measuring and monitoring of the performance of risk management programs relied heavily on management certification, internal audit, legal and regulatory compliance certification. Robust assessment processes are required to ensure the validity of the certifications being provided, generating intense challenges for internal audit.
• Survey respondents planned to increase their annual report disclosure of risk management information, in terms of approach taken, risks identified and board/CEO declarations.

[1] COSO Enterprise Risk Management - Integrated Framework, Committee of Sponsoring Organisations of the Treadway Commission, 2004
About this survey
In July 2004 KPMG Internal Audit Services conducted an online strategic risk management survey (‘the survey’). Its purpose was to benchmark strategic risk management structures and processes in Australia and New Zealand. The survey targeted directors and senior executives of Top 200 ASX/NZSX companies as well as government and private organisations. Over 80 survey responses were received from leading organisations.

Those surveyed were asked questions covering five areas of risk management.
• Risk management policies and frameworks
• Risk management structure
• Risk optimisation
• Portfolio risk management
• Measuring and monitoring risk exposures

Over half the respondents were from publicly listed organisations. Seventy percent of respondents were located in Australia with the balance in New Zealand. Nearly a quarter of survey respondents were US Securities and Exchange Commission (SEC) registrants, or subsidiaries subject to Sarbanes-Oxley Act compliance requirements, including Section 404 concerning Internal Control over Financial Reporting.

Survey participants
Chief Financial Officer / Chief Risk Officer - 43%
Directors - 20%
Operational Management - 27%
Head of Internal Audit - 10%

Type of organisation
Publicly listed - 52%
Government - 15%
Private - 14%
Other - 10%

Annual revenue of respondents’ organisations
Less than $25m - 14%
$25 - $50m - 11%
$51 - $100m - 6%
$101m - $250m - 11%
$251m - $500m - 14%
$501m - $1b - 12%
More than $1b - 32%

Number of employees in respondents’ organisations
Less than 50 - 9%
50 - 100 - 7%
101 - 500 - 21%
501 - 1000 - 14%
Over 1000 - 49%

Industry profile of respondents
Energy and natural resources - 17%
Finance and property - 30%
Government and health services - 12%
Manufacturing and distribution - 24%
Other - 6%
Retail / wholesale trade - 7%
Communication services - 2%
Construction - 2%
Risk policy and strategy
Determining a risk management strategy and defining it in a policy lies at the heart of an effective enterprise-wide risk management system. The policy should establish the internal environment, including the “tone from the top”. It should define how risk is viewed and addressed by an entity's people, including risk management philosophy and risk appetite.

The survey revealed that more than 80 percent of respondents had a formally approved risk management policy. This indicates a high level of acceptance of risk management principles. Nevertheless, it is concerning that one in five respondent organisations did not possess a formal risk management policy.

In obtaining approval for the risk management policy, the survey showed multi-levels of review and approval as outlined in the accompanying chart.

[Chart: Who provided the final approval of your organisation’s risk management policy? Categories: Board, Audit Committee, CEO, Risk Committee. Values shown: 67%, 46%, 24%, 16%.]

The survey disclosed that nearly 70 percent of risk management policies clearly specified the organisation's appetite and tolerance for risk. Still, further work is required to close this gap. A clear understanding of the board's risk appetite is a fundamental factor in determining how the organisation is going to handle its risks. It guides the organisation in deciding how much risk it can accept, manage and optimise effectively.[2]

Has your organisation’s appetite and tolerance for risk been clearly specified in your risk management policy?
Yes - 68%
No - 29%
Don’t know - 3%

Where risk appetite and tolerance is defined, the survey showed that almost 80 percent of respondents indicated that risk was assessed on a combination of financial and non-financial indicators.

Seventy four percent of all respondents reported that their organisation's risk management strategy was based on a comprehensive profile of business risks. This response is not consistent, however, with the low percentage of respondents performing entity wide strategic risk assessments, referred to later in this paper.

Is your organisation’s risk management strategy based on a comprehensive profile of business risks likely to impact the business in the next 2-3 years?
Yes - 74%
No - 21%
Don’t know - 5%

Eighty five percent of the survey respondents believed their organisation's current risk management practices supported strong corporate governance. An identical proportion of respondents indicated that an effective risk management strategy was either critical or very important in achieving the organisation's goals or objectives. However, 46 percent of respondents said their organisation's risk management strategy was either partially aligned, or not aligned at all, with the organisation's goals, objectives and strategies.

[2] Risk from the CEO and Board perspective, Mary Pat McCarthy and Timothy P Flynn, 2004, KPMG
This finding is of particular concern given that the goal of risk management effort is to highlight those uncertainties that may hinder the achievement of the organisation's goals and strategies. The alignment of risk appetite and risk management processes to the organisation's business objectives is a vital element of effective strategic risk management.

Do you believe that your organisation’s current risk management practices support strong corporate governance?
Yes - 85%
No - 13%
Don’t know - 2%

[Chart: How important is an effective risk management strategy in achieving the goals and objectives of your organisation? Categories: Critical, Very Important, Marginally important, Unimportant. Values shown: 54%, 31%, 15%, 0%.]

[Chart: Is your organisation’s risk management strategy aligned with the organisation’s goals, objectives and strategies? Categories: Fully, Partially, Not Aligned, Don’t know. Values shown: 53%, 43%, 3%, 1%.]

The survey also indicated that most organisations were using more than one recognised risk framework as the basis of their risk management programs. The AS/NZ 4360 Risk Management Standard was the most common framework used, with 50 percent of all respondents indicating their organisations made use of this standard. The other three most commonly used frameworks were COSO - Integrated Control Framework, Sarbanes-Oxley Act and the UK's Turnbull Combined Code. The prevalence of these frameworks possibly reflected the number of subsidiary companies and SEC registrants included in the survey.

Risk frameworks used by organisations as the basis of their risk management program (% of respondents)
AS/NZ 4360 - 50
COSO - Integrated Control Framework - 36
Other - 14

We anticipate that the recently released COSO Enterprise Risk Management - Integrated Framework will become an important benchmark, particularly for larger entities.

While the survey showed that a wide variety of risk management frameworks are being used as reference points, we welcome the introduction of the common language and common definitions proposed by the COSO Enterprise Risk Management - Integrated Framework.
Risk structure
Our survey revealed that most respondent organisations had multiple accountabilities for risk management processes.

Who has overall responsibility for risk management processes in your organisation? Top 5 responses (%)
Board of directors - 70
Chief Executive Officer - 70
Audit Committee - 62
Chief Financial Officer - 48
Chief Risk Manager - 31

Over half of the respondents indicated their organisations had implemented a board risk committee.

Has your organisation implemented any of the following risk committees? (% of respondents)
Risk committee of board - 54
Executive risk management committee - 40
Project steering committee - 35

Where a board risk committee was established, 70 percent were combined with the board audit committee. Eighty percent of respondents also indicated that their board risk committee was responsible for the oversight of legal and regulatory compliance.

Responses about the membership of the board risk committee disclosed a healthy composition, with over half the relevant respondent organisations having non-executive or independent directors on the committee.

Who are the members of the Board Risk Committee? (% of respondents)
Non-executive directors - 55
Independent directors - 53
Chairman - 53
CEO - 57
Executive Management - 30

Just over half these risk committees shared a chairman with the board audit committee.
Who chairs the Board Risk Committee? (% of respondents)
Audit Committee Chair - 51
Independent Non-Executive Director - 20
Board Chairperson - 15
Other (including CEO or Director) - 14

Over 60 percent of board risk committees met on a quarterly basis to review the risk profile, risk mitigation strategies and risk tolerance and appetite of the business. Eighty percent of respondents with a board risk committee believed that the committee's responsibilities had been clearly defined and documented.

Forty percent of respondents indicated that they had an executive risk management committee. The reported composition of these committees is outlined below:

Who are the members of your organisation's executive risk management committee? (% of respondents)
Chief Financial Officer - 87
General Management - 83
Chief Executive Officer - 81
Chief Risk Manager - 55
Head of Internal Audit - 39

The lower percentage of Chief Risk Managers on the executive risk management committee may reflect the lower representation of this role in the organisations surveyed and/or executive management's desire to oversee the Chief Risk Manager’s performance.

Seventy percent of respondents reported that the responsibilities of the executive risk management committee had been clearly defined and documented.
Which of the following statements best apply to your organisation in relation to the responsibilities of the executive risk management committee? (% of responses)
The risk committee's responsibilities have been clearly defined and documented - 70
The risk committee's responsibilities have not been defined clearly - 23
The risk committee's responsibilities have been documented but not defined clearly - 7

Whilst most board risk committees met on a quarterly basis, 60 percent of executive risk committees met on a monthly basis.

The table below highlights the reported usage of risk management systems or processes by survey respondents. It shows that two-thirds of respondents surveyed had “early warning” processes embedded in their risk management systems to effectively escalate material risks to the board. However, only 40 percent of respondents had “integrated” risk management systems in place.

Reported usage of risk management systems and processes (% of responses)
Regular reporting to the board on risk management activities and incidents - 86
Business unit risk assessments - 78
Compliance audit function - 73
Internal audit function - 71
Early warning reporting to escalate material risks to the board - 66
Integrated risk management systems - 40

The survey also underlined the important role of internal audit in the risk management process and the hardening of the reporting line to the Audit Committee, most likely due to auditor independence requirements.

[Chart: Direct reporting line for internal audit function. Categories: Audit Committee, CFO, CEO, Other. Values shown: 57%, 21%, 13%, 9%.]
Risk optimisation
The survey revealed that a significant number of organisations were focused on risk treatment and the reduction of risk, rather than seeking to balance exposure and opportunity within the risk portfolio based on their organisation's willingness and capacity to accept risk.

Under half of all respondents reported that their organisations did not undertake a risk/return analysis to help determine their risk tolerance and appetite. One-third of the organisations undertaking risk/return analysis repeated the exercise at least every six months. The majority of respondents who indicated “other” frequencies indicated that the analysis was undertaken on a project or “as required” basis.

Does your organisation perform a risk/return analysis to help determine the risk tolerance and appetite?
Yes - 46%
No - 46%
Don’t know - 8%

[Chart: Frequency of risk/return analysis. Categories: Monthly, Quarterly, Six monthly, Yearly, Other. Values shown: 31%, 31%, 18%, 11%, 9%.]

The survey indicated that 44 percent of respondents did not formally evaluate the effectiveness of risk management controls and the cost of these controls.

Does your organisation formally evaluate the effectiveness of existing risk management controls and the cost of controls? (% of respondents)
Yes - 52
No - 44
Don't know - 4

A variety of validation processes have been adopted. Survey respondents were asked to record the frequency with which they used these processes and to rate the level of reliance placed on them. The results are outlined in the chart that follows.
[Chart: Validation processes implemented and level of reliance (High, Medium, Low). Processes shown: External Audit, Risk Management Reviews, Management Certification, Internal Audit, Regulatory Compliance Certification, Control Risk Self Assessment, Independent Quality Audits, Independent Agency Ratings, Consultant Reviews.]
As the chart shows, a high percentage of respondents were subject to external audit - not surprising given the mix of respondent organisations. However, in terms of the level of reliance respondents placed on these processes, management certification, internal audit and legal and regulatory compliance certification were seen to provide higher levels of validation.

Eighty percent of respondents indicated that their organisation required management to certify the effectiveness of risk management controls. A high level of reliance was placed on this process by 56 percent of respondents. The same proportion placed a high reliance on internal audit to validate the effectiveness of controls.

Legal and regulatory compliance certification was used by 71 percent of respondent organisations, and this was seen to offer the highest level of assurance. Fifty nine percent of respondents who had implemented this certification process placed a high level of reliance on such certifications.

The challenge exists for management, internal audit and legal advisors to ensure robust assessment processes are in place and appropriate skills and resources are applied.
Risk portfolio
The survey looked at how organisations assessed their approach to risk management.

The survey showed that the level of ownership required to drive the organisation's risk management culture was considered highest at the board level and lowest at the line management level. Fifty two percent of respondents reported ownership of risk management by the board as “excellent”, with only one percent reporting it to be “unsatisfactory”. Forty one percent indicated that ownership at the executive level was excellent, with six percent reporting it to be unsatisfactory. At the line management level only 17 percent indicated ownership to be excellent, with five percent reporting it to be unsatisfactory.

[Chart: How satisfied are you with the level of ownership at board, executive and line management levels to drive a risk management culture? Legend: Excellent, Satisfactory, Good, Unsatisfactory, Don’t know. Values shown: Board 52%, 32%, 12%, 1%; Executive 41%, 32%, 21%, 6%; Line management 17%, 36%, 40%, 5%.]
Despite respondents' views that the lowest level of ownership of risk management was at the line management level, operational risk assessments were the most popular form of assessment undertaken by the survey group (94 percent of respondents).
Which one of the following risk assessments does your organisation perform? (% reported usage)
Operational risk assessment - 94
Financial risk assessment - 85
Information Technology risk assessment - 81
Project risk assessment - 69
Legal / regulatory risk assessment - 69
Entity wide strategic risk assessment - 65
Business contingency risk assessment - 65
Environmental risk assessment - 58
Fraud risk assessment - 52
Program risk assessment - 22
Transition / change risk assessment - 27
Financial risk and information technology risk assessments were undertaken by 85 and 81 percent respectively of respondents. Also of note was the reported usage of entity-wide strategic risk assessments and business contingency risk assessments. Both of these had a reported usage in the survey of 65 percent, which is reasonably low given an earlier response asserting comprehensive risk profiling and risk management systems are seen to support strong corporate governance. The lower reported usage of fraud risk assessment is consistent with the findings of KPMG's Fraud Risk Survey. Seventy eight percent of survey respondents reported that a risk assessment was conducted as part of business case justification for key strategic projects and initiatives. However, the lack of enterprise wide risk assessment highlighted above would suggest that these risk assessments were not being undertaken as part of an integrated and holistic risk management system. The survey results showed that whilst risk assessments were widely performed, the use of scenario planning was less prevalent. Only 41 percent of respondents indicated that scenario planning was a big component of the risk management program.
Which of the following statements apply to your organisation when assessing its approach to risk management? (% reported approach)
Risk assessment is conducted as part of business case justification for key strategic projects and initiatives, e.g. mergers, acquisitions, divestments, major capital expenditure etc - 78
Scenario planning is a key component of the risk management program - 41
Other methods used in assessing risk - 12
Other methods reportedly used by respondents in assessing risk were many and varied. They included “what if analysis”, Monte Carlo simulation/residual risk, KT potential problem analysis, barrier analysis, forcefield analysis, case studies, industry failures, event and fault trees, quantification of unexpected losses and allocation of economic capital, workshops and facilitation sessions, and process mapping. Respondents indicated that the methods used varied according to the range of work being undertaken and the level of investment required.

When questioned about which criteria their organisation used to assess the impact of its risks, three clear front-runners emerged: financial, regulatory/compliance and brand/reputation, with financial being the single most commonly used criterion.

[Chart: Criteria used to assess the impact of risks. Categories: Financial, Regulatory/compliance, Reputation/brand, Political, Other. Values shown: 99%, 91%, 85%, 26%, 19%.]
Other criteria included environment, health and safety, impact on people, customer service performance, management effort and interruption to core services. As expected, some of these other criteria used were industry specific, e.g. clinical impact. The survey also showed that the use of technology tools or software had not been widely accepted in driving the risk management process. Sixty five percent of respondents reported that no software was used for this purpose.
Measuring and monitoring risk
Multiple methods were employed to measure and monitor risk and assess the performance of risk management programs. Sixty three percent of respondents reported that internal audit monitored the performance of their organisation's risk management program.

Given that, as reported elsewhere in the survey, risk management processes were considered necessary to promote strong corporate governance, it is of some concern that over 40 percent of respondents indicated that strategic risk issues were not frequently on their board agendas for independent oversight. This may, however, reflect the strength of the Audit/Risk Committee.

The use of key performance indicators to measure the performance of the risk management process was also lower than expected, with 55 percent of respondents reporting their use. This supports the view that risk management frameworks have not been fully embedded and integrated into management and board processes.

Which of the following methods is used by your organisation in measuring and monitoring risk? (% method used)
Internal audit is used to monitor the performance of your risk management program - 63
Strategic risk issues are frequently on the Board agenda for independent oversight - 59
Key risk indicators are used to measure the performance of the risk management process - 55
Other methods - 20
Of the respondent organisations reporting the use of internal audit in monitoring the performance of the risk management program, two thirds monitored it at least annually. Given the increased regulatory environment and the increasing impact of the Sarbanes-Oxley Act, we expect the role of internal audit and the frequency of review of the risk management process will increase. With regard to the reporting of risk management activities in organisations, the survey showed that the annual report was the most common method used to communicate the organisation's risk management policy and processes. However, 21 percent of respondent organisations had no reference to risk management in their annual reports.

Communication Methods

Annual Report: 64%
ASX/NZSX Continuous Disclosure: 20%
Media briefings: 10%
Institutional presentations: 14%
Not reported: 21%
Not applicable: 16%
Other method: 15%

Survey respondents indicated that the level of disclosure in the annual report was limited, the most common disclosure being a description of the organisation's risk management approach. The least common disclosure was a risk management declaration by the board and/or CEO. The survey found that many respondent organisations were planning to disclose further information in the future, as shown in the table below.

Risk information included in annual report (% of respondents): most recent / future

A description of the risks faced by the organisation: 39 / 57
A description of the strategic risk management approach taken by the organisation: 45 / 67
A risk management declaration by the Board and / or CEO: 22 / 48

The planned increase in the Board/CEO declaration is not surprising given the requirements for sign-off associated with CLERP9, Sarbanes-Oxley Act and ASX Corporate Governance Principle 7. Overall KPMG expects that directors will develop more explicit performance criteria for Chief Executive, Chief Financial Officers, Audit Committees and Risk Committees in relation to risk management practices, compliance and performance.
Conclusion
A risk management strategy which reflects a balanced approach (explicitly considering risk appetite and tolerance) to business performance and compliance management can lead organisations to the achievement of sustainable value and greater business confidence. (See Figure 1)

[Figure 1: Achieving Improved Risk Management and Business Performance. Diagram labels: Risk Management, Compliance, Business Performance, Improved Controls, Process Transformation, Improved Processes, Integrated Risk management, Sustainable Value and Confidence.]
Source: The Compliance Journey: Balancing Risk and Controls with Business Improvement, KPMG 2004

Ultimately, this survey highlights the need for directors and executives to critically review risk management practices and their contribution to effective corporate governance and business performance.
Further information
If you would like to obtain more information on how KPMG can assist you in implementing or developing risk management systems or adopting a strategic approach to risk management, please contact your nearest KPMG office.
Key Contacts

Sydney: *Maurice Pagnozzi, Partner, (02) 9455 9129
Adelaide: Laurie Kozlovic, Director, (08) 8236 3167
Brisbane: Mitchell Petrie, Partner, (07) 3233 3164
Melbourne: Sally Freeman, Partner, (03) 9288 5389
Perth: Travis McAuliffe, Partner, (08) 9263 7271

Auckland: *Jeremy Bendall, Partner, (09) 363 3672
Christchurch: Bruce Loader, Partner, (03) 363 5751
Wellington: Souella Cumming, Partner, (04) 381 8029
Hamilton: Murray Dunn, Partner, (07) 858 6512
Tauranga: Glenn Keaney, Partner, (07) 571 1784

*National Leader, Enterprise Risk Management
kpmg.com.au
The information contained herein is of a general nature and is not intended to address the circumstances of any particular individual or entity. Although we endeavour to provide accurate and timely information, there can be no guarantee that such information is accurate as of the date it is received or that it will continue to be accurate in the future. No one should act on such information without appropriate professional advice after a thorough examination of the particular situation.
© 2005 KPMG, an Australian partnership, is part of the KPMG International network. KPMG International is a Swiss cooperative. All rights reserved. Printed in Australia. The KPMG logo and name are trademarks of KPMG. February 2005. VIC8820RAS.