Editor: I understand that the topic of Risk and Controls Management is one that is climbing toward the top of the corporate agenda. Why is this the case?
Nolan: Quite simply, today's global organizations have to ask themselves some pretty serious questions, such as: how can we transform an expensive compliance obligation into a real business advantage? Is risk a key consideration in making strategic decisions, and are we forward-looking in addressing emerging risks? In terms of their risk and control processes, organizations want to move from value protection and preservation to one of value creation, and that's why the topic is becoming of increasing interest at the board level.
I think organizations that will succeed in this area will be those that have a strategic vision to see that sophisticated risk and controls management has the capability to deliver beyond the basic goals of reducing potential financial losses and meeting regulatory and compliance requirements. We at KPMG have seen companies taking this issue much more seriously. In 2007, KPMG International decided to investigate risk and control management trends further by enlisting the Economist Intelligence Unit to survey 435 senior executives in organizations around the world, including CEOs, CFOs, heads of internal audit and chairs of audit committees.
Editor: What did the survey tell you about the current status of risk management and how seriously companies are now taking it?
Nolan: Because of the increasing regulatory requirements, companies are taking more seriously the need for good risk and controls management. However, there is also impetus at the board level with 53 percent of survey respondents feeling that the development of risk and control is being driven by a heightened focus from senior management and the board. A further statistic from the survey indicated that 85 percent expect to see increased investment in this area in the next three years.
Editor: What factors do you believe prompted such interest on the part of boards and top management?
Nolan: I think there are three major factors. The first would be increased regulatory requirements, the second is the general expansion in terms of geography and markets and third is the emergence of new types of risks. Senior management is taking this more seriously and thus their risk and controls professionals have to contribute more to the strategic decision-making process. Already KPMG member firms are seeing institutional investors and rating agencies assessing organizations' appetite for risk and their capacity to control it. This is consistent with our survey findings - when asked what factors are expected to have the biggest impact on risk and controls management at their companies, 54 percent of respondents cited increased regulatory pressures, 35 percent cited new business risks and 32 percent mentioned an increased focus from shareholders and investors.
Editor: Not only do you cite increased focus by management, you have also talked earlier about increased investment in risks and controls operations. Presumably, it would be fair to say that management is going to be looking for a return on this investment, so is that how you come to the point about moving from value preservation to value creation?
Nolan: Yes, that's right. Why make an added investment in this area if all it achieves is compliance? The possibility has always been there for risk management to progress from just score keeping to adding value. What senior management wants to see is this value-added component. Whereas risk and controls management has been focused on dealing with the here and now, it now needs to start looking forward and contributing to strategic decision-making. This was reflected in the survey, with 52 percent of respondents wanting risk and controls management to take on more of a strategic role. Forty-nine percent wanted more integration into business units and 48 percent wanted a more forward-looking perspective.
Editor: It sounds like board level executives and senior management know what they want. What are the biggest barriers to ensuring a more efficient risk-management operation?
Nolan: The most significant barrier is a lack of awareness of risk. And while there's a better understanding of financial risks as a result of Sarbanes-Oxley and other regulations around the world, that understanding falls short when considering how risk permeates the rest of the business, such as reputational or operational risks. A second concern is having the right resources in the right place. As all companies strive to come to terms with these issues, professionals who can help in this whole endeavor are increasingly in short supply. This was reflected in the survey, with 22 percent of respondents citing limited awareness of risk or a lack of a risk culture as the main barrier and 17 percent citing both a shortage of resources as well as a poor understanding of risk issues.
Editor: Let's talk about this lack of resources because obviously it's the internal audit function in a business that often has the task of managing this process. If all of this extra focus is falling on risk and controls management, is it placing a hefty strain on the internal audit function? How is the role of a typical employee in such a function changing?
Nolan: I think resources are undoubtedly in short supply, and many companies will decide that they need to source with a third-party provider to plug the gaps. This decision is often balanced with the desire to maintain control over the internal audit function. It's clear that the role of the internal auditor is evolving as the scope of their business becomes even wider. This was reflected in the survey, with 57 percent of respondents seeing the advantages of internal audit outsourcing because it provides them with skills that are not available in the in-house internal audit department.
Editor: Returning to the main barrier to more efficient risk management, which is this point about limited awareness of risk or the lack of a risk culture, is it fair to say that for many companies risk management just isn't part of their everyday life or their corporate culture?
Nolan: That's correct. Risk management seriously needs to raise its profile within the business. High-level support is one thing, but a risk-aware culture has to permeate the organization. A consideration of risk has to form part of the everyday decision-making process, and that would include the three lines of defense when it comes to risk - at the business unit level, at the central risk management level, and at the internal audit level. However, companies do need to avoid taking this too far and creating a risk-averse culture - one where no opportunistic decisions are made. At the end of the day it all comes down to optimizing risk management, and we saw this in the survey, with 35 percent wanting to see risk and controls taking a higher profile in their organization and 30 percent wanting to see more innovative approaches to risk management.
Editor: Considering that this is an area of the business that has suddenly been thrust to the forefront of board thinking, presumably it is an area that's ripe for innovation.
Nolan: Absolutely, and after creating a risk-aware culture, innovation is the second most important consideration in dealing with the barriers that we previously discussed. Innovative approaches used thus far include continuous auditing and monitoring, controls transformation, enterprise risk management and effective executive dashboards. That was also supported in the survey, with 36 percent of respondents saying that continuous auditing and monitoring would most improve their company's risk and controls management, followed by 27 percent who would like to see enhanced controls transformation in terms of process.
Editor: It sounds like a lot will be going on in the internal audit function, so what's your vision of the future for risk and controls management over the next five to ten years?
Nolan: There's definitely an appetite for change. Many companies are now paying internal audit the attention it deserves, and there's a new-found energy sweeping the market. If companies are able to maintain this level of energy and deliver some real changes, there's no reason why risk management cannot become the fourth key platform of a company's performance. That would be alongside people, process and technology. We would also see risk indicators functioning in the same way as performance indicators, both in a qualitative and quantitative way. The goal is to unlock the potential of risk management to drive business value. The will is certainly there, but the tools, the competencies and the culture needs to continue to evolve.
Editor: Excellent. Anyone who's interested in finding out more about this topic and seeing the results of the KPMG research can access the report to which Mike was referring. It's entitled "The Evolution of Risk and Controls" and can be accessed via the podcast feed in your media player. It is also available on KPMG's U.S. website, www.us.kpmg.com.
The views and opinions expressed herein are those of the author and do not necessarily represent the views and opinions of KPMG International or KPMG member firms. The information contained is of a general nature and is not intended to address the circumstances of any particular individual or entity. The materials used herein were the output of the first in a series of podcasts on the topic of Risk and Controls Management. Subsequent podcasts will examine in greater depth issues such as the changing risk environment, the case for co-sourcing, innovation, continuous auditing, controls transformation and the future challenges.