Briers suggests the second reason as: “Risk management is incorrectly positioned as a compliance function or a governance obligation. Management will go along with a one-day workshop on risk, but the whole exercise is seen as a paper chase.” He states that risk management is regarded as a mechanism for describing risks and communicating them to the Board, but it is not seen as a strategic function, and is not part of the business planning cycle. According to Briers: “It is not considered an essential piece of strategy formulation. It exists in a parallel universe.”
View larger chart image
Risk management, therefore, needs to be brought down to earth. Paolo Mantovano, Partner, KPMG in Italy, believes that: “Given the fast-changing environment, it is essential that the risk function is embedded in the business and is always kept updated about organizational, strategic, business changes or decisions, as well as about external changes that could expose the company to emerging unknown risks."
There is no doubt that executives are aware of the need to manage risk; it is clearly seen as a high priority among ENR companies surveyed, however, only 65 percent of respondents build it into strategic planning decisions often or constantly. “Things are done intuitively, but not systematically,” says Wilson. “The process should be about presenting options and monitoring the hurdles faced in reaching strategic objectives.”
Briers states that: “Companies mistakenly think they can gradually implement a program of enterprise risk management and do so in a piecemeal fashion.” But instead, he thinks they should try to get all the pieces of the risk management puzzle in place in 12 months or less. “Companies assume that the more difficult things, like measuring risk in dollar terms, can wait until some other time, but there has to be a complete system of enterprise risk management put in place right away,” he adds.