Key Themes
- Organizational Alignment
- Risk Management Effectiveness
- Organizational Dynamics and Effective Risk Management
- Data, Analytics, and Technology
- Building a Cyber Risk Framework

Organization: Where Risk Management Reports
WHERE DOES THE RISK MANAGEMENT FUNCTION AT YOUR ORGANIZATION CURRENTLY REPORT INTO?
[Pie chart. Categories: Chief Financial Officer/Treasurer; General Counsel; Other C-Suite; Chief Risk Officer; Internal Audit; Operations; Human Resources; Other. Values as extracted, not matched to categories: 5%, 7%, 11%, 2%, 5%, 8%, 12%, 50%.]

79% of respondents said their senior leaders are aligned regarding reporting structure.

Organization: What Reports to Risk Management
WHICH RISK-RELATED FUNCTIONS CURRENTLY REPORT INTO THE RISK MANAGEMENT DEPARTMENT?
[Bar chart. Legend: Direct / "Dotted" Line Report; Does Not Report; Does Not Report, But Should. Values per function are in extraction order.]
- Insurance management: 1%, 7%, 92%
- Enterprise risk management: 3%, 21%, 67%
- Environmental risk management: 7%, 30%, 63%
- Business continuity/crisis management: 8%, 31%, 61%
- Safety management: 7%, 34%, 59%
- Compliance management: 5%, 40%, 55%
- IT risk management: 7%, 37%, 56%
- Supply chain risk management: 5%, 29%, 66%
- Internal audit: 4%, 26%, 70%

Risk Management Priorities
OVER THE NEXT 12 MONTHS, WHICH OF THE FOLLOWING AREAS OF RISK MANAGEMENT WILL BE PRIORITIES FOR YOUR ORGANIZATION?*
[Bar chart. Grouped labels and values are in extraction order.]
- Cyber security: 43%
- Identifying / improving RM best practices; Risk training and awareness; Insurance program optimization: 33%, 32%, 36%
- Claims management; Identifying emerging risks facing our organization; Analytics to support strategic decisions; Using RM practices to improve strategy execution; Risk management staffing levels: 27%, 27%, 23%, 19%, 17%
- Supply chain vulnerabilities: 12%
*Respondents were allowed to choose three from the list.

Investment in Risk Management
PLEASE INDICATE THE CHANGES, IF ANY, TO THE LEVEL OF INVESTMENT IN THE FOLLOWING OVER THE NEXT TWO YEARS:
[Bar chart. Categories: Training others in organization on risk management issues/practices; Risk analytics; Risk management staff training; Risk management software; Risk management staffing levels. Legend: Remain Flat; Increase; Decrease. Values as extracted, not matched to categories: 70%, 70%, 51%, 47%, 57%, 42%, 61%, 37%, 27%, 25%, 2%, 1%, 3%, 3%, 5%.]

27% of respondents said that identifying emerging risks would be a priority in 2015.

Impact of Global Risks
We picked out 11 of the risks that the WEF Global Risks 2015 report listed as top concerns in terms of impact and likelihood. For each one, respondents were asked for the time frame in which they expected it to impact their organization. The top three choices for each time frame were:
- IS CURRENTLY A RISK FOR THE ORGANIZATION: Cyber; Natural catastrophe; Infectious disease
- WILL BE A RISK WITHIN THREE YEARS: Energy; Natural catastrophe; Fiscal crises
- WILL BE A RISK IN MORE THAN THREE YEARS: Water crises; State collapse; Fiscal crises
- WILL NEVER BE A RISK FOR THE ORGANIZATION: State collapse; Climate change; Water crises

"One of the things I would identify as being a large risk is the fact that we aren't aligned as well as we'd like to be."
RISK EXECUTIVE AT A METROPOLITAN PORT AUTHORITY

Collaboration on Risk Management Protocols
HOW INVOLVED ARE VARIOUS PARTS OF THE ORGANIZATION IN FOUR KEY RISK MANAGEMENT PROTOCOLS?
- Risk Committees
- Risk Management Strategy Development
- Risk Assessments
- Risk Response
Safety management, business continuity / crisis management, and legal were the functions most widely represented in all four protocols.

Risk Management Effectiveness
HOW WOULD YOU RATE YOUR ORGANIZATION'S EFFECTIVENESS IN REGARD TO THE FOLLOWING RISK-RELATED ACTIVITIES?
TOP FIVE
- Ensuring risk management staff understands the business.
- Hiring and retaining high quality personnel with risk management responsibilities.
- Providing relevant risk information to the board.
- Identifying emerging risks.
- Allocating resources (technology, personnel, finances) to risk management.
BOTTOM FIVE
- Making high-quality risk analytics available to stakeholders.
- Planning for emerging risks.
- Using risk information systems/technology.
- Measuring the effectiveness of risk management.
- Managing risks across multiple global geographies.

"I wish there was some way we could measure success by thought leadership or by the value we bring to our business partners. But I can't figure out a metric for that."
DIRECTOR OF INSURANCE AT A LEADING HEALTH FIRM

Measuring Performance and Effectiveness
WHICH OF THE FOLLOWING DOES YOUR ORGANIZATION USE TO MEASURE THE EFFECTIVENESS OF THE RISK MANAGEMENT FUNCTION?*
[Bar chart. Grouped labels and values are in extraction order.]
- Insurance budget management; Timely risk identification, assessment; Effective claims management: 74%, 74%, 72%
- Timely claims resolution; Litigation outcomes; Integration with operations: 50%, 57%, 54%
- Impact on strategy development and execution; Optimized balance of insurance and corporate capital: 35%, 35%
- Other KPIs: 18%
*Respondents were allowed to choose as many as they felt applied.

Developing Effectiveness Measures: Ideas from the Excellence Focus Groups
Starting point for conversations aimed at developing appropriate measurements:
- Achieve EBITDA targets, based upon agreed, weighted contribution from risk management.
- Measure outcomes against high priority risks.
- Conduct customer satisfaction surveys with business units.
- Create goals and measure performance based upon self-assessments.
- Measure activity tied to specific goals.
- Incorporate analytical decision frameworks into risk finance strategies and measure outcomes against desired thresholds.
- Measure claim recovery timeliness as a contributor to corporate liquidity.
- Evaluate risk finance structures on volatility reduction in addition to other measures.

"It confuses some of our executives when they get basically the same metric reported a slightly different way by four different groups with four different numbers."
RISK EXECUTIVE AT A GLOBAL ENERGY FIRM

Data and Analytics Use
MY ORGANIZATION WOULD BENEFIT BY IMPROVING ITS USE OF DATA AND ANALYTICS IN THE FOLLOWING AREAS*
[Bar chart. Grouped labels and values are in extraction order.]
- Quantifying risk: 39%
- Identifying risk: 34%
- Risk reporting to the board and other stakeholders; Understanding risk tolerance; Understanding organization's risk-bearing capacity; Developing risk action plans; Optimizing risk financing and insurance programs; Informing and supporting strategic risk decisions; Informing decisions on specific risks: 30%, 28%, 27%, 27%, 26%, 25%, 24%
- Identifying supply chain vulnerabilities: 15%
- Other (please specify): 3%
*Respondents were allowed to choose three from the list.

"Cyber scares us to death."
RISK EXECUTIVE AT AN INTERNATIONAL FOOD COMPANY

Steps Taken to Address Cyber Risk
TOP FIVE
- 82% Conducted risk assessment(s) to determine vulnerabilities.
- 79% Allocated cybersecurity resources for prevention, preparation, response.
- 78% Reviewed insurance policies for cyber coverage and gaps.
- 76% Identified, classified data at risk.
- 69% Adopted formal data breach plan.
BOTTOM FIVE
- 51% Reviewed vendor and business partner cybersecurity posture.
- 47% Conducted tabletop exercises to test organizational preparedness.
- 41% Put in place a formal cyber event public relations plan.
- 38% Modeled potential losses.
- 30% Prepared for cyber extortion event.

59% of respondents have no formal cyber event communication plan.

Considerations
- Develop strategies to increase alignment regarding risks and risk management across the organization.
- Work within your organization and through networking outside your organization to explore performance measurements that more closely reflect the risk management function's strategic value.
- Form and evaluate risk committees for potentially missed opportunities for operational leaders to add value.
- Build a broader framework around cyber risk.
- Use this report and others, such as the WEF Global Risks series, to help stimulate and guide discussions about the future of risk management.