Identification of Major Risk by Region and Company Size

Our research shows that companies continue to rely on a range of methods to identify risk, and boards are actively involved through a number of activities. In 2019 and again in 2021, 50 percent of respondents, on average, said their boards conduct formal risk assessments. Another 39 percent said their boards discuss risk during annual planning, and 34 percent said their boards discuss risk at other times.

The percentage of respondents, on average, who said their company relies on senior management judgment and experience jumped from 52 percent in 2019 to 57 percent in 2021; in North America that percentage rose from 67 percent to 72 percent. This increase may have also been due to the unprecedented uncertainty and disruption caused by the COVID-19 pandemic, which required decisive leadership in unusual times.

Identification of Major Risks by Region

Although board and senior leadership involvement in risk identification is extremely beneficial, it must be balanced with other internal and external sources of risk information. Companies that formulate their risk profile with input primarily from a few senior leaders — perhaps overlooking a more diverse source of risk information from those working on the ground in the business, their customers, communities and society as a whole — are more apt to fall victim to groupthink or suffer from cognitive bias.

In a different part of the survey, 60 percent of global respondents said their boards of directors or board committee had formally established policies on risk oversight and management. Yet only 40 percent of respondents said their companies have a structured, enterprise-wide process for risk identification. Without a structured process in place to implement and monitor those risk policies, they are unlikely to achieve their intended objectives.

Lack of a structured process also calls into question the reliability of risk information publicly shared in financial reports such as 10-Ks and may even cause risk departments to overly focus too much on the risk of the moment rather than on risks that truly matter most. Companies that don’t have a structured process in place are also more likely to be surprised by every emerging risk and to operate in reactive mode rather than getting ahead of risks.

Internal audit (IA) processes are another key source of information used to identify risks, with 52 percent of respondents indicating they rely on them for this purpose — an increase of 8 percent over last year. Although risk functions and IA need to work together on committees and share information with one another, the functions need to be separate to retain independence. From a risk perspective, IA is naturally more focused on internal controls. Moreover, IA can’t be expected to reasonably audit a risk assessment in which it was heavily involved.

Ultimately, risks can’t be avoided or mitigated unless they are identified. The more diverse the methods used to identify risks, the more likely it is that risks will be discovered before it’s too late. Certain categories of risk, such as changes in market demand or increased competition, can be longer term and speculative in nature, and therefore require external perspectives and data. For risks such as these, companies will not have access to traditional and historic data sets from which to size the exposure. Adopting a multipronged approach to risk identification will bolster resilience and protect companies from all manner of harm. According to our survey results, companies still have work to do in this area.

Excluding companies with less than $1 billion in revenues, reliance on various approaches to identifying risks is similar across revenue bands. We continue to see the heaviest reliance on risk information from internal audit processes to identify risks despite the limitations of this approach.

This year’s survey showed a marked increase within certain revenue bands in the percentage of respondents saying their companies have a structured process for risk identification. For example, among companies with $15 billion to $19.9 billion in revenue, the percentage jumped to 63 percent from 41 percent, while among companies with revenues of $10 billion to $14.9 billion, it rose 20 percent to 66 percent. This demonstrates a move by many organizations to formalize risk management in response to more volatile trading conditions and to assure stakeholders that the company runs a resilient operation. In general, companies are becoming more risk mature.

Companies with over $25 billion in revenues increased their board involvement in assessments and discussions compared with 2019, likely due to regulator and stakeholder pressure. The number of respondents reporting that their boards were involved in risk assessments rose by 5 percent to 57 percent. The number of respondents from the largest companies who reported that their boards included risk in their annual planning cycle or similar process increased 7 percent and 9 percent, respectively. In a post-pandemic world, with many companies looking to reshape their corporate strategies, operations and people, understanding the risks associated with such changes will be paramount.

Identification of Major Risks by Revenue (in $)

Back to top >