Approach to Risk Management, Risk Assessment and Cross-Functional Collaboration

Risk Management Oversight

Globally, 60 percent of respondents said their boards of directors or board committees have formally established policies on risk oversight and management, up from 58 percent in 2019; another 27 percent have informally and partially done so. The total — 87 percent — is the same as in 2019 and mirrors the results in Aon’s Risk Maturity Index, which shows that around 82 percent of global companies have formal or informal board oversight for risk.

The Middle East saw a significant jump, from 66 percent in 2019 to 75 percent in 2021, in respondents saying their companies have formal policies with a corresponding decline in informal policies — a sign the region is continuing to enhance its overall risk maturity. Latin America and North America improved slightly, while Europe remained steady. Asia Pacific lost ground; 83 percent of 2021 respondents said they have formal, informal or partial policies in place, compared with 89 percent in 2019. Again, these regional variations in results could be explained by differences in company size, rather than a backwards trend in risk management capabilities.

Policies on Risk Management Oversight by Region

When viewed through a revenue lens, larger companies are more likely to have a board of directors or board committee with formally established policies on risk oversight. Perhaps the most surprising finding was the number of respondents who were not able to report on whether or not they had established risk policies — up to one in 10 in some cohorts. In some cases, this could be because the company has separated the management of insurable risk, often in an insurance department, from management of business or strategic risk.

Policies on Risk Management Oversight by Revenue (in $)

Identification of Major Risk by Region and Company Size

Our research shows that companies continue to rely on a range of methods to identify risk, and boards are actively involved through a number of activities. In 2019 and again in 2021, 50 percent of respondents, on average, said their boards conduct formal risk assessments. Another 39 percent said their boards discuss risk during annual planning, and 34 percent said their boards discuss risk at other times.

The percentage of respondents, on average, who said their company relies on senior management judgment and experience jumped from 52 percent in 2019 to 57 percent in 2021; in North America that percentage rose from 67 percent to 72 percent. This increase may have also been due to the unprecedented uncertainty and disruption caused by the COVID-19 pandemic, which required decisive leadership in unusual times.

Identification of Major Risks by Region

Although board and senior leadership involvement in risk identification is extremely beneficial, it must be balanced with other internal and external sources of risk information. Companies that formulate their risk profile with input primarily from a few senior leaders — perhaps overlooking a more diverse source of risk information from those working on the ground in the business, their customers, communities and society as a whole — are more apt to fall victim to groupthink or suffer from cognitive bias.

In a different part of the survey, 60 percent of global respondents said their boards of directors or board committee had formally established policies on risk oversight and management. Yet only 40 percent of respondents said their companies have a structured, enterprise-wide process for risk identification. Without a structured process in place to implement and monitor those risk policies, they are unlikely to achieve their intended objectives.

Lack of a structured process also calls into question the reliability of risk information publicly shared in financial reports such as 10-Ks and may even cause risk departments to focus too much on the risk of the moment rather than on the risks that truly matter most. Companies that don’t have a structured process in place are also more likely to be surprised by every emerging risk and to operate in reactive mode rather than getting ahead of risks.

Internal audit (IA) processes are another key source of information used to identify risks, with 52 percent of respondents indicating they rely on them for this purpose — an increase of 8 percent over last year. Although risk functions and IA need to work together on committees and share information with one another, the functions need to be separate to retain independence. From a risk perspective, IA is naturally more focused on internal controls. Moreover, IA can’t be expected to reasonably audit a risk assessment in which it was heavily involved.

Ultimately, risks can’t be avoided or mitigated unless they are identified. The more diverse the methods used to identify risks, the more likely it is that risks will be discovered before it’s too late. Certain categories of risk, such as changes in market demand or increased competition, can be longer term and speculative in nature, and therefore require external perspectives and data. For risks such as these, companies will not have access to traditional and historic data sets from which to size the exposure. Adopting a multipronged approach to risk identification will bolster resilience and protect companies from all manner of harm. According to our survey results, companies still have work to do in this area.

Excluding companies with less than $1 billion in revenues, reliance on various approaches to identifying risks is similar across revenue bands. We continue to see the heaviest reliance on risk information from internal audit processes to identify risks despite the limitations of this approach.

This year’s survey showed a marked increase within certain revenue bands in the percentage of respondents saying their companies have a structured process for risk identification. For example, among companies with $15 billion to $19.9 billion in revenue, the percentage jumped to 63 percent from 41 percent, while among companies with revenues of $10 billion to $14.9 billion, it rose 20 percent to 66 percent. This demonstrates a move by many organizations to formalize risk management in response to more volatile trading conditions and to assure stakeholders that the company runs a resilient operation. In general, companies are becoming more risk mature.

Companies with over $25 billion in revenues increased their board involvement in assessments and discussions compared with 2019, likely due to regulator and stakeholder pressure. The number of respondents reporting that their boards were involved in risk assessments rose by 5 percent to 57 percent. The number of respondents from the largest companies who reported that their boards included risk in their annual planning cycle or similar process increased 7 percent and 9 percent, respectively. In a post-pandemic world, with many companies looking to reshape their corporate strategies, operations and people, understanding the risks associated with such changes will be paramount.

Identification of Major Risks by Revenue (in $)

Effectiveness of Risk Management and Assessment Processes

The actions companies take to determine the effectiveness of risk management and assessment processes are generally consistent across regions; we see no major outliers here.

In a promising sign, across the board a higher number of respondents than in 2019 said that they compare past risk events to risk management efficacy; however, this approach is insufficient preparation for so-called grey swan events — potential events that companies pay less attention to because there is less precedent for them. The insignificance of the risk of pandemic in most corporate risk registers prior to COVID-19 is probably the best modern-day example of the limitations of using historical data alone to inform predictions for the future. Other forms of evaluation need to be considered to anticipate events, especially those that happen much less frequently.

Methods to Evaluate Effectiveness of Risk Management Programs by Region

Overall, 42 percent of respondents said they evaluate risk management considerations in investment and strategy decisions, another sign of a maturing approach that also reflects the most recent Committee of Sponsoring Organizations of the Treadway Commission (COSO) guidance aimed at better linking risk management to strategy and performance. North America leads other regions in comparing safety-and-loss control results, likely a result of companies in the region having greater access to workers’ compensation and other data needed to conduct this analysis.

Taking actions to lower the total cost of risk (TCOR) is by far most prevalent in North America, with 40 percent of respondents saying their companies do so. This may be because the region has a more sophisticated approach to risk, a greater concentration of insurable risk or access to higher-quality data.

As with regions, across revenue bands we see a consistent approach to comparing past risk events to risk management efficacy. As expected, larger companies are more likely to evaluate risk management considerations in investment and strategy decisions, likely because they follow more sophisticated processes, driven by shareholder requirements and deal sizes. We also see many more of the largest companies — those with more than $20 billion in annual revenue — taking action to lower their TCOR; smaller companies may limit the definition of TCOR to simply the cost of risk transfer or insurance.

Methods to Evaluate Effectiveness of Risk Management Programs by Revenue (in $)

Key Controls and Mitigation

©2021 Aon plc. All rights reserved