Risk Management Department and Function

Who is Handling Risk?

A large majority of companies with over $1 billion in annual revenues have formal risk management or insurance departments. A considerably higher number of respondents in North America and the Middle East and Africa (84 percent and 82 percent, respectively) said they have a formal department than respondents in other regions. The high number of North American companies that have formal risk departments is unsurprising given the region’s notable insurable risk challenges, such as catastrophic events and workers’ compensation. Companies in the Middle East continue to invest heavily in their risk departments as they look to build governance frameworks that align with those in more established risk management territories.

Formal Risk Management Departments by Region

Formal Risk Management/Insurance Department by Revenue (in $)

The number of respondents who report to a chief risk officer (CRO) function is almost immaterial at 9 percent. Notwithstanding the fact that some respondents were themselves chief risk officers reporting further up the organization, formal CROs continue to be the exception rather than the norm. According to this year’s respondents, more risk management departments (43 percent) report to finance, treasury or the CFO than to any other department. Given that most risk management departments focus on risk financing, there is a certain logic to this structure; however, it also increases the likelihood that wider strategic or nonfinancial issues — in such areas as reputation, people and compliance — will receive insufficient attention or be overlooked altogether. In North America, 52 percent of risk management departments report to finance, again reflecting the necessary focus of many of these teams on insurable risk.

Organizational Reporting for Risk Management by Region

In a positive trend, almost no respondents said their risk departments report to internal audit. Most stock-exchange guidance to listed firms recommends the separation of risk and audit to ensure true independence. That said, there must be collaboration across functions, with the business always operating as the first line of defense; the risk function working collaboratively with the front line on risk oversight, support, policies and mitigation; and internal audit operating as the last line of risk defense.

Globally, 22 percent of respondents said that risk reports to the CEO or president. Most companies with this structure either have less than $1 billion in revenues or are based in regions — such as Asia Pacific, Latin America, or the Middle East and Africa — in which risk management is still a newer discipline and receives considerable executive attention.

Organizational Reporting for Risk Management by Revenue (in $)

The Size of the Risk Management Department

Across all regions, 40 percent of respondents indicated that their organizations have one or two people working in risk; another 32 percent said they have three to five employees dedicated to risk.

Companies operating in more highly regulated industries or industries where risk and compliance are often consolidated — such as financial services, energy and professional services — are most likely to be included in the 23 percent of $25 billion-plus companies with risk teams of 41 people or more.

There is an interesting debate as to whether larger risk management teams are always more effective. Recognized international standards for risk management, such as COSO and ISO 31000, stress the importance of embedding risk disciplines and behaviors into day-to-day operations. The existence of a larger, centralized risk team may create the impression that the central team is “responsible” for risk management, rather than risk being the responsibility of all. That said, many multinational companies need a centralized team of 10 to 12 people to harmonize policies and otherwise help to achieve risk objectives across the board.

Size of Risk Management Department by Revenue (in $)

As expected, respondents from highly regulated industries or sectors that tend to consolidate risk and compliance teams into one unit — including financial institutions (16 percent), insurance (19 percent) and professional services (11 percent) — were most apt to say they had over 40 employees working in risk functions. By contrast, 82 percent of those working in hospitality, travel and leisure said they have risk teams of eight or fewer people; in the tech industry, that figure is 81 percent.

Size of Risk Management Department by Industry

Planned Investment Changes in Risk Management Resources

For the first time in 2021, the survey included a question about planned investment in risk management resources. Sixty-three percent of respondents across the globe and 64 percent across all revenue bands said they expect their companies to maintain consistent investment levels in risk management resources over the next 12 months. Respondents from smaller companies, those with less than $1 billion in revenue, expressed a slightly greater interest in hiring more risk staff, perhaps because they are now recognizing the value of such investments or are simply in the position of playing catch-up. External services providers have an opportunity to develop offerings targeted to small- to medium-size companies, as this segment also strongly expects to use more external advisors.

Although very few respondents said their companies intend to cut risk resources, risk teams invariably will be required to do more with less given the continually expanding scope of their activities and the general state of the global economy and employment markets.

Planned Investment Changes in Risk Management Resources by Region

Planned Investment Changes in Risk Management Resources by Revenue (in $)


©2021 Aon plc. All rights reserved