Most Financial Services Companies Still Don’t Have End-to-End Enterprise Risk Management – In the 2020s?

By Steven Strickman, LSSMBB and Gary Preysner, CPCU, ARM, LSSBB

This will be the first post in a series where I bring you findings, questions and insights related to Enterprise Risk Management (ERM), derived from an extensive ERM survey conducted by the AICPA in conjunction with NC State University.? I highly recommend reviewing the findings, which are available in the “2023 The State of Risk Oversight: An Overview of Enterprise Risk Management Practices - 14th Edition” by AICPA and NC State University, found at https://erm.ncsu.edu/library/article/2023-risk-oversight-report-erm-ncstate-lp.

?

In each post, we’ll focus on a theme, and reveal what the survey showed.? We’ll generally keep these posts focused on the Financial Services findings, although the study itself was quite broad in nature.? Let’s begin with Financial Services companies’ views on their own Enterprise Risk Management capabilities.?

?

Key findings:

·???????? Overall State of Risk Management Maturity:? End-to-End Risk Management Remains Elusive

·???????? Only 34% of respondents felt that their ERM processes were “end-to-end.”

·???????? 33% of Financial Institutions were “Very Immature” or “Developing.”

The first observation is that roughly two thirds of heavily regulated Financial Institutions feel that they do not have solid, end-to-end Risk Management.? Given the turbulent state of world and industry affairs, this is pretty shocking.? One would have thought that companies had been paying more attention to this function and upgrading steadily over the last decade.?

This raises several critical questions, some of which we’ll address in subsequent posts:

?

·???????? Why hasn’t there been a strong enough impetus to develop this capability, especially in light of the expectations of stakeholder groups such as Board Risk Committees, Regulators, and Ratings Agencies, among others?

·???????? Which ERM capabilities do they feel good about (if any), where are there gaps, and how far away are they from attaining an integrated process?

Why have they failed? It wasn’t a major corporate objective? It started and stopped? They couldn’t find the right talent, etc.?? When a company decides to improve its risk management, it must first gain an understanding of the organizational, budgetary and leadership constraints it must overcome, and be brutally honest about removing or working around those constraints.

The company must then do an inventory of their actual risk management abilities.? There are a number of critical ERM capabilities such as Risk Governance, ERM Skill and Talent, and Internal/External Audit, just to name a few.? The first step in the journey toward ERM competence, and eventual excellence, is a Risk Management Maturity Assessment.? This can be done either as a self-assessment or third party-assisted assessment.? Whichever way you choose, the goals are to gain a firm understanding of your current strengths and weaknesses, acquire the necessary processes and skills, and then link them into a coherent Business Process called Enterprise Risk Management.

Steven Strickman is a development partner with Strategic Risk Associates, LLC, as well as a Founding Partner in the Ironwood Consulting Group, LLC, where he specializes in Risk, Operations and Expense Consulting for the Insurance industry. He can be reached at [email protected].

Gary Preysner, CPCU, LSSBB Gary Preysner, CPCU, LSSBB, is the Insurance Enterprise Risk Practice Leader with Strategic Risk Associates and President of The Ironwood Consulting Group. He works with insurance companies across the globe to improve their insurance-specific processes and implement new technologies, while simultaneously strengthening their risk management capabilities. Contact Gary to discuss how he has developed creative and novel solutions to some of the most difficult process and risk challenges that insurance companies face. He can be reached at [email protected].

Strategic Risk Associates (SRA) is a technology solution provider and risk management consulting practice serving the Financial Services, Insurance and Technology Industries. SRA's proprietary technology and methodology was designed and built by industry experts to enable clients to navigate risk and drive growth. SRA Watchtower is an intuitive risk intelligence and performance management platform built to continuously inform, enlighten, and empower executives and boards. SRA has helped hundreds of banks effectively navigate through significant risk events since the 2008 financial crisis. Learn more here.

?