PwC’s latest Risk In Review study makes some very interesting points. It carries the title of “Managing risk from the front line” and I recommend downloading and reading it.
I like how it begins (with emphasis added):
Today a collaborative approach to risk management with risk accountability sitting squarely in the first line of defence can be the key to greater organisational resiliency and growth. That means an engaged first line that makes risk decisions in alignment with strategy. It means a proactive second line that influences decision making through effective challenge and timely consultation and collaboration. And it means a diligent, independent third line focused on its core missions of protecting the organisation and delivering value.
This recognizes that risk is being taken every hour of every day by decision–makers across the extended organization.
This is emphasized in a quote:
Melissa Lea, SAP AG chief global compliance officer, says that at her organisation, that direct connection is paramount. “We’re very first–line heavy. The more we can get risk responsibility out into the field—first into management’s hands and then to employees to make sure they’re armed with the right expectations to make the right decisions—the more successful we’ll be. We try to get people—either on the ground, in-country, or with the best lines of sight into how a particular risk might materialise—to really own that mitigation approach.”
Is the report perfect? No. For example, they still seem to believe that a risk appetite statement can drive the business decisions that take risk at all levels of the organization. I don’t.
They also don’t emphasize reporting to top management and the board the likelihood of achieving each and all enterprise objectives (i.e., the aggregate effect of risk, positive and negative in terms of the likelihood of success).
But let’s give them some credit for the pieces they got right and hope the emphasis on decision–making extends to the update of the COSO ERM Framework.
I welcome your thoughts.
He retired in early 2013. However,he still blogs, writes, trains, and speaks – and mentors individuals and organizations when he can.
- Do smaller companies manage risk better than larger ones? - May 18, 2022
- Is there an effective risk culture? - April 20, 2022
- The future of internal audit is assurance - March 16, 2022
