AICPA: The State of Risk Management
In the fall of 2020, the American Institute of Certified Public Accountants (AICPA)surveyed 420 members of the AICPA’s Business and Industry group who serve in chief financial officer or equivalent senior executive positions representing different sizes and types of organisations— resulting in The 2021 State of Risk Oversight report.
Let’s review its key findings.
First, to ensure a clear understanding of our starting point, let’s review the drivers.
The report states that “risk volumes and complexities are at their highest level in 12 years, increased by significant events tied to COVID-19, social unrest, national elections, extremely low-interest rates, and a host of other risk triggers – no type of organization is immune”.
The supply chain disruptions brought on by the global pandemic changed the nature of top risks, with core operations having been significantly impacted by risk events, highlighting the need for improved risk management and continuity of business plans.
Organisations are also facing further pressures from stakeholders to provide more information on risk and mitigation strategies.
Despite the well-accepted need to better prepare for the unforeseen, only 30% of respondents report they are “mostly satisfied” or “very satisfied” with their organization’s Key Risk Indicators (KRIs).
From JIT to JIC— When in Doubt, Stock
It’s been said that a companies shortcomings can be seen in its safety stocks. Safety stocks or increased inventory levels have their time and place and are a legitimate mitigation tactic. However, companies are often quick to jump from JIT to JIC in place of evaluated, strategic decision making where trade-offs are consciously made based on organisational objectives and values.
Although there is a growing trend towards increasing safety stocks and buffering supply chains, the report states that the majority of organisations have not taken the extra step of aggregating risk information to an enterprise-level inventory of top risks. Organisations continue to struggle in integrating a more formal risk management approach and implement strategic action plans.
Financial services aside, most companies are not considering risk exposure when evaluating possible strategic initiatives or making capital allocations. i.e., risk is not even considered when making some of the business’s most important decisions.
Critically for Procurement, who are often in the position of having to make those critical tradeoffs, most organisations do not formally articulate tolerances for risk-taking as part of their strategic planning activities.
The report also highlights that there is considerable room for improvement when it comes to mitigating reputation and brand risk.
ERM— We’ve come some of the way, baby…
- • While progress has been made in implementing complete ERM processes, more than two-thirds of organizations surveyed still cannot claim they have “complete ERM in place.”
- • Public companies and financial services organisations exhibit the biggest move towards ERM in 2020.
- • With the exception of non-profit organizations, most types of organisations believe their risk management oversight is more robust or mature than any of the prior four years. But we aren’t quite there yet...
- • Fewer than half of respondents describe their organisation’s approach to risk management as “mature” or “robust.”
The Impact Culture on Risk
Some organisations believe other priorities stand in the way of more advanced risk management and that risk is managed in more informal ways, impeding the move to ERM.
The report also indicates that most organisations fail to provide training or guidance on risk management. This can potentially lead to a lack of understanding of the imperativeness of proactive risk management efforts and their ability to improve a companies performance.
Furthermore, risk management is not incentivised, with few organisations embedding risk management incentives into performance compensation arrangements.
There seems to be a misalignment between a companies tolerance for risk and its risk management actions. Despite the majority of organisations describing their risk culture as “strongly risk-averse” to “risk-averse”, only a minority of respondents describe their risk management processes as “mature” or “robust.”
So, it would seem, organisations are aware of the heightened need for risk management, consider themselves to be “risk-averse”, even perhaps strongly so, yet have immature risk management processes and a culture that impedes progress.
The question remains, what, if anything, will companies do about it?
For a detailed analysis that provides helpful perspective and benchmarking on risk management, download the 2021 State of Risk Oversight report.
The Art of Procurement— The Soft Side of Business
I was talking to a new “potential suitor” last night when he mentioned his three “deal breakers”. I immediately went quiet as I broke two of the three. I can’t lie— part of me was disappointed. We seemed to have a lot in common, and I was for the first time in a while, allowing myself to get just a little bit hopeful. But part of me was also proud. I’ve carried my scars a long time; I’ve learned to now wear them with pride for the lessons that they taught me and the character that they built.
And that’s exactly my point, and what led me to overshare on this post. We establish our lists, build our frameworks in order to set a minimum standard and “weed out” the bad. And yes, we all have the right to do exactly that. No harm, no foul. But what I question is the efficacy.
We establish protocols in an attempt to simplify, to keep us safe, and create a formula for success. But more often than not, it seems to me, what we end up doing is rather than mitigating our risks, we’re limiting our potential to find greatness. Because life isn’t that simple.
The soft side of life, and of business, brings great value and has long been undermined. Yes, the hard is more concrete and therefore easier to scale, most especially in the absence of trust. But just as yoga teaches you that real strength requires flexibility, the better you are at leveraging the soft side of business, the better results you’ll see on the hard side.
The Talent Gap
Creating a list of credentials we require from potential candidates is so much easier than having the tough conversations that unearth someone’s true potential, or perhaps even widen our limited viewpoints.
But the true art of supply chain and procurement lies in leveraging the soft side of business to get to the hard numbers. It’s a dance of highly tuned intuition, refined conversation skills that build trust and nurture value extracting partnerships. It’s having the instincts to know when to push and when to give a little.
In the June edition of Procurement Magazine Bronwen Hann, President and Senior Partner at Argentus Supply Chain Recruiting spoke to us about reskilling Procurement to address the changing needs of business.
“These changes are really driving the growth of the procurement function, and that’s definitely changing the hiring landscape. As procurement delivers more to companies -- including innovation, diversity in supplier bases, sustainability, and strategic value -- the skills needs are greater.
“Front-line procurement skills are still important, but they’re now table stakes. For example, people should know how to make a purchase order, run an RFP, develop an effective contract, and how to use fairness and transparency in the procurement process. But to deliver all those added benefits you mentioned, individuals need other skills as well. In our conversations with leaders across the field, there’s a huge emphasis on soft skills. Written and verbal communication, the ability to present insights to stakeholders across the business, but even more importantly the ability to build real relationships with stakeholders and suppliers and build mutual value. Companies need people with exceptional emotional intelligence to build these relationships, and the overall business acumen to identify those ways of adding extra value.
“In short, this makes it harder to hire. Companies need to be more creative. It’s not about checking skills off a checklist. Many of these qualities can’t be gleaned from just a resume. It involves really digging into a candidate’s approach and what makes them tick when you assess them. It also means being willing to invest in people’s skills development after you hire -- whether it’s through coaching, mentorship opportunities, further formal training, rotating them through different roles or categories in a department, or other methods. It’s more difficult, but the opportunities are huge”.
According to PwC’s recent research, only 5% of the companies surveyed have a dedicated supply chain risk management unit and 50% rely on a reactive approach to their risk management.
From the American Institute of Certified Public Accountants (AICPA) 2021 The State of Risk Oversight report, “risk volumes and complexities are at their highest level in 12 years, increased by significant events tied to COVID-19, social unrest, national elections, extremely low-interest rates, and a host of other risk triggers – no type of organisation is immune”.
“While progress has been made in implementing complete ERM processes, more than two-thirds of organisations surveyed still cannot claim they have “complete ERM in place”.
Yet, despite the fact that most organizations describe themselves to be “strongly risk-averse” or “risk-averse”, most organisations still do not provide training and guidance on risk management.
And so, for a majority of companies, risk management remains a mostly intuitive process that requires a host of soft skills. If you haven’t yet, it may be time to revisit that list of requirements and how you’re going about your hiring, before you lose out like that guy off Bumble… what was his name???