The gap between risk professionals’ and the C-suite’s prioritization of cyber risk appears to have closed, according to Marsh’s 12th annual Excellence in Risk Management study.
The survey of more than 300 executives in February found that risk management departments continued to have greater input to business strategy at their organizations, with the result that 43 percent said leadership agreed that cyber is the priority for the next 12 months—more than any other risk.
Cyber was followed by identifying and improving risk management best practices (36 percent), risk training and awareness (33 percent), and insurance program optimization (31 percent) as organizational risk priorities.
Marsh, which also held focus groups of executives with RIMS for the study, said that while risk management functions continue to advance, “many current measurement methodologies fail to uncover the value that risk executives bring to their organization.”
Seventy-nine percent of those surveyed said executives agreed on risk management’s reporting structure, for example, but only 44 percent saw alignment around use of analytics in risk finance. That’s less than for any other area included in the poll, including reporting structures, risk priorities, emerging risks, budgets, and risk tolerance.
Cyber may even be eclipsing other threats, with just 27 percent of those surveyed saying that the identification of emerging risks would be a priority at their organizations in the coming year.
“This runs counter to the clear message being heard from boards that they are more concerned about “what’s around the corner,” Marsh wrote. “For example, could geopolitical events introduce volatility into strategic plans? Or what impact might climate change or water scarcity have on operations or expansion decisions?”
Because of this short-sightedness, perhaps, only 12 percent of those surveyed said supply chain vulnerabilities would be prioritized as a risk in the coming year.
Sixty-six percent said their risk management departments had no interaction with their organization’s supply chain, and just 15 percent said their organization would benefit by improving the use of data and analytics to identify supply chain vulnerabilities.
Managing risks across multiple global geographies also received relatively low marks for “effectiveness,” with 44 percent saying their organization was effective or very effective in this regard, and 37 percent saying it was “somewhat” or “not” effective. (Only making high-quality risk analytics available to stakeholders got lower marks out of 15 risk-related activities.)
Marsh also found this year that the majority of risk professionals surveyed said their risk management department reports into the CFO/ treasurer at their organization. Only 27 percent of those who report into the CFO/ treasurer, though, expect an increase in spending for training risk management staff, whereas 46 percent of those reporting elsewhere expect one.
“This may be a point worthy of greater consideration by finance executives,” Marsh wrote. “Does their primary focus on cost and finance limit the broader organizational value that risk management can provide?”
Most risk management departments also still report being evaluated on traditional measures, such as insurance budgets and claims management results, Marsh said.
But while no consensus emerged on the best way to measure performance of the risk management function, most surveyed agreed on the need for a new standard–such as achieving earnings targets, based upon an agreed, weighted contribution from risk management.
Marsh also said that while there was little alignment around the right analytics required to make risk decisions, predictions on investments indicated that improvement was on the way.
Over the next two years, 42 percent said their organizations expect to increase the level of investment in risk analytics, with 57 percent saying it would remain flat. In only one other area—training—did more respondents (46 percent) expect to see investments increase.
With respect to cyber, the No. 1 risk identified for 2015, Marsh said that its definition had expanded “beyond the loss of personally identifiable information” among those surveyed, and that there was an increasing realization that “cyber events cannot always be prevented.”
Marsh also attributed companies’ sometimes contradictory responses to the rapidity at which the risk is evolving:
Marsh concluded that the “hyper-focus” by risk management and other leadership on cyber, fueled in part by media attention, is in fact a “boon to risk professionals working to boost risk management’s strategic partnership with their overall business.”
Among the recommendations Marsh made based on the report were: