Ernst & Young released their 2014 Chief Risk Officers (CRO) survey examining trends in risk planning. Not surprising, a major trend is companies switching focus from reactive risk management to proactive risk planning, which BCS has previously reported on

One fascinating point of data to emerge in the report is a new question Ernst & Young had not previously asked CROs. How Do You Know Your Risk Function or Program is Creating Value? Reminiscent of the scene in Office Space where outside consultants asked managers at a software company "what exactly would you do here," Ernst & Young was able to yield some interesting answers from the group risk officers.

This is often a tricky question for risk managers. A sales team knows their methods are working if they increase sales. It is more difficult to know if a program designed to lower costs through risk avoidance is effective without benefit of long-term data analysis.

A risk manager asks if the reason their company has had no vendor related claims the last 18 months is the result of finally implementing a vendor insurance auditing program, or if they have simply been lucky. 

Identifying these causal relationships is a long-term project. The reason companies know they should implement vendor insurance screening programs is because data proves they are effective at lowering costs and liability, but this is often not easy to identify in the short-term.

When asked How Do You Know Your Risk Function or Program is Creating Value, the top response was if the risk program was being integrated into the decision making of operations. In other words, if after implementing a vendor risk auditing program you want to know if its working, you need to incorporate the program into your operations process so that you can identify the causal links of how and why it is effective, and to modify the risk program to maximize its benefits. To effectively transition from reactive short-term risk thinking to long-term risk planning, your risk program must become a part of your day-to-day operations. Failure to do so will not produce the data to backup suspicions of why the program may or may not be working. You need to take your risk planning off the graph paper and bring it into your operations meetings.

As the report stated, “CROs are seeking ways to embed more data-driven and analytics-based practices within their operations.” The focus is no longer on reacting to perceived risks, but implementing risk programs such as vendor insurance auditing and safety screenings, and integrating these programs into your operations department, so that when your risk department faces an Office Space type interview, you will have an answer to the question of whether the risk program you are responsible for is actually working.


Leave a Comment