Risk management really a top priority?

There's a lot of lip service being paid to risk management right now. On the one hand, we all recognize it's a big issue. GRC vendors are more than happy to emphasize the R in their constantly rotating marketing efforts. The Aite Group, in its "Nine for '09: Opportunities and Challenges for Banks in 2009" report lists nine areas of emphasis for this year, several of which touch on risk management. 

And yet the amount of actual activity seems to be lagging just a bit. That's the view from the Institute of Internal Auditors anyway. Its recent survey polled 240 organizations and found that only 40 percent have implemented a formal enterprise risk management (ERM) program. That doesn't mean the issue has been wholly ignored; 68 percent of organizations report that they have a risk management "philosophy" in place, which I take to mean a loose set of processes and preferences that falls short of an actual program.  

The IIF recommends the following guidelines:

• Developing a risk management process that fits the organization's needs.
• Defining and using the same risk management language throughout the entire organization.
• Incorporating risk monitoring activities into all business action plans.
• Selecting a tool or automated process that meets the organization's risk management needs.
• Using a formalized and standardized risk mitigation process.   

To this list, officials at the EDM Council would add the need to make sure all the reference and market data at a company is squeaky clean. The most important need for risk professionals is clean, timely data on which to base their analysis. Their risk measures are only as good as the data. This is especially true in financial services. Here's a recent report by the EDM Council and IBM. - Jim