represented analysts, risk managers, CEOs, and many levels in between. Our focus was to investigate details about how organizations and risk professionals actually assessed and managed risks and what the effect of those efforts were.
In addition to this survey, I have updated a summary of three major sources of surveys mentioned in the first edition of this book. We will look at some surveys conducted between 2007 and 2018 by The Economist Intelligence Unit (EIU),1 Aon Global Risk Consulting,2 and Protiviti.3 And I will throw in some related observations from two other smaller surveys conducted by HDR, which asked risk management–related questions: a 2015 survey of 173 cybersecurity experts and a 2018 survey of eighty project managers. All of the surveys included responses from organizations around the world, from small to Fortune 500 companies in many industries as well as large government agencies. Here is a summary of findings:
Growth in risk management was fast but may have cooled off: In 2007, the Aon survey said 50 percent reported having a formal risk management function and 88 percent said the board was engaged in risk issues. The growth was apparently fast, for a while. The Aon 2017 survey says that 66 percent now have a formal risk function—down slightly from 2015. These numbers don't quite align with the findings of the HDR/KPMG survey, which found that of those who currently have a risk management function, 65 percent say they implemented it since 2007. (That difference could be a difference in the respondent population.) Furthermore, growth in the number of staff in those departments has leveled off according to the Aon survey.
There is support for risk management—mostly: The 2017 EIU report states that lack of support from senior management was a concern of only 21 percent in the previous year and only 15 percent expect it to be a concern in the next year. However, the HDR/KPMG survey finds that a higher proportion (31 percent) believe there is “no recognition by top management in the importance of risk assessment.”
Influence of risk management is not as high as it could be: Regarding influence, the HDR/KPMG survey finds that 67 percent say risk assessment is used to provide “some guidance” or “significant guidance” in “major decisions” whereas the 2017 EIU finds that only 47 percent say the risk function plays a role in strategic decisions.
CURRENT RISKS AND HOW THEY ARE ASSESSED
The Aon, Protiviti, and EIU surveys all asked respondents about their biggest risks. Of course, any survey about the perception regarding the biggest risks are probably transient, but here is the current snapshot.
Exhibit 2.1 summarizes the top five risks in each of these surveys. All three surveys were different but note that there is a bit more agreement between Aon and Protiviti than either of those have with EIU. This may be because EIU was asking specifically about risks in the next twelve months and the other two organizations didn't specify a time frame. Perhaps the EIU respondents felt that these risks were more relevant in the very near term.
These risk-ranking surveys have been taking place for many years and will probably go on for the foreseeable future but we should also ask how organizations determined these risks were their main concerns. On that question, these three surveys did not get into many specifics. That is where the HDR/KPMG surveys tried to fill the gap. Armed with all of this research, here is what we found:
EXHIBIT 2.1 Current Top Risks According to Three Surveys
Protiviti | Aon | EIU |
Disruptive technologies | Damage to reputation | Weak demand |
Internal resistance to change | Economic slowdown | Market instability within own industry |
Cyber threats | Increasing competition | Difficulty raising financing |
Regulatory changes | Regulatory changes | Labor (skills shortage, strikes, etc.) |
Timely identification and escalation of risks | Cyber threats | Exchange rate fluctuation |
Respondents would mostly say their methods are “formal:” The 2017 Aon study found that 60 percent state they have adopted formal or partially formal approaches to risk management. The share that say they have a formalized risk management approach goes up with the size of the firm—96 percent of firms with revenue over $10 billion say they use a formalized approach. About 70 percent overall would claim to have a formal or partially formal approach.
Formal mostly means “qualitative procedure” not quantitative: The HDR/KPMG survey found that what these $10 billion firms mean by formal is mostly (74 percent) a qualitative ranking or scoring method, perhaps using a form of the qualitative risk matrix. This is about the same for companies under that revenue threshold (78 percent). Only 16 percent of firms with revenue over $10 billion (and 20 percent of firms of all sizes) say they use quantitative methods—that is, they use explicit probabilities derived from mathematical and empirical methods using tools such as simulations and tools familiar to actuaries, statisticians, or quantitative risk analysts. Of those who use quantitative methods, the most common is Monte Carlo simulations (85 percent) followed by statistical analysis of historical data (77 percent). Less common are methods such as Bayesian statistics (56 percent) or utility theory (17 percent).
There are obstacles to the adoption of quantitative methods, but adoption is feasible: In the 2007 Protiviti survey, 57 percent said they quantify risks “to the fullest extent possible,” up from 41 percent in 2006. Because, as we noted, only 20 percent of all firms use some form of actual probabilistic methods, it would seem that most respondents in the Protiviti survey would not consider these methods possible. In fact, our survey found that 42 percent said an obstacle to the adoption of quantitative methods was “skepticism about the practicality and effectiveness.” Yet our survey showed that those who use quantitative methods such as simulations and statistical methods come from a variety of industries and company sizes. Even though quantitative methods are common in some industries (finance, insurance, etc.), the users outside of those industries are arguably as diverse as the users of qualitative methods. Apparently, there will be active users of these methods in the same industries and contexts where there are also skeptics.
These surveys agree with my personal experience on some key points. I see that most organizations who say they follow a formal method are merely saying they follow a defined procedure. Whether that defined procedure is based on mathematically and scientifically sound principles—what has been measured to work—is another question altogether. (More on that later.) Exhibit 2.2 provides a summary of what risk assessment methods are used, according to the HDR/KPMG survey.
Each of the categories in exhibit 2.2 contains many specific variations. So, let's dive into each of them in more detail.
EXHIBIT 2.2 Summary of Risk Assessment Methods Used According to the HDR/KPMG Survey
Method |
Percentage of
|