


Is Your Risk Management Program Doomed to Fail?

by Dave Hannon | insiderPROFILES

April 1, 2013

In a recent survey of 220 risk-focused SAP customers, insiderRESEARCH found that even though executives and board members understand the importance of risk management, current approaches to address it are missing the mark. To drive a true enterprise risk management program, organizations need collaborative, analytic, and predictive capabilities functioning at all levels of the enterprise — and using the right technology to deliver these capabilities is essential.

If you want to start on the path to effective enterprise risk management, don’t analyze what your competitors are doing, don’t comb through existing regulations and mandates, and don’t focus solely on local, isolated risks. To implement a true enterprise risk management strategy, take a hard look at your organization’s core business — the most basic ways your company generates revenue — and ask yourself how that capability could be disrupted or destroyed. Once you answer that question, you have the framework for an enterprise risk management program.

SAP Risk Management: A Snapshot

SAP Risk Management allows companies to gain deeper insight to better understand their unique risk factors, integrate and coordinate their risk management activities, make proactive decisions, and ultimately boost their bottom lines. For example, one customer increased its revenue by $90 million over a two-year period as a result of effective cross-functional management of financial services risks supported by SAP Risk Management. Learn more about the solution at

This is one of the key takeaways from a recent research project conducted for SAP by insiderRESEARCH. A survey of 220 risk-focused SAP customers found that even though executives and board members understand the importance of risk management, current approaches to address it are missing the mark. Companies are too concerned with meeting compliance goals and not spending enough time gathering and analyzing business-focused risk data from users across the enterprise.

“We struggle to ensure enterprise risk management, or even just risk management, is embedded in employees’ normal course of operations,” says a Chief Risk Officer in the public sector in APJ.

By failing to embed risk management in daily tasks that drive their core business, organizations are overlooking key business risks and missing opportunities every day. To drive a true enterprise risk management program, organizations need collaborative, analytic, and predictive capabilities functioning at all levels of the enterprise. Updating their IT infrastructure is the most effective way to deliver these capabilities — and the right technology is essential.

The Writing Is on the Wall

According to the survey, two-thirds of executives polled consider risk management somewhat or extremely important (see Figure 1), and 81% of those polled see the importance of risk management growing in their organization. “Risk used to be a low priority, but in the last two years, it has escalated,” says the CIO of a construction and mining equipment manufacturer in EMEA. “There’s more focus and priority on risk assessment and management.”

Figure 1 How would you rate the importance of risk management processes to the leaders in your organization?

Despite that recognition, only 5% of risk management initiatives are considered “very successful” by those polled, an outcome that might stem from the top two drivers for risk management: regulatory compliance (70%) and compliance with internal corporate policies (69%). Strategic business risks, such as a significant loss event (14%) and adverse reviews by credit rating agencies (9%), are seen as much lower drivers for risk management, when in reality these factors can often become the largest detriment to a company (see Figure 2).

Figure 2 What are the primary drivers for risk management?

By redefining risk to include business-focused factors and trend indicators, organizations can bring a fresh, more predictive approach to risk management that achieves compliance and leverages the entire organization to collaboratively analyze risk and bring value every day.

How do you move to this new model of risk management? At the highest level, there are four steps:

  1. Identify the biggest risks to your core business by using collaborative technology, such as survey and assessment tools, to probe the knowledge and judgment of people deep in the business.
  2. Identify data that must be measured to track those risks and where that information resides in your organization.
  3. Automate the collection of that data into a centrally accessible repository.
  4. Create a broad and predictive reporting environment for that data, accessible at all levels.

Good News, Bad News

The good news is that most organizations already have the data they need to redefine risk management. In many cases, there are pockets of information being collected at the local level that can be used to identify risks that could affect the entire enterprise. The information simply needs to be housed in a central repository and exposed to the right people in the right format.

The bad news is that, currently, this is not happening. More than half (55%) of the professionals surveyed say that their organizations are using Microsoft Excel or Word to manage their risk programs locally, while another 39% use homegrown systems that have varying levels of integration and automation. More than 50% of the solutions in use today for risk management are more than three years old, according to the survey, and almost a quarter are more than six years old (see Figure 3). And when asked if their organization is likely to evaluate a new solution for automating enterprise risk management, a full 40% of survey respondents did not know.

Figure 3 When did your organization implement its current solution?

Using these outdated and localized systems makes centralized, automated data collection and detailed reporting — especially predictive analysis — nearly impossible, hampering organizations' ability to identify risks and avoid potentially serious consequences.

About the Study

insiderRESEARCH collected 220 online surveys and conducted 21 in-depth interviews with risk-focused SAP customers. Roles of respondents ranged from CIO and Chief Risk Officer to IT Manager and Consultant. Respondents came from EMEA (41%), North America (40%), APJ (11%), and Latin America (9%).

insiderRESEARCH conducts independent research across the worldwide base of SAP customers. Research projects are commissioned on a first-come, first-served basis. Each custom project is tailored to deliver comprehensive, accurate, and actionable results. For more information, contact


For example, a major railroad company recently reported that its revenues dropped significantly because it had not recognized that a boom in natural gas demand was reducing demand for coal, the core product that the company transported. The data required to make this prediction was readily available — a simple analysis comparing natural gas demand data with coal shipment data. But because the company was not aggregating and analyzing that data routinely, it failed to predict the risk and paid a hefty price in the form of plummeting revenues and margin erosion.

The best way to funnel the right data to the right people and redefine enterprise risk management is to leverage an integrated IT infrastructure that provides a business-focused risk management framework while automating the collection of relevant data and providing user-friendly reporting capabilities across the enterprise. With SAP Risk Management, for example, users can benefit from the application’s ability to monitor underlying business systems and provide meaningful alerts when leading indicators cross a predefined threshold.

A New Day

For some companies, regulatory compliance, disaster preparedness, and brief mentions in financial statements of perceived major risks will always be the core of risk management. But enterprise risk management — as the name implies — must involve all levels of the enterprise working together to identify the unique business risks associated with that particular organization. Achieving this goal requires internal messaging, broad organizational commitment and acceptance, and committed investment in an infrastructure that can make it both efficient and pervasive.

When those capabilities are delivered to an organization, the entire concept of risk management takes on a new meaning that drives more value to the bottom line. 

