How much progress have we made since the crisis?

October 2014
Second National Survey of Risk Management in the Netherlands 2014
The researchers (from left to right): Casper Ruizendaal, Remko Renes, Dirk Swagerman,
Marcel Prinsenberg, Esra Aktas, Leen Paape, Johan Scheffe, Matthijs van de Belt.
Gerben Posthumus is missing from the photograph.
Title: How much progress have we made since the crisis?
Subtitle: Second National Survey of Risk Management in the Netherlands 2014
Commissioning parties: University of Groningen; Nyenrode School of Accountancy & Controlling; NBA (Netherlands Institute of Chartered Accountants); PwC
Copyright: 2014 NBA Amsterdam, PwC Amsterdam, Nyenrode Breukelen, University of Groningen
Visuals: Dreamstime, Nationale beeldbank
Edited by: Margreeth Kloppenburg
ISBN/EAN: 978-90-75103-79-3
October 2014
Foreword
Results as expected, unfortunately. But some encouraging signs
In this report, the authors reveal the truth about what is still sadly lacking in risk
management in the Netherlands today. Of course, this is first and foremost the
responsibility of the board members. The good news is that we have also seen examples
of organisations that take proper responsibility for effective risk management. But the
fact remains that not all board members appear to understand what can go wrong.
This can lead them to believe that they have things under control when an objective
evaluation shows that this is not the case. This may be because risk management is not
taken sufficiently seriously, or because board members find it difficult, for example if
they are asked to assess unquantifiable risks, such as reputational risks, or the risk culture
within the organisation. I will explain both of these causes in more detail.
Not serious?
If the first cause is the case, and organisations do not take risk management seriously, it
is necessary for us, the Dutch National Bank (DNB), to demonstrate how a serious
approach to risk management can contribute to a stable economy. Indeed, many of
the organisations under our supervision are legally obliged to do this in any case. In
accordance with the Financial Supervision Act (Wet op het financieel toezicht/Wft) and
the associated regulations, the organisations under our supervision must systematically
analyse their risks and take appropriate measures. This means that it is up to
organisations themselves to determine what the greatest risks are for their organisations
and how they adjust their policy and procedures accordingly. Current practice shows
us that many organisations are still failing to carry out an effective analysis of
the risks on a systematic basis and are not taking sufficient actions in response to an (in
some cases inadequate) analysis. It is important for this analysis to be continuous in
nature, because risks do not remain static. Risks for an institution are liable to change as
a result of both internal and external factors. The institution applies this kind of
systematic risk analysis in order to determine whether the current control measures are
proving effective. If they are not, the institution makes adjustments to the control
measures. A systematic risk analysis also involves the institution conducting this kind of
analysis regularly in accordance with a set methodology and recording the results in
writing.
Risk management difficult?
There is no denying that risk management is difficult. But that is the idea: dissent is never
pleasant and neither is the need to abandon grand designs and plans because the risks
are too high. But it is a necessity. The more independently-positioned risk management
is within the organisation, the stronger that risk management can develop and – of
course – the more potential dissent there will be. There is a need to clearly demonstrate
to the risk managers of the Netherlands (and the DNB is happy to contribute to this)
what constitutes effective risk management and how it can actually help to achieve
business objectives. Including an independent chief risk officer alongside a chief
financial officer on the board can help to make risk management a natural part of the
business process and thereby incorporate safeguards for healthy operation, continuity
and the survival of a company.
In my view, it is possible to eradicate both causes. Perhaps in five years’ time, when the
third National Survey of Risk Management in the Netherlands has been conducted, we
will at least be able to conclude that the experience of board members and
researchers has become closer and we will hopefully see the scores improve
significantly. I wish you the best of luck in this.
Jan Sijbrand, DNB Board of Directors
Open letter to directors in the Netherlands
Board members in the Netherlands,
In 2009, we presented our first survey of the status of risk management in the
Netherlands. Now, five years on, we are pleased to present the follow-up to our
research. To what extent have organisations like yours been engaged in the
introduction and improvement of their risk management systems?
Much to our surprise, we have noticed that hardly any improvement has been
achieved; in fact, there has even been a slight regression in some cases. The really bad
news is that you yourself believe that you have actually made progress. This might
mean that you have been misled and will have to pay the cost for it when you least
expect it. Have you carefully considered which risks you are willing to accept and
which you are not? Is there a culture in place to ensure that bad news reaches you on
time? When making decisions in the face of uncertainty – your solemn duty – has
enough thought been given to potential scenarios or have you perhaps gone no further
than a bad scenario and a good one, and something in-between?
Many of your fellow board members were also of the opinion that things were in order.
Despite this, various organisations have met with serious difficulties. Vestia, Imtech,
Rabobank, BAM, Meavita, Douwe Egberts, Ballast Nedam, SNS Reaal and Amarantis
are just a few examples. The extraordinary thing in all of these cases is that the
organisations faced serious difficulties at the heart of their business. Not in peripheral
activities but in the activities they were actually assumed to excel at! They were hit
hard, at the very core of their business. Every director, probably also including you, will
wonder: “Could this also happen to me?” Our answer to that question is: “That could
indeed happen”, if, like many of the respondents to our survey, you assume that you
are doing a better job than those unfortunate organisations. If you would like to find out
if your organisation actually is doing a better job, we invite you to become acquainted
with this report.
You should at least read the whole of Chapter 3 and talk to your chief risk officer,
compliance officer, internal auditor or head of finance and ask what lessons you can
both learn from this report. “Which conclusions and recommendations also apply to us?
What can we do to improve this?” At the very least, we call on you to take a critical
look at the following six questions:
- Is risk management properly integrated within our performance management? Is
there a direct link to the appraisal and remuneration of our employees?
- Are risk management and internal controls embedded in the DNA of our
organisation?
- How can we raise the structure, quality and position of our risk management
department to a higher plane?
- Have we properly articulated our risk appetite? Has this been consistently applied
and communicated across the entire organisation?
- Do we have truly integrated risk management that covers all of the risks, including
external influences?
- How can we further enhance our strategic thinking about risk?
We assure you that this will help you to avoid being mentioned in a list of scandals like
the one above, in the survey we will conduct in five years’ time.
We wish you every success in this endeavour.
October 2014
Open letter to risk managers in the Netherlands
Risk managers in the Netherlands,
In 2009, we presented our first survey of the status of risk management in the
Netherlands. Now, five years on, we are pleased to present the follow-up to our
research. To what extent have organisations like yours been engaged in the
introduction and improvement of their risk management systems?
Much to our surprise, we have noticed that hardly any improvement has been
achieved; in fact, there has even been a slight regression in some cases.
The really bad news is that you yourself believe that you have actually made progress.
This might mean that you are being misled and will have to pay the cost for it when you
least expect it. Have you carefully considered which risks you are willing to accept and
which you are not? Is there a culture in place to ensure that bad news reaches you on
time? When making decisions in the face of uncertainty, are you capable of properly
informing your board members about the advantages and disadvantages of the
potential scenarios or have you perhaps gone no further than a bad scenario and a
good one, and something in-between?
Of course, you are well aware that a lot still needs to be improved. It may not always
be easy to convince those around you of that fact. Risk management is important, but
is often seen as secondary; a necessary evil that can also sometimes even be seen as
an obstacle. In recent years, you have had the wind behind you; the financial crisis and
corporate scandals featured in the press caused interest in your work to increase,
occasionally even imposed by regulation. But there is still more than enough work to be
done. The press is still packed with scandals of not insignificant size.
You would be well advised to take a look at this report and determine the position of
your organisation and what can be improved. Engage in conversation with your board
members and ask them what you can do, together with the board. These questions
may prove useful in that conversation:
- What role do we want our risk management to play: from reactive to pro-active?
From technical skills to business skills? And what does that mean for our team?
- How can we involve all layers of management more effectively and help line
management to assume responsibility for risk management?
- Is there technology available that can assist us in making risk management more
effective and efficient and at the same time make it more attractive and
convenient for line management?
- How can we find and implement new techniques and methods in order to remain
alert to strategic and emerging risks and their management in the future?
Armed with this report, you can make a well-substantiated plea to be included in the
executive board as chief risk officer (CRO), since our research provisionally suggests
that, as a dedicated risk champion, the CRO can achieve better results than in
organisations in which risk management is just one of the many tasks of one of the
board members.
We look forward to hearing the progress you have made in five years’ time. We wish
you the greatest success in this endeavour, confident that it will be for the benefit of
your organisation.
October 2014
Contents
Foreword ... 3
Open letter to board members in the Netherlands ... 4
Open letter to risk managers in the Netherlands ... 5
Contents ... 7
1 Introduction ... 8
2 Trends in risk management 2009 - 2014 ... 10
2.1 Zero-tolerance ... 10
2.2 Increasing legislative and regulatory pressure ... 10
2.3 Speed and impact of changes ... 11
2.4 Risk culture ... 11
2.5 Integration of performance and risk management ... 12
3 Summary: our assessment of the development of risk management ... 13
3.1 Improvements in some areas – no structural progress made ... 13
3.2 Where do we go from here? ... 16
4 Survey results: analysis and observations ... 17
4.1 Introduction ... 17
4.2 Profile of the respondents ... 17
4.3 Risk assessment and analysis ... 28
4.4 Risk management reporting and risk monitoring ... 36
4.5 Risk management and organisation ... 40
5 Risk culture ... 49
6 Two alternative perspectives ... 54
6.1 Another look at the dataset, with two different questions ... 54
6.2 Enterprise Risk Management, automatically a higher score? ... 54
6.3 Risk management maturity, how do you make progress? ... 55
Bibliography ... 59
Appendix 1: Methodology ... 63
Appendix 2: Score guide for survey of Risk Management in the Netherlands 2014 ... 67
Appendix 3: Questionnaire for survey of Risk Management in the Netherlands 2014 ... 73
Appendix 4: Conceptual model ... 85
1. Introduction
We are proud to present you – valued reader, director, risk manager or stakeholder of
profit and non-profit organisations in the Netherlands – with the results of the second
national survey of the current status of risk management. In 2009, we presented the first
national survey of risk management in the Netherlands involving more than 900
participants. In the foreword, we indicated that we would gauge how much progress
had been made in five years’ time. This means that the time has now come for an
update.
The timing of the first national survey could not have been better: it came just after the
start of the greatest financial crisis in living memory. The fact that many organisations
were not in control of their risk management became all too painfully clear. Financial
organisations in particular, generally assumed to have the best systems and
methodologies at their disposal and undeniably the best supervision of their activities,
failed to make the grade. The world continues to suffer the consequences. Equally,
there seems no end in sight to the constant stream of new incidents in the field of risk
management and internal controls, although the term incident does not fully convey
their true impact, as in recent cases involving Vestia, Imtech, Rabobank, Amarantis,
BAM, Douwe Egberts, Ballast Nedam, SNS Reaal, etc.
Similar questions to 2009, but now also featuring risk culture
The question we asked ourselves was whether things would be better five years later,
after numerous reports, studies and attempted improvements. Have we learned from our
previous mistakes? What questions would assist us in gaining a greater understanding of
developments in risk management in recent years? From an academic perspective,
very little knowledge had been acquired in this area and, of course, change takes time
to have an effect. What did emerge clearly is that both risk culture and ‘tone at the
top’ have become overriding themes. If the instruments and methodologies are not the
problem, perhaps it is the people and the culture in which they have to work, is the
argument. We therefore attempted to include the concept of risk culture in our
questionnaire. It was a flawed attempt, because useful results on how to measure risk
culture are still hard to come by or not available at all. In any case, a proper assessment
of culture calls for research on a major scale, which was unfortunately impossible in
practice. Despite that, this report offers plenty of interesting pointers on risk culture. And
we would also now like to invite you to make a contribution to advancing our
understanding of risk culture.
In many cases, the questions we posed in this second survey have remained
unchanged compared to the first survey in 2009, whereas others have been slightly
updated on the basis of the latest insights, where relevant. Thanks to the unchanged
questions, we are able to compare the results with those from 2009. Has progress been
made? Has there even been regression in some cases? If so, in what areas? The 727
respondents – from the almost 10,000 questionnaires sent out – provided us with
information about many different sectors. This enables us to make a series of
comparisons. For example, we were particularly interested in comparing profit and
non-profit, as well as drawing a distinction between businesses in the financial sector and
the rest. In the first survey, there was a significant difference between the two. You will
find out whether that continues to be the case later in this report.
We were also interested in providing you with more information on the use of tools,
techniques and software to support risk management activities. Quite a lot of these
have been introduced into the market in recent years and there have also been
changes within the suppliers’ market. The suppliers have consolidated and software
tools have been improved and are being used more often. We also wondered to what
extent these new instruments have actually reached the organisations. When used
effectively, tools and software provide a considerable boost to the monitoring, analysis
and early detection of risks. They are also extremely useful in ensuring people remain
focused on the matter in hand. Have the effects been noticeable?
This report
The report starts with a brief outline of the history since the previous report in 2009. This is
followed by our final assessment, our answer to the question: “How much progress has
been made since the crisis?” We link that answer to a series of recommendations, ranging
from concrete and easy-to-implement improvements to suggestions for intervention on
a much wider scale.
If you would like to find out more about a specific sector, or a particular subject, you
should go straight to Chapter 4. Here we provide substantiation for our judgements and
recommendations and point out where things sometimes work and sometimes prove
less successful, always in the light of the questions from our survey. We also focus on and
explain any interesting statistics, for example a particular sector that stands out or a
score that is unexpected or unusual. Because risk culture plays such an instrumental role
in the current debate about the failure of organisations and their risk management, we
have added risk culture as a new section in our questionnaire and devoted a separate
chapter to it in this report: Chapter 5.
Finally, Chapter 6 includes something extra: we looked at the collected data from two
alternative perspectives: firstly, we explored the advantages that risk management has
to offer in the eyes of the respondents. Secondly, the research data has enabled us to
make a substantiated assessment of which internal and external factors have an
influence on the maturity of a risk management system. The detailed explanation of the
methods we have used can be found where you might expect it: at the end,
immediately after the bibliography.
We hope you enjoy reading the report and that you find the survey results to be of use.
If you feel that specific questions are missing, or would like to have seen your own
company featured in the results, please do not hesitate to let us know or, even better,
sign up as an organisation to participate in the next survey in 2019!
Breukelen/Amsterdam/Groningen, 29 October 2014
2. Trends in risk management 2009 - 2014
‘How things can change in the space of five years’… these were the opening words of
the 2009 report. We were then at the height of the crisis. So what impact did the crisis
have on people’s perceptions of risk management? Would risk management enable
organisations to arm themselves against political and macro-economic storms raging
elsewhere? Suddenly, these questions had genuine urgency.
Anyone who assumed that the storm we were referring to would have calmed five
years later was sadly mistaken. The economic environment remains turbulent and the
threat of a double, or even triple dip, continues. In the search for people to blame,
tolerance of mistakes by board members and supervisory authorities plummeted in
terms of public opinion. Supervisory authorities responded by creating stricter
regulations and becoming ever more prescriptive in terms of the implementation of
primary processes.
The economic crisis and sluggish recovery have also had a noticeable effect on
developments within the profession of risk management. Traditional methods for
managing risks no longer seem adequate in an environment subject to faster and more
far-reaching change. This can be seen in the increasing focus on a proper risk culture
and the ever-increasing integration of performance and risk management. Rather than
more of the same, it was a case of the same, but in a different and better way. Below,
we outline the five most important trends of the last five years.
2.1 Zero tolerance
The former board members of such companies as Vestia, Imtech, Rabobank,
Amarantis, BAM, Douwe Egberts, Ballast Nedam and SNS Reaal have all experienced it:
customers, shareholders, politicians – indeed no one has tolerance any longer for
managing or supervisory board members who make major errors. Society wants to see
them pay, via the courts or otherwise, for the errors they made in their former roles. The
liability of senior executives and supervisory board members has increased in recent
years, partly as a result of political pressure. Whereas the courts still require evidence of
‘serious misconduct’, politicians and public opinion have been rather less reticent in their
criticism, often before any criminal enquiry has been completed.
The reputational and financial risks that the managing and supervisory board members
run have increased significantly in the wake of these developments and increasing
litigiousness. As a result, much more needs to happen before a managing director will
put a signature to an ‘in control’ statement, which has increased the importance and
impact of the underlying methods used.
There are increasing calls for transparent business operations and management of risks:
from customers, investors, supervisory authorities and credit-rating agencies.
2.2 Increasing legislative and regulatory pressure
From the very first day of the public hearings into the causes of the crisis conducted by
the committee of enquiry into Financial Recovery[1] in the Netherlands, the finger of
blame was clearly being pointed towards the supervisory authorities.
The supervision was said to be too focused on compliance with regulations rather than
on compliance with principles.
[1] De Wit Committee (Commissie De Wit)
But despite this, even more regulations have been added in recent years! So many, in
fact, that a PwC survey[2] of more than 1,300 CEOs from 68 countries revealed that the
increasing regulatory pressure is seen as the greatest threat to economic recovery (and
the well-being of their organisations). In fact, the trend has actually been towards a
greater focus on compliance with principles. But that needs to be demonstrable, as a
result of which even more rules are added. Organisations that operate internationally or
have international clients face an additional challenge of having to deal with
discrepancies in terms of the regulatory regimes and philosophies.
2.3 Speed and impact of changes
The risk landscape is changing incredibly rapidly: demographic changes, accelerated
urbanisation, shifts in economic power, climate change, technological innovations, the
role of social media, changes in the labour market and increasingly interdependent
value chains that are becoming ever more complex. How can all this be managed? As
a result of the wide range of strategic risks resulting from these changes and the
unpredictability of the associated risks, a traditional ad-hoc (one-dimensional)
approach to managing risks is no longer adequate and an alternative approach is
required.
In 2012, the World Economic Forum[3] concluded that the risks to which modern
organisations are exposed can be managed only by means of cooperation between
businesses, government authorities and wider society, based on long-term thinking.
The early detection of so-called ‘Black Swans’[4] calls for the status quo to be challenged
and the introduction of external and possibly even bizarre ideas in the development of
strategy and identification of risk. Cooperation (across value chains, with consumers,
suppliers, within sectors, with government, NGOs, etc.) is fundamental for the success of
this.
2.4 Risk culture
Organisations like to focus on tangible measures when implementing risk management.
Examples of this include describing all of the risks, appointing a risk manager or
establishing concrete management measures.
But risk management is about much more than the risks at management level. There
are also employees at a much lower level who decide on a daily basis whether or not
to take a risk, as an everyday part of their work. Much of the success of risk
management therefore depends on the awareness of risk and control at all levels within
an organisation.
There is also increased focus on soft controls, which are required in order to enable
more stringent control methods to take effect. They include such things as leadership,
leading by example and communication styles.
[2] PwC: 17th Annual Global CEO Survey: Fit for the future
[3] World Economic Forum: Global Risks 2012
[4] In his book ‘The Black Swan’, Nassim Nicholas Taleb looks at extraordinary events that have a major impact, but that no one can foresee.
2.5 Integration of performance and risk management
A key indication of the risk culture of an organisation is the extent to which
management is based on a balance between performance and risks. Is the analysis
and control of risks already an essential part of operations? The PwC survey referred to
previously shows that 65 percent of the organisations do not analyse and manage their
risks and performance in relation to each other. This makes little sense, if one realises
that the outside world expects an organisation to take responsibility not only for its results
but also for the risks involved.
The point of departure for successful integration is for organisations to begin considering
risk appetite as an important part of strategic planning. The best way forward after that
involves ensuring that performance and risk are managed cohesively. Ultimately, risk
and returns are inextricably linked. Increased risk can result in greater returns, but the
other side of the coin is that there will be increased volatility and greater difficulty in
predicting the results.
An increasing number of organisations are beginning to acknowledge – often in response
to incentives from supervisory authorities – the need to take greater account of risk
appetite in planning. Few organisations have advanced as far as to take the second
step of managing results and risk simultaneously. This process takes time, but the outside
world is demanding it already.
In our next chapter, we present our judgement of the development of risk
management by 2014.
“Risk management largely remains the preserve of people. It starts with risk awareness, a
systematic assessment of the risks and dialogue about the key risks at each level of the
organisation.”
Siebe Riedstra, Secretary-General at the Ministry of Infrastructure and the Environment
“The dialogue between management and supervision improves significantly when risk
management is taken seriously and is regularly placed on the agenda.”
Paul van Gelder, Executive Board Member, Royal Imtech NV
3. Summary: our assessment of the development of risk management
3.1 Improvements in some areas – no structural progress made
What progress has been made since the crisis?
The results reveal that progress has been made in some areas, but there is even a slight
regression in others. There are also remarkable discrepancies between developments in
the public sector and the private sector. Below, we analyse which factors contribute to
improved risk management and which do not. Our aim in doing this is to enable you as
a risk manager or entrepreneur to make the right choices in further improving your risk
management system.
No structural improvement in five years, despite the crisis
Based on a detailed survey, comparable to that of five years ago, we have been
unable to determine that risk management in the Netherlands has seen any significant
structural improvement and this applies to the total score, as well as the scores for each
sector and criterion.
Figure 1: Spider diagram of comparison scores 2014-2009 for each criterion
We also asked the respondents to give a rating for their own risk management systems
and the results surprised us: it would appear that organisations feel relatively secure
about the quality of their own risk management systems. This confidence has even
increased slightly compared to the results from 2009. We asked them to score
themselves on a scale of 1 to 10 (1 = very poor, 10 = excellent). The average rating that
organisations gave themselves is 6.85 (+0.37 compared to 2009). In addition,
approximately 89 percent (+9 percent compared to 2009) of respondents believe their
risk management systems to be satisfactory: a score of 6 or higher. There is also a
significant correlation between a higher self-score and a higher score for our criteria[5]:
respondents who give themselves a high score, also score higher on our score guide.
None of this affects our view that risk management in the Netherlands remains at an
unsatisfactory level.
[5] According to the researchers’ scoring guide.
Why is this not good enough?
There is a serious need for structural improvement, for three reasons. Firstly, many studies[6]
show that inadequate or low-quality risk management was one of the causes of the
financial crisis. Secondly, if self-regulation is not improved (or if, in this case, companies
fail to improve their risk management), there is a danger of government intervention
involving more laws and regulations in the area of risk management. This is especially so
if one takes account of the fact that there have been incidents involving risk
management in all sectors in the last five years. We have already seen this happen in
such sectors as financial services, energy and trade. Thirdly, there is the looming threat
that organisations currently engaging in cutbacks will actually cut back on essential
areas of risk management, possibly believing that their efforts towards recovery mean
there is less need for it.
Some improvement, in part
So, are we of the opinion that no progress has been made at all? On balance, the
answer is probably no, but in some areas we have noticed both interesting and at times
disquieting results.
Looking at the scores of the various respondents, we particularly noticed that larger
organisations achieve higher scores in our survey, and this applies to organisations that
are larger in terms of turnover as well as those larger in terms of number of FTEs (full-time
equivalents). The position of chief risk officer is on the rise, especially in financial services.
We are able to conclude that this is the sector that has invested most in risk
management since the last survey.
For the scores for risk assessment and analysis, it was noticeable, first of all, that more
than two thirds of respondents do not make an assessment of the relevant risks more
than once each year and slightly more than 13 percent admitted that they conduct
absolutely no risk assessment or analysis. We did not find any major differences between
sectors for this question. What we did see, fortunately, was an increase compared to
2009: an increasing number of organisations are assessing and analysing the risks for their
operations and this fortunately also applies to all types of risk. Further progress can be
achieved if organisations assess their risks in a more integrated way and if the
assessments and analyses take place deeper within the organisation: an enterprise-wide
risk analysis is more valuable than those conducted solely by board members or
an executive board.
As far as reporting and monitoring of risks is concerned, we unfortunately did not see
many differences compared to 2009. There was however one exception to this:
whereas, in 2009, 11 percent of respondents said that there was no internal reporting
about risks, this has now fallen to 5 percent. For all the other subsidiary questions on
reporting and monitoring, we continue to see similar results to those in 2009, usually with
a slight increase.
With regard to the questions about risk management and organisation, we were
pleased with the answers to the question about risk appetite. The number of
respondents that have now formulated a risk appetite has improved compared to
2009. However, we did find it strange that not all of them recorded and communicated
this risk appetite. This could be related to another surprising result: a significant
majority of respondents applied no accepted standard when setting up risk
management and internal controls. Of course, a standard (such as ISO, Basel, COSO,
INK, EFQM) provides no guarantee, but it does offer the opportunity for comparisons
and the application of best practices. The use of a standard introduces a language in
which to share information about risks and control.
6 Including Huber, C. and Scheytt, T. (2013): The Dispositif of Risk Management: Reconstructing Risk
Management after the Financial Crisis. Management Accounting Research, 24(2), pp 88 - 99
Mikes, A. (2009): Risk Management and Calculative Cultures, Management Accounting Research, 20, pp 18 - 40
Power, M. (2009): The Risk Management of Nothing, Accounting, Organizations and Society, 34, pp 849 - 855
Based on the answers to the (new) questions about risk culture, we gained the
impression that in many organisations risk management is still very much compliance-driven. “We engage in risk management because people ask us to”, is what the
answers appear to be saying. “People”, here could refer to an accountant, an external
supervisory body or the public. The effectiveness of risk management is, for example, a
factor in the remuneration system for only 9 percent of respondents. For half of all
respondents, the section on risk in the annual report is primarily or exclusively the
preserve of the financial function in the organisation.
A key finding from our survey that supports the notion that risk management is
primarily compliance-driven is that companies consider the prevention of reputational
damage and the reduction of capital costs to be significant drivers for awarding their
risk management a good score. By contrast, the inherent possibilities that risk
management offers in terms of higher profitability and more opportunities for growth
do not appear to lead people to give their own risk management system a higher score.
This impression is also confirmed by our conclusion that the maturity of risk management
is primarily determined by the influence of external parties, such as Big4 accountancy
firms, the supervisory body and governance codes that impose standards (voluntary or
not). Risk management is done for the outside world or as a result of external pressure.
Consistent with this, ownership structures (with the exception of listed companies,
financial institutions and (semi-)public institutions) and audit committees have no
significant influence on risk management. The internal boost to risk management resides
primarily in the chief risk officer, preferably in a position dedicated especially to this.
This is so even though, in terms of culture, the position is not regarded as a career step
and risk management still primarily involves the top layers of the organisation.
All of this amounts to little improvement compared to five years ago, which is anything
but reassuring. However, we do realise that these things do not happen automatically
and five years is a short space of time. We cannot expect risk management to have
become fully integrated in all sectors in just five years. It does not happen automatically
and in any case, can we actually manage all of the risks? Instrumentally, it is possible,
but what exactly are we managing in that case? In an increasingly complex world, the
highest level of risk management maturity is not yet realistic and we also understand
that all types of management (including risk management) are the work of human
beings. This means that we continue to be let down by human characteristics: we
overestimate our own ability, we tend to seek confirmation of what we already believe,
we allow ourselves to be reassured by trusting in others and we keep ineffective
structures in place merely in order to avoid rocking the boat. “No, the chance of
interest rates falling even further is extremely low”, “Things have been going well for
quite some time, haven’t they? Well then!”
There is also another factor: risk management is as rich as the imagination of the
individual applying it.
Although this is understandable, it is also dangerous. We should not allow ourselves to
tolerate things purely because they are understandable and human: the investment is
too great for that. Deliberately opting for risky investments as a semi-public body,
making key policy decisions that no one can explain five years later or hedging with
swaps, but later claiming in the press “I do not even know what a swap is”: these are
things we can no longer accept.
3.2 Where do we go from here?
We use our results to develop recommendations for organisations who want to make
progress and move closer towards mature risk management so that they are prepared
for the next crisis or at least adopt a slightly smarter approach than their competitors,
thereby gaining a competitive advantage. Recommendations for you, the readers of
this report. But we also see opportunities on a larger scale, opportunities to enable risk
management to play a more serious role. We have noticed that in all the sectors where
there was greater focus on risk management, the scores have increased, and sectors
that have been regulated (again resulting in greater focus) also demonstrate greater
risk management maturity. Auditors, investors, supervisory authorities and analysts
should therefore continue to exert pressure.
As for the risk managers of the Netherlands, you have an important ally in these groups.
Speak to your managing director to raise the profile of risk management.
And, for those of you who are yourselves board members: you could take more time to
assess and analyse risks – not only in terms of risk management, but generally – and
organise constructive dissent: ensure that there is dissent that offers a wider perspective.
Often, it turns out that there was awareness within an organisation that something was
not right for quite some time, but this never reached the top of the organisation,
because no one had the confidence to spoil the party.
Take risk analysis and risk management seriously. Do not focus solely on compliance, but
decide what kind of organisation you want to be, which risks you are still willing to take
and which you are not, and develop your risk profile based on that. Record that profile
in writing and share it across the organisation, with built-in checks: that is what risk
management is all about. And, of course, monitor it and update it regularly.
Finally – and this will come as no surprise – we will continue with our surveys and
research. We also cordially invite other people to investigate how we can make risk
management more effective, starting in the Netherlands.
“Control is a vitamin at the start of the growth and a poison at the end of the same growth.”
Peter Robertson, Nyenrode and Monterey Institute (USA)
“Effective risk management prevents surprises and leads to better results.”
Erik van de Merwe, supervisory director and jury member for the FD Henri Sijthoff Prize
4. Survey results: analysis and observations
4.1 Introduction
Below, you will find the results of our survey, categorised according to the five main
areas of our questionnaire:
1. general characteristics of the respondents and their organisations (section 4.2);
2. risk assessment and analysis (section 4.3);
3. risk management reporting and monitoring (section 4.4);
4. risk management and organisation (section 4.5);
5. risk culture (Chapter 5).
Here you will find the facts and figures, comparisons, analyses and observations on the
basis of which we reached our judgement and our recommendations in Chapter 3.
Details of the research structure, methodology and the quality of the data obtained
and used can be found in Appendix 1.
The questionnaire was sent in April 2014 to organisations whose addresses were
obtained from the database of ‘Company Info’. A total of 9,582 questionnaires were
sent to organisations with a budget or turnover in excess of EUR 10 million, of which 20
were returned because of bankruptcy or an incorrect address. Ultimately, this resulted in
727 usable questionnaires. The 7.6 percent response rate is relatively high for this kind of
survey.
We can now make a comparison with 2009 because the questions in our survey are
almost completely the same as those in our survey then (details of the differences can
be found in Appendix 1). So how do we stand, five years after the start of the crisis?
What progress has been made?
4.2 Profile of the respondents
Figure 2: Changes in the position of respondents 2014 - 2009 (chart not reproduced in this text)
The majority of respondents (52 percent, compared to 55 in 2009) are executive board
members. As is customary, we also included CFOs in this category. This is important,
because risk management is ultimately a responsibility of the executive board. We did
not do this for the position of CRO, because it is not yet common practice for the CRO
to be a member of the executive board in all cases. The results included in Figure 7 still
support this choice (half of the CROs are members of the executive board).
A total of 32 percent of respondents hold a financial position (CFO and Controller). This
is a significant change compared to 2009, when the figure was 46 percent, but still in
line with the general thinking that risk management should be coordinated by the
finance function. The distribution for 2014 differs from 2009 on three points:
1. the importance of risk management at executive board/directors level (almost 10
percentage points higher);
2. the role and importance of the CRO (up by almost 5 percent);
3. a shift from the financial/support function to more business functions.
Distribution of respondents by sector
A total of 35 percent (2009: 40 percent) of the organisations are in the healthcare and
non-profit sectors. In order to enable a better comparison between profit and non-profit
organisations, we have included healthcare under non-profit. It is noticeable that the
‘Others’ category, consisting of Transport & Logistics, Telecommunications, Information
Technology and Entertainment and Energy & Utilities has seen a significant fall in terms
of the number of respondents. Despite this, the numbers are still sufficiently
representative in order to draw conclusions for each sector.
Figure 3: Respondents by sector 2014 - 2009
Figures 4 and 5 present an overview of the size of the organisations in terms of turnover
or budget and full-time equivalents (FTE). The only difference compared to five years
ago is that there has been less participation by the larger organisations
(turnover/budget in excess of 1 billion) this year.
Figure 4: Respondents by turnover category
Figure 5: Respondents by FTE categories
Characteristics of respondents
The share ownership structures of respondents reveal something of an anomaly: more
than half of the organisations are not in the ownership categories we asked about. This
applies to almost all of the non-profit organisations (35 percent) and a number of other
organisations from other sectors. In addition, 8 percent (2009: 9 percent) of the
respondents are listed companies and 29 percent (2009: 65 percent) are active in more
than three countries. The difference in terms of international activities is remarkable and
there is no obvious explanation for it.
Figure 6: Ownership structure (in %)

Ownership                            Profit 2014   Non-profit 2014   All 2014   All 2009
                                     (N=475)       (N=251)
Not applicable                       30.0          92.9              51.4       46.2
Anonymous shareholder                6.2           -                 4.1        4.5
Several institutional investors      3.4           -                 2.3        11.3
One or several families              19.3          2.1               13.5       14.4
Accounting consultancy               2.4           -                 1.6        2.5
(Director and) majority shareholder  18.7          2.9               13.3       15.4
Subsidiary of holding company        7.3           -                 4.8        5.7
Banks                                0.9           0.4               0.7        -
Others                               11.8          1.7               8.4        -
Total                                100           100               100        100
Chief risk officer
The survey reveals that 58.2 percent of the listed companies have appointed a CRO or
similar. In view of the major focus on risk management and being ‘in control’ over the
last ten years, backed by corporate governance codes, we see this as a relatively low
percentage that does not reflect our own experience in practice.
Figure 7: Chief Risk Officer (CRO) or not
CRO at Executive Board/Directors level: 10.5%
CRO, but not at Executive Board/Directors level: 9.3%
No CRO, but a comparable position at Executive Board/Directors level: 15.7%
No CRO and no comparable position at Executive Board/Directors level: 64.4%
It is interesting to note that 35.5 percent of respondents have appointed a CRO or
similar position with ultimate responsibility for risk management; in 2009 the figure was
just 18.7 percent. It is apparent that risk management is increasingly being linked to an
officer involved in the process and this role is positioned at a higher level within the
organisation, at least in terms of the name.
The figures also confirm that it is relatively common practice in financial services to have
a CRO or equivalent position: this applies to two thirds of these organisations. The results
for Transport & Logistics and Commercial Services are also interesting, since almost half
of all respondents in these sectors have a CRO or equivalent position.
Below, you can also see that the size of an organisation in terms of its turnover/budget is
a key factor in determining whether there is a CRO or equivalent position. Also of note:
almost one third of the smallest organisations have gone so far as to appoint a CRO or
equivalent.
Figure 8: CRO, by sector (in percentages)

Sector                                      Has CRO or equivalent position
Trade                                       33.1
Transport & Logistics                       48.0
Manufacturing                               27.5
Financial services                          68.4
Commercial services                         44.4
Telecommunications, IT and Entertainment    27.8
Energy & Utilities                          27.8
Healthcare                                  33.6
Government/Non-profit                       27.8

Figure 9: CRO, by turnover/budget (in percentages)

Turnover/budget (EUR)       Has CRO or equivalent position
0 - 50 million              32.5
51 - 100 million            26.8
101 - 500 million           40.5
501 million - 1 billion     55.6
> 1 billion                 68.4
When divided by sector, the following picture emerges:
Figure 10: Appointment of CRO or otherwise, by sector (in percentages)

Sector                                     CRO at         CRO not at     No CRO, but    No CRO or
                                           Exec. Board/   Exec. Board/   equivalent     equivalent
                                           Dir. level     Dir. level     position       position
Trade                                      3.4            14.5           15.0           66.7
Transport & Logistics                      8.0            20.0           20.0           52.0
Manufacturing                              10.1           4.1            17.6           68.2
Financial services                         42.1           7.0            21.1           29.8
Commercial services                        11.2           10.1           15.7           62.9
Telecommunications, IT and Entertainment   11.1           11.1           5.6            72.2
Energy & Utilities                         5.9            11.8           11.8           70.6
Healthcare                                 7.5            9.3            16.8           66.4
Government/Non-profit                      6.9            8.3            12.5           72.2

Figure 11: Appointment of CRO or otherwise, by turnover/budget (in percentages)

Turnover/budget (EUR)        CRO at         CRO not at     No CRO, but    No CRO or
                             Exec. Board/   Exec. Board/   equivalent     equivalent
                             Dir. level     Dir. level     position       position
0 - 50 million               11.4           7.8            13.5           67.3
51 - 100 million             3.2            9.0            14.7           73.1
101 - 500 million            10.4           8.7            21.4           59.6
501 million - 1 billion      18.5           14.8           22.2           44.5
> 1 billion                  36.8           21.1           10.5           31.6
Additional supervisory position
In addition to the chief risk officer, external governance mechanisms in particular, such
as the external supervisory authority and the Big4 accountancy firms, would seem to be
important drivers for a mature risk management system. Supervisory authorities, such as
the Dutch National Bank (DNB), focus in their supervision on the importance of risk
management, thereby potentially boosting its quality. The Big4 accountancy firms and
auditors who, following a change of auditors, view the organisation from a new
perspective also contribute to more mature risk management. The debate enriches
your risk management and clearly provides the constructive dissent that we encourage.
A total of 42.2 percent of respondents deal with an external supervisory authority, such
as the AFM (Financial Markets Authority), DNB or ACM (Consumer and Market
Authority). As many as 72.1 percent have a supervisory board of some kind and 49.5
percent (2009: 47.8 percent) have set up an audit committee and/or risk committee.
Finally, more than three quarters of the organisations (76.2 percent; 2009: 77.1 percent)
are audited by the Big4 accountancy firms. In the last three years, 24.4 percent of the
organisations surveyed have appointed a new external auditing organisation.
Higher self-evaluation versus our lower score
On average, all respondents gave the risk management in their own organisation a
significantly higher score than our score guide for the survey would suggest (see
Appendix 2). In both cases, the non-profit sector scores relatively low and healthcare is
just slightly higher.
Figure 12: Difference between self-evaluation and survey score, by sector

Sector                                     Number   Average report mark   Average survey   Difference
                                                    (self-evaluation)     score
Trade                                      117      6.86                  4.27             2.59
Transport & Logistics                      25       6.76                  4.70             2.06
Manufacturing                              147      6.90                  4.21             2.69
Financial services                         55       7.55                  6.26             1.29
Commercial services                        89       6.82                  4.65             2.17
Telecommunications, IT and Entertainment   18       6.67                  4.03             2.64
Energy & Utilities                         18       7.11                  5.24             1.87
Healthcare                                 107      6.75                  4.61             2.14
Government/Non-profit                      144      6.59                  4.53             2.06
Total                                      720      6.85                  4.60             2.25
If we compare the 2009 figures with those from 2014 (see figures 13 and 14), a positive
trend can be observed. Both the non-profit and healthcare sectors have seen a
significant increase and both have caught up with the profit sector, according to their
own scores. The difference between them is now minimal, with the exception of
financial services and energy & utilities. All sectors have made improvements in their risk
management – in their self-evaluation score and the survey score – with the exception
of telecommunications, information technology and entertainment and trade (own
report mark only).
The fact that the telecommunications, information technology and entertainment
sector has actually worsened according to its own admission is endorsed by our survey
score. In view of the relatively strong increase compared to 2009, financial services
seem to have invested further in risk management.
Figure 13: Comparison of report scores (self-evaluation) 2014 versus 2009 (chart not reproduced in this text)
Based on our score guide, financial services scores highest and telecommunications,
information technology and entertainment the lowest. The greatest discrepancy
between the self-evaluation score and our score can be seen for manufacturing, and
the least discrepancy in financial services and transport & logistics. The non-profit sector
does not score significantly lower than the other sectors, but is slightly lower than
financial services and energy & utilities.
Figure 14: Comparison of survey score (score guide) 2014 versus 2009
We also broke down the scores from the survey according to turnover and organisation
size. This clearly shows that the larger the organisation, in terms of turnover/budget or
number of FTEs, the higher the score for risk management. There is just one exception to
this rule: the smallest FTE category (0 - 49 FTE), with a score of 4.52 (2009: 4.42), scores
higher than the next two FTE categories.
Figure 15a: Survey score, by turnover

Turnover category (EUR)      2014 Number   2014 Average   2009 Number   2009 Average
0 - 50 million               335           4.22           418           4.16
51 - 100 million             157           4.48           198           4.22
101 - 500 million            173           4.99           215           4.81
501 million - 1 billion      27            5.48           29            6.09
> 1 billion                  19            6.73           50            6.92
Total                        711           4.60           910           4.54

Figure 15b: Survey score, by size

FTE category                 2014 Number   2014 Average   2009 Number   2009 Average
0 - 49 FTE                   96            4.52           110           4.42
50 - 99 FTE                  98            4.26           120           4.15
100 - 500 FTE                323           4.36           404           4.22
501 - 1,000 FTE              86            4.79           107           4.75
1,001 - 10,000 FTE           103           5.42           159           5.37
> 10,000 FTE                 6             6.72           12            7.06
Total                        714           4.60           912           4.54
How do self-evaluation scores relate to survey scores?
We assessed whether there is a significant relationship between our scores and the
scores the respondents gave themselves, and this would appear to be the case. In
other words, if respondents rate themselves higher, we also give them a higher (survey)
score. This relationship applies in 25 percent of the cases. Although this may appear to
be a low percentage, it is still respectable for this type of survey. A similar comparison
with the maturity model (see below) reveals a less close relationship. In this case, almost
19 percent of the report marks the respondents give themselves corresponds with the
level of maturity they accord themselves based on the five Beasley levels.
We conclude from this that the respondents’ report mark does not depend on the level
of maturity of their risk management. The relationship between their own report mark
and the survey score based on our score guide, confirms that respondents base their
mark less on the tangible aspects of their risk management than we did.
The advantages of risk management as identified by the respondents themselves
A new question in our 2014 survey involved explicitly identifying the advantages of a risk
management system for an organisation according to the respondents’ own views. The
more generic, qualitative characteristics such as fewer surprises, more confidence that
goals will be achieved and improved reputation are noticeably rated as positive.
However, more quantitative advantages that have a direct impact on the balance
sheet or profit and loss account, such as lower capital costs, fewer fines, higher margins,
a higher turnover and/or increased market share actually score lower. This is
disappointing, in terms of substantiating the business case for risk management from a
quantitative perspective, but does confirm that there has only been limited research
related to effective risk management and the direct financial contribution it makes to
the success of the organisation.
Figure 16: Advantages of risk management

Advantages                                                        Average score   Standard
                                                                  (scale 1-5)     deviation
Fewer surprises                                                   3.6             0.88
More confidence in achieving the budget/objectives                3.5             0.86
Fewer departures from the budget/planning                         3.2             0.88
Reduced capital costs *                                           2.5             1.06
Improved estimation of provisions                                 3.1             1.02
Fewer complaints from customers/staff                             2.9             1.04
Fewer and less serious corporate incidents                        3.0             1.07
Fewer claims and lawsuits                                         2.9             1.11
Fewer instructions and/or fines from the supervisory authorities *  2.7           1.21
Less negative media attention                                     2.9             1.16
Increased customer satisfaction                                   3.1             1.02
Increased employee satisfaction                                   2.9             0.98
Increased margin *                                                2.6             1.03
Increased turnover/profitability *                                2.6             1.04
Improved reputation                                               3.4             0.98
Increased growth/market share *                                   2.5             1.02

(Quantitative advantages are shown in orange in the original figure; those named as quantitative in the text above are marked * here.)
Based on the rating for the risk management system and the advantages gained
according to the respondents’ own judgements, we investigated whether the risk
management system has an influence on business performance. Our empirical research
revealed that organisations do not see the benefit of risk management in controlling
growth. According to its users, the application of risk management results in reduced
capital costs and enhances the organisation’s reputation.
Risk maturity
We also asked the respondents to categorise their own organisation using a risk maturity
model. In this case, the responses are less easily compared with those from 2009. This is
because we have based the definition of the different stages on recent literature. Five
years ago, we were more generous in defining the different stages (see note 6).
The model uses five stages of development (see question 35 in the questionnaire,
Appendix 3). The higher the figure, the more mature the risk management:
• Stage 1: there are currently no plans for the introduction of a risk management
system;
• Stage 2: we are investigating the possibility of introducing a risk management
system, but have not yet made a definitive decision;
• Stage 3: we are currently planning the implementation of a risk management system;
• Stage 4: currently, a risk management system is partly in place and implemented;
• Stage 5: a fully-fledged risk management system is in place and implemented.
In view of their own maturity scores, organisations appear to be quite confident about
their risk management. Almost 49 percent ended up with maturity level 4 or 5, and if we
deem level 3 to be a pass, the percentage awarding itself a pass increases to 57.
Almost half of all respondents (43 percent) have no risk management system, no plans
to introduce one or are only investigating the desirability of such a system. The
remaining half (49 percent) have implemented at least a partial risk management
system. Only 8 percent have concrete plans for the introduction of a system. It would
appear that, by 2014, the choice of whether or not to have a risk management system
has already been made.
Figure 17: Risk maturity model
Stage 1: 27%
Stage 2: 16%
Stage 3: 8%
Stage 4: 40%
Stage 5: 9%
6 This type of maturity model has previously been applied in the studies by Beasley et al. (2005) and Ward (2003). In
2009, the stages of maturity were defined more generously than those according to Beasley et al. This leaves
greater room for interpretation making the difference between stages slightly vaguer than the original stage
categories of Beasley et al. Although this did not ultimately lead to any confusion among respondents, as the
way they answered this question shows, the levels have been reformulated again in 2014 in order to better reflect
the original basic categories of Beasley et al. For this reason, the 2014 results cannot be compared with those
from 2009, or only to a very limited extent.
If we look at the different sectors, the distribution appears to be relatively wide in the
healthcare, government/non-profit and manufacturing sectors.
Figure 18: Maturity levels, by sector

                         Maturity score (number of respondents)
Sector                   1      2      3      4      5      Number   Average   Median
Energy & Utilities       3      3      1      7      2      16       3.1       4
Financial services       4      3      2      27     17     53       3.9       4
Healthcare               18     19     13     47     6      103      3.0       4
Trade                    32     17     6      53     5      113      2.8       4
Gov./Non-profit          40     19     14     52     9      134      2.8       3
Manufacturing            46     28     9      47     10     140      2.6       2
Telecoms, IT, etc.       7      7      1      2      1      18       2.1       2
Transport & Logistics    8      3      1      9      2      23       2.7       3
Commercial services      25     16     7      31     5      84       2.7       3
Total                    183    115    54     275    57     684      2.9       3
As a percentage          27%    16%    8%     40%    9%     100.0%
Here too, we see the earlier report marks confirmed: the high score for financial services
and energy & utilities. This is also the case for the lower report marks, as
telecommunications, information technology and entertainment shows. Trade,
manufacturing and government account for the majority of stage 1 organisations
(around 60%). Government and healthcare still tend to be at the third level: the
planning stage.
There is a significant link between the survey score and the maturity score based on the
five Beasley stages, which provides a good indication that our score guide is an
effective measure of the maturity of the risk management system.
4.3 Risk assessment and analysis
How often is an integrated and enterprise-wide risk assessment and analysis
conducted within the organisation?
The key to the success or failure of any risk management is a clear and shared view of
the relevant risks for the organisation, their characteristics and priorities. A risk analysis
offers just that. In a rapidly changing environment, organisations obviously regularly
assess their risk profile in terms of how up-to-date and relevant it is and make any
necessary adjustments to enable them to respond quickly and effectively to changes.
This makes it all the more noteworthy that 68.1 percent (2009: 52.8 percent) of
respondents do not conduct this kind of analysis more than once a year, and as many
as 13.3 percent (2009: 27.8 percent) still conduct no assessment and analysis at all. To
say that these organisations conduct no risk management at all would be an
exaggeration, but this does raise important questions. The improvement since 2009 is
positive progress, since the analysis now takes place at least once a year in most organisations.
Managers also often point out that managing risks is part of their everyday work. It often
happens implicitly. But is that enough? It reflects the impression we have gained from
our observations of practice: when risk assessment and analysis is conducted, it is
relatively instrumental, often once per year immediately before or after the start of a
new planning year.
Figure 19: Frequency of risk assessment and analysis
Profit and non-profit organisations appear to spend an equal amount of time and
energy on analysing risks and there is no major difference between the various sectors.
Although that may seem acceptable in itself, it is remarkable. After all, we would
expect risk management to be common practice in highly-regulated sectors, such as
financial services, and therefore for this kind of analysis to be conducted with greater
regularity. In view of the competitive environment in which they work, one might also
expect profit organisations to conduct analyses more frequently than those in the non-profit sector.
However, we were able to confirm one of our other assumptions. We expected that the
size of the organisation would have an impact on the extent to which risk management
has become institutional and therefore also on the frequency of risk analyses. This
proved to be the case: all organisations with turnover/a budget in excess of € 1 billion
conduct risk assessments with significantly greater frequency.
When is the risk assessment and analysis conducted?
We consider it important for organisations to regularly assess risks in relation to the
strategy and objectives of the organisation and believe that risk management activities
should be integrated as far as possible within existing management activities. This would
lead one to expect to see risk assessment or analysis at least included within the
planning & control (P&C) cycle. After all, the logical rhythm and nature of that cycle
can be effectively combined with thorough risk assessment and analysis.
The results show that the P&C cycle is used in 78.4 percent (2009: 60.1 percent) of the cases
to conduct the risk assessment and analysis, whereas one might expect that figure to
be around 100 percent. We also noted that non-profit organisations do this more than
profit organisations do (87.6 versus 73.7 percent). These percentages are higher than
those in the survey in 2009, with a significant increase in the non-profit sector being
particularly noticeable. In 2009, only 60 percent of those surveyed incorporated the risk
management process within the P&C cycle.
Figure 20: Timing of risk assessment and analysis (in %)

                                 2014                                   2009
When?                            Average   Profit    Non-profit         Average   Profit    Non-profit
                                           (N=475)   (N=251)                      (N=548)   (N=368)
Planning & Control cycle         78.4      73.7      87.6               60.1      56.9      65.5
Acquisitions/(dis)investments    20.1      23.8      13.1               15.9      19.9      10.3
Key projects/developments        33.3      33.9      32.3               24.3      24.3      24.7
Strategic decisions              30.9      31.6      29.9               22.5      27.0      16.0
Important incidents              16.1      15.6      17.1               11.7      13.1      9.8
However, since risks are not generally dictated by the rhythm of the cycle, it also makes
sense to evaluate the risk profile whenever there are important changes, whether
internal or external. But the survey reveals that organisations do not apply this good
sense. The highest score for this question is 31.6 percent for the profit sector, which we
consider to be a very low percentage. After all, strategic decisions are of great
importance for any organisation and should involve an assessment of risk. In all other
cases, the level of risk analysis remains the same or is even less, which can only be
described as disquieting.
Fortunately, there does appear to be a positive trend, since there is a rise compared to
2009 for all occasions mentioned. Various things are worthy of note: in the non-profit
sector, a risk analysis is conducted for strategic decisions almost twice as often (from
16.0 to 29.9 percent). This also applies for important incidents (from 9.8 percent to 17.1
percent). Possible explanations for this include: reduced pressure from the government,
pressure on budgets, a shift of activities and budgets to lower levels of government, the
large number of incidents and the vulnerability of society and the resulting need to take
greater risks. There is increasingly less room to deal with the unexpected.
What risks are being assessed?
Figure 21: Risks identified 2014 – 2009
In the best-case scenario, risk analyses include all potential risks. It would therefore seem
logical to focus primarily on (financial) reporting risks in view of the emphasis on this in
corporate governance regulations in particular. But research[7] actually shows that
operational risks and, to an even greater extent, strategic risks ultimately represent the
greatest threats and involve the greatest consequences. On a positive front, all risks are
being assessed more frequently than they were in 2009, and especially strategic,
operational and financial risks. Whereas compliance risks achieved a relatively low
score in 2009, these are now being assessed almost twice as often. This reflects a familiar
trend of increasing legislation and regulations and decreasing tolerance within society
of poor risk management. We also note that financial reporting risks and legitimacy risks
score low. Below, you will find an overview of all of the risks identified/assessed, divided
into profit and non-profit, comparing 2014 and 2009.
Figure 22: Risks identified[8] profit – non-profit (in percentages)

Risk                          2014                              2009
                              Average   Profit    Non-profit    Average   Profit    Non-profit
                                        (N=475)   (N=251)                 (N=548)   (N=368)
Strategic risks               66.2      64.8      68.9          49.4      49.8      49.2
Financial risks               86.4      85.1      89.2          69.1      67.6      71.5
Operational risks             77.6      79.2      74.9          59.9      62.7      56.5
(Financial) reporting risks   27.9      30.9      22.3          23.2      26.1      15.9
Legitimacy risks              27.5      21.7      38.6          -         -         -
Compliance risks              47.0      50.9      39.8          26.8      29.2      20.5
Reputation risks              38.0      34.3      45.0          -         -         -

[7] PricewaterhouseCoopers Advisory, Internal Audit, ‘An opportunity for transformation’, 2008
[8] The categories have been changed since 2009, with the addition of legitimacy risks and reputation risks.
Compared to the profit sector, the non-profit sector assesses and analyses its strategic,
financial and reputational risks more. This is easily explained in view of the public and
social nature of their work. The highest score for financial risk can possibly be explained
by the pressure on budgets, reduced room for setbacks, less pressure from the
government and a shift of core activities to lower levels of government. By the same
token, one might also expect operational risks (quality, no room for error, right first time,
etc.) to play a greater role in the profit sector. This is not confirmed by the results of our
survey. For profit organisations, the low score for compliance can possibly be explained
by the fact that non-profit respondents do not see a clear distinction between
compliance risks and legitimacy risks. Finally, it is interesting to note that legitimacy risks
also play a role in the profit sector. At 21.7 percent, that risk scores unexpectedly high,
which can only be explained by possible contributions from commercially-oriented
semi-government organisations.
Figure 23 in particular shows the integrated nature of risks (or the lack of this integration).
In it, the number of different types of risks that respondents take into account becomes
clear. We draw a distinction in this between profit and non-profit. In profit organisations,
all seven types of risk are taken into account in only 20.8 percent of the cases (2009:
16.5 percent). Non-profit organisations do this slightly more frequently: in 21.9 percent of
the cases.
Several things stand out, compared to 2009. Greater numbers of respondents adopt an
integrated approach to assessing risk, with a significant increase for non-profit in
particular: from 7.9 percent for a maximum of 5 to 21.9 percent for 7 risks. In this, non-profit is now ahead of profit, which reflects the greater focus on and increase in the
quality of risk management within the government/non-profit organisations.
A similar picture – but more extreme – can be seen for ‘assessing 6 risks’ (4 in 2009). The
significant difference between profit and non-profit is genuinely noteworthy, but difficult
to explain.
This also applies for ‘assessing/identifying 3 types of risks’, which scores highest in non-profit and, together with ‘7 types’, would appear to be common practice in almost 45
percent of the cases. However, the picture for ‘4 types of risks’ is the exact opposite.
For non-profit, the spread in the number of times is relatively wide, whereas in the case
of profit organisations, the number of types of risk categories appears to be reasonably
concentrated at 1 to 4, with one outlier towards the integrated end (7 types).
It is almost encouraging that only 6.9 percent (for profit, compared to 4.8 percent for
non-profit) of respondents still do not take a single risk category into account, where it is
interesting to note that this is greater for profit than it is for non-profit. Of course, this is in
line with the 13.3 percent that do not conduct risk assessments (see Figure 19).
Figure 23: Number of types of risks identified/assessed (bar chart: percentage of respondents, axis 0 to 30 percent,
by number of risk types from 0 to 7, profit versus non-profit). Values legible in the chart: 7 types: 20.8 percent
(profit) and 21.9 percent (non-profit); 0 types: 4.8 percent (non-profit); further bar labels 14.7, 13.7, 12.6 and
1.2 percent.
How many layers of management does your organisation have and at which
levels of management are the risks assessed?
The number of levels of management involved in risk assessment and analysis shows
how widely spread risk management is across the business. In an ideal scenario, all
layers of the organisation will be involved in drawing up a risk assessment and analysis.
However, at first glance the results do not appear to offer much hope in this regard: in
75 percent of the cases, the Executive Board/Directors/first level management only
is/are involved. The results from 2014 and 2009 cannot be compared directly (see
caption below Figure 24), but in 2014 there does appear to be a trend for the
assessment to be conducted at a higher and limited number of levels only.
Figure 24: Risk assessment management level

Risk assessment management level                                   2014 (percentage)   2009* (percentage)
Executive Board/Directors only                                     20.6                54.5
Executive Board/Directors and 1st management level                 54.5                41.0
Executive Board/Directors and 1st and 2nd management level         19.3                23.2
Executive Board/Directors and 1st, 2nd and 3rd management level     3.7                14.0
Executive Board/Directors and more than three management levels     1.8                 2.3

* In 2009, this question was different since it asked about participation in each management level; as a result,
several responses were possible and responses were not mutually exclusive. This also explains why the total
exceeds 100%.
The above requires some qualification and the number of management layers in the
organisation needs to be taken into account. If there is a big difference between the
number of layers present and the layers in which the assessment takes place, we
believe the above to be particularly concerning.
Figure 25 explains this and broadly confirms the above. There is a noticeable
discrepancy between Executive Board/Directors only and Executive Board/Directors
and first and second management level. The number of organisations with two or more
management levels is almost 45 percent, but only 25 percent of risk assessments are
conducted at these levels. In view of the fact that it is desirable for these assessments to
take place across the business, this is somewhat surprising. It means that the risk
management is not conducted at any great depth within organisations.
Finally, we compared the organisational layer at which an ‘in control’ statement is
requested with the number of layers and the risk assessments. This reveals a similar trend,
in other words an activity/responsibility that is rising higher within the hierarchy. We
believe this to be an important indicator of the risk culture and control awareness of the
organisation. As long as this responsibility is not broadly shared and there is no
accountability for it, risk management will never truly become part of the DNA of the
organisation in our experience.
We have established (see Figure 25 below) that there is a significant link between
turnover and the number of management layers, but even in organisations with
turnover in excess of 1 billion euros, there is still only limited participation by the third
layer of management (10.5 percent).
Figure 25: Management level of risk assessment compared to number of layers of management (in percentages)

Number of layers of management             How many layers of      At what level of       For which organisational
                                           management are there    management are the    level is an in control
                                           in the company?         risks assessed?       statement requested?
Not applicable                             -                        7.2                  45.5
Executive Board/Directors                   7.3                    20.6                  29.3
Executive Board/Directors and 1st layer    49.9                    54.5                  11.4
Executive Board/Directors and 2nd layer    33.3                    19.3                   3.6
Executive Board/Directors and 3rd layer     6.5                     3.7                   1.5
Executive Board/Directors and >3 layers     3.0                     1.9                  -
Which techniques are used for risk assessment and analysis?
The results show virtually no difference between profit and non-profit across the board.
More regulated sectors, such as financial services and the energy sector stand out
positively from the average. The quality of any risk assessment and analysis depends on
the choice of techniques, the people and the sources used. The quality improves if
many people are involved in it and different techniques are used simultaneously in
order to access as many sources of information as possible. In addition, certain
techniques are specific to particular sectors, with more quantitative techniques
primarily being used in the financial sector. The results reveal that 68.8 percent of
respondents use quantitative techniques and 87.1 percent use qualitative techniques.
Relatively speaking, we find the first figure surprisingly high and it confirms the trend
observed in practice for making risk management more tangible by quantifying it.
Significant increases can be seen for almost all techniques compared to 2009, with
incident recording leading the way (see Figure 26). This is an indication of the increasing
professionalisation of the discipline. In many cases, there are only very limited
differences between profit and non-profit for the qualitative techniques and the
increase is more or less the same. Document study (2014: 1 compared to 2 in 2009) and
interviews (2014: 2 compared to 1 in 2009) have swapped places in terms of being the
most popular technique. All of the newly-added techniques (not to be confused with
new techniques) would appear to be primarily specialist in nature, achieving scores of
around 10 percent. The technique of serious gaming/war gaming, which is to be
classified as a relatively new technique, stands out from the rest by achieving a score of
only 2.1 percent.
Figure 26: Risk management techniques, 2014 compared to 2009, financial services, profit and non-profit (in percentages)

Technique                                   Average         Financial services   Profit (N=475)   Non-profit (N=251)
                                                            (N=64)
                                            2014*   2009    2014*   2009         2014*   2009     2014*   2009
Document study                              73.7    38.6    71.9    39.1         73.5    34.3     74.1    44.3
Interviews                                  70.0    42.2    80.7    57.8         68.4    42.1     72.9    42.4
Workshop                                    40.6    17.4    68.4    34.4         41.1    17.2     39.8    17.9
Questionnaires/Checklist                    69.7    36.8    82.5    56.3         70.9    37.7     67.3    35.3
Incident recording                          69.7    24.7    89.5    42.2         72.6    27.3     63.7    20.9
Scenario analyses                           57.3    31.0    82.5    48.4         60.0    33.6     52.2    27.7
Sensitivity analyses                        33.3    19.3    57.9    34.4         38.7    22.4     23.1    14.9
Simulations                                 28.1     9.6    49.1    15.6         30.7    10.9     23.1     7.6
Stress testing                              22.9     5.4    73.7    31.3         26.7     8.2     15.5     1.1
Value at Risk                               23.1     8.7    59.6    32.8         28.8    11.1     12.4     5.2
Economic capital                            16.1     5.7    47.4    29.7         21.1     7.5      6.8     3.3
Back testing                                 8.3    -       36.8    -            11.6    -         2.0    -
Serious gaming/war gaming                    2.1    -        7.0    -             2.3    -         1.6    -
Fault tree analysis                         11.7    -        7.0    -            12.8    -         9.6    -
Fishbone method                             11.3    -        8.9    -            12.2    -         9.6    -
Hazard and operability study (HAZOP)         8.0    -        5.3    -            11.4    -         1.6    -
Failure Mode and Effects Analysis (FMEA)    10.5    -        8.8    -            12.8    -         6.0    -

* In 2014, six techniques were added to the set of tools (see table for the techniques that were not recorded in
2009).
Interviews, document studies, questionnaires and incident recording are seen to be the
most frequently-used techniques, hovering around 70 percent. Enabling a proper
dialogue about risks and the background to them and how to deal with them is more
important than agreeing a risk profile. The process itself is more important than the result.
In this respect, we are surprised by these results. The number of workshops has increased
significantly since 2009, rising from 17.4 percent to 40.6 percent, but remains relatively
low in our view. Another surprising result is that more than half of respondents make use
of scenario analysis, making this technique the fifth most frequently used.
4.4 Risk management reporting and risk monitoring
How frequent is internal reporting about risks?
Internal reporting about risks is an important element of risk management. For senior
management within an organisation, it makes sense to have a good understanding of
the nature and scope of the risks being run by the various organisational divisions. Only if
that understanding exists can a board truly assess the value of the financial and other
performance of an organisational division. A properly-conducted risk management
report gives a clear answer to the question of how much risk is involved in achieving the
reported (financial) results. This kind of report also gives more senior management an
understanding of what is happening lower down within the organisation and how the
managers responsible are dealing with the issues. Of course, this primarily makes sense if
the internal reporting is both periodic (preferably monthly, but in any case reflecting the
P&C cycle) and ad hoc, whenever a specific situation calls for it.
Our first impression is that there have been hardly any shifts/changes compared to 2009,
suggesting a stable picture, with one, highly favourable, exception. Only 5 percent
(2009: 11 percent) of respondents now indicate that there is no internal reporting about
risks. This is a considerable improvement since 2009. It is likely that this 5 percent engage
in hardly any risk management at all. In any case, conducting risk analysis without
reporting on it is of little use. Without the reports, it is impossible to monitor or manage
your risks.
Figure 27: Frequency of internal reporting about risks

Frequency                 2014 (in %)   2009 (in %)
Not applicable             5            11
Weekly                     3             4
Monthly                   22            23
Quarterly                 42            38
Annually                  33            31
Occasionally/ad hoc       20            29
For the 95 percent (2009: 89 percent) of respondents that conduct internal reporting, it is
worth noting that 33 percent (2009: 31 percent) do this once annually only. In view of
the rapid changes in risks caused by the current dynamic, this figure is far too low.
Surprisingly, if we distinguish between the results based on organisation size, this
percentage is even higher for organisations with an annual turnover/budget in excess
of € 1 billion. Unfortunately, this trend is not compensated for by occasional/ad-hoc
reports. Here too, we still see a low score and further regression compared to 2009.
Of the respondents, 42 percent (2009: 38 percent) report internally about risks every
quarter and 22 percent (2009: 23 percent) every month. In the financial sector in
particular, almost half of respondents report on a monthly basis. This is in line with our
expectations, in view of the reporting requirements laid down by supervisory authorities
such as the DNB. The energy sector also largely reports about risk on a monthly basis.
Only a very small group (3 percent) shows the response option “weekly”. In addition, 20
percent (2009: 29 percent) indicated that they (also) report about risks on an
occasional/ad-hoc basis.
What does an internal risk report include?
Reporting about risks only really makes sense if the report is tailored to the target group.
This puts the recipient in the best position to carry out his or her duties and responsibilities
and make decisions, take action and where necessary make adjustments. We
therefore expect the report at least to include the most important risks, the status of the
main management/control measures, the development of risks and the status of
improvement measures.
In general, the picture here is stable compared to 2009, with (slight) increases almost
across the board. The status of the main control measures is the only thing that stands
out slightly. Only ‘important external changes’ shows a slight decrease compared to
2009. Approximately 71 percent (2009: 66 percent) report internally about the most
important risks. Organisations also report frequently about incidents. This is
understandable and makes complete sense: you learn from errors and further improve
the risk profile. The other scores show that there is still a lot that can be improved. For
example, critical risk indicators are hardly ever used now.
Figure 28: Subjects included in internal reports

Report about                                      2014 (in %)   2009 (in %)
Most important risks                              70.8          65.8
Status of the main control measures               46.7          37.4
Critical risk indicators                          22.9          16.4
Development of/changes to risks                   45.6          41.0
Incidents that have occurred                      50.0          46.5
Important internal changes and consequences       29.9          29.9
Important external changes and consequences       30.6          31.8
Status of improvement measures                    41.0          37.9
When are the risks discussed?
Risk management should preferably be anchored within regular management activities
and primarily as part of the natural combination with the P&C cycle. This means that
management and risk management coincide naturally. The time to discuss risks is during
regular internal meetings of the Executive Board/Directors/management. There is also
regular discussion of risks on an ad-hoc basis. Somewhere between 40 and 45 percent
of respondents discuss risks as part of discussions about internal and external audit
reports and at audit committee or supervisory board meetings. We consider this to be
too low a percentage and it has even reduced somewhat since 2009. The low(er) score
for business reviews/business plan progress discussions (just 26.2 percent) also stands out.
This may be because it is now part of the planning & control cycle, which previously
scored much higher for risk assessment and analysis or because of the frequency of
monitoring/reporting on a quarterly basis. Another option is that this is partly cancelled
out/covered by the higher score for budget discussions. The role of risk management in
project progress meetings is also still low, although there has been a slight improvement
since 2009.
Figure 29: When do you discuss risks?

Discussion                                                         2014 (in %)*   2009 (in %)
As part of Executive Board/Directors/Management Team meetings      75.6           66.0
As part of business reviews/business plan progress meetings        26.2           28.4
As part of discussions of internal and external audit reports      43.0           43.7
As part of audit committee/supervisory board meetings              44.1           45.9
As part of budget discussions                                      41.2           46.1
Ad hoc/in the event of incidents/at major meetings                 43.5           48.2
As part of project progress discussions                            36.5           31.2
As part of the Annual Shareholders Meeting                         10.7           -
As part of consultations with external parties                     20.7           -
As part of risk committee meetings                                  9.8           -

* Here too, several options were added to the questions in 2014 (see elements with no score in 2009).
In organisations with an audit committee, risks are discussed at these meetings in 70
percent of the cases[9]. We consider this to be a low percentage, also in view of the fact
that many corporate governance codes include the discussion of risks as best practice.
It would appear that this has not hit home everywhere.
Finally, the score of 9.8 percent for risk committee meetings is extremely low. This
may be related to the fact that still only few organisations – outside the financial sector[10]
– have separate risk committees.
[9] 356 respondents have an audit committee, but only 248 organisations discuss the risks with the audit
committee (248/356 = 70%).
[10] In the Banks Code (Code Banken, 2009) published by the Dutch Banking Association (Nederlandse Vereniging
van Banken) the risk committee is introduced as a subcommittee of the supervisory board. Committees of this
kind focus on risk management in banks, but are still relatively rare in the Netherlands.
Do you use statements from the management responsible indicating that their
organisational division is ‘in control’?
Risk management becomes explicit when it is confirmed by means of an ‘in control’
statement. In the best-case scenario, this kind of statement serves to boost the quality of
the underlying information and risk management. It is recommended that whenever the
most senior management issues a statement of this kind, it is based on in control
statements issued by lower layers of management. This is actually increasing since more
and more organisations are obliged to issue an external in control statement, often as a
result of corporate governance codes, such as the Dutch Corporate Governance
Code. Almost 63 percent of the respondents do not make use of internal statements.
Figure 30 below shows what the internal statement for the remaining 37% actually
relates to. For this question it was possible to give multiple answers.
Figure 30: ‘In control’ risks

Risks*                                         Percentage (N=271)
In the area of strategic risks                 27.3
In the area of financial risks                 77.1
In the area of operational risks               54.2
In the area of (financial) reporting risks     50.2
In the area of legitimacy risks                33.6
In the area of compliance risks                46.9

* In 2009, there were only three potential answers to this question: no, yes for financial reporting or yes for all risk
areas. In 2014, it is possible to provide a more nuanced picture of risk areas.
Of respondents who indicated that they use this kind of statement for financial
reporting risks, 18.5 percent (50 percent of those voting yes; 2009: 21 percent) are
primarily in the profit sector. Strategic risks and legitimacy risks apparently play only a
limited role. In view of the importance of strategic risks this is remarkable. For legitimacy
risks this is explainable, as this primarily plays a role within governmental organisations/
non-profit organisations. This one-sided approach seems to agree with the integrated
nature of the statements. There is still a large group that only prepares a statement on a
single risk type (22.9 percent). Although the question was posed differently in 2009
(choices: no, only financial reporting risk, integrated risk) only the 21 percent score on
financial reporting risks is comparable. A significant increase is visible in the scores for
the integrated nature of the statement: 27.3 percent in 2014 compared to 10 percent in
2009. This means that the focus is on the more traditional risk groups.
A comparison with 2009 is not possible. In 2009, there were three potential answers:
• No, no ‘in control’ statement
• Yes, in the area of financial reporting
• Yes, in all risk areas (strategic, operational, financial reporting, legislation and regulations)
So, if an in control statement is used, which layers of the organisation does it apply to?
The more layers of management are involved in an in control statement, the more
successful an organisation is in conducting risk management effectively. Because the
deeper the awareness of the risks (preferably down to the sinews of the organisation)
and of the importance of being in control, the better the potential for effective risk
management.
As was to be expected, the percentage falls the deeper we go down the organisation.
Interestingly, only 29 percent (2009: 22 percent) of respondents issue a statement to the
highest layer of management. In the previous question, we saw that 37 percent (2009:
31 percent) work with an in control statement. It is possible that some of the
respondents felt unable to answer yes to this question because they issue an external
statement only. What is both surprising and concerning is that the level of penetration
within the organisation is lower at all levels than in 2009, which means that the in control
statement increasingly ends up with the Executive Board/Directors only. We believe that
this fails to promote a culture of awareness of risk and control involving active and
visible accountability. This point is reinforced further by the fact that the total
percentage of organisations issuing a statement has fallen compared to 2009 (from 49.2
percent in 2009 to 46 percent in 2014).
Figure 31: In control by organisational layer

In control by organisational layer                                         2014 (in %)   2009 (in %)
In control statement from the Executive Board/Directors                    29.3          22.1
In control statement from the 1st layer of management                      11.4          14.4
In control statement from the 2nd layer of management                       3.6           8.1
In control statement from the 3rd layer of management                       1.5           3.2
In control statement from more than three layers of mgt. below
Executive Board/Directors                                                   0.8           1.4
4.5 Risk management and organisation
Has the risk appetite been determined or recorded within your organisation?
If risks are to be effectively managed, it is important to be clear about the extent of risk
appetite. This provides an impression of what is considered to be a major or minor risk.
Risk appetite also provides information about where action is required and perhaps
even what kind of action. Without a clear-cut and explicit risk appetite, it is difficult to
talk of integrated and enterprise-wide risk management.
In response to the question as to whether risk appetite had been determined at all, 42
percent indicated that this had happened. This is a significant increase compared to
the result reported in 2009 (31.8 percent). This is encouraging, in view of its importance
and because many organisations still struggle to apply the concept of risk appetite to
their business operations in practice.
Figure 32: Determining risk appetite

Risk appetite characteristics*                            Percentage (N=305)
Determined qualitatively                                  77.0
Determined quantitatively                                 68.2
Determined specifically for one or more risk groups       48.2
Risk appetite recorded                                    66.2
Risk appetite communicated                                61.0

* These aspects were added in 2014 to the question about risk tolerance/appetite.
The quality of the risk appetite concept in an organisation (application, effect, etc.) is
determined by various characteristics, as detailed in Figure 32. All of these
characteristics score higher than 60 percent, with the exception of the specific
approach adopted for certain risk groups. Although in practice risk appetite is often
expressed in qualitative terms, the score for it being determined quantitatively is still
almost 70 percent. It is strange that recording and communication score relatively low
and are not approaching 100 percent, since this lies at the heart of the power of this
concept. If applied, it sends out a clear message. Only in small, ‘simple’ organisations is
it possible to forego this and still achieve an effect.
The results cannot be compared to 2009, because the question has been changed
(“Has risk tolerance been quantified?”). We can of course explore whether there are
differences across sectors. This turns out to be the case. In the non-profit sector, it is
communicated significantly more and risk appetite is also determined qualitatively
more often.
Figure 33: Determining risk appetite, profit – non-profit

Risk appetite characteristics*                            Profit (N=226)   Non-profit (N=79)
Determined qualitatively                                  75.7             81.0
Determined quantitatively                                 68.1             68.4
Determined specifically for one or more risk groups       51.3             39.2
Risk appetite recorded                                    67.3             63.3
Risk appetite communicated                                63.3             54.4

* N = 305 (42.0%) breaks down as 226 (74.1%) profit and 79 (25.9%) non-profit.
Who coordinates the risk management activities?
Of course, the management itself has ultimate responsibility for risk management in an
organisation. However, we also see a role for a coordinator, often a central officer who
serves as a facilitator. We therefore expect this to be a role for a central support
department, preferably.
So why is this? Various departments and positions can serve as coordinators. The term
coordination can sometimes prove confusing because it is open to interpretation. Some
people argue that a situation involving various coordinating positions can cause
problems. Others assert that the more positions are involved with risks, the more
effective risk management will be.
The respondents’ answers provide a few points of interest. First of all, the increase in the
number of special risk management functions/departments. This is further supported by
a reduction in the number of respondents with no organised function and a slight
increase in the role played by the quality department. It is difficult to link this with Figure
7 on the subject of the CRO position, because based on that, an even higher score
would have been expected. The same applies for the special committee (see link with
Figure 34).
Figure 34: Coordination of risk management

Function                                            2014 (in %)   2009 (in %)
A special risk management function/department       19.9          12.8
A special committee                                  7.3           6.0
Line management                                     30.4          33.9
The financial function                              47.7          64.1
The insurance department                             3.3           5.0
Internal audit/internal auditing service            15.0          17.7
The compliance department                            9.8           7.4
The quality department                              20.5          18.7
Not organised                                        5.2           6.7
The diminishing role of the first line can be explained in two ways. Either the respondents
are applying the ‘three lines of defence’ concept more strictly (see also the next
question), or risk management is primarily a line activity and part of regular business
operations; seen this way, a decrease is unfortunate.
It is not surprising that the financial function remains at the top, with 47.7 percent,
although it has decreased significantly compared to 2009 (64.1 percent).
Because some people were of the view that more than just one coordinating position
or department should be avoided, we also calculated the number of coordinators.
Most organisations, 48 percent, have a single coordinating position, 17 percent have two
and 30 percent have three or more coordinating positions.
The number of organisations applying the three lines of defence principle is 148 (22.5
percent). From the perspective of practice, this is still surprisingly low. Recently, a lot has
been written and said about the lines of defence as a concept for organising
governance in the field of risk, compliance and control. Incidentally, the theoretical
and academic evidence for this is limited.
In our analysis, we therefore looked at the differences for each sector and each
turnover category. The fact that the three lines of defence principle is primarily common
practice in the financial sector is hardly very surprising. However, it is surprising to see
telecommunications, information technology and entertainment in second place, in
view of the low score for the level of maturity and the report mark/survey score. All of
the other sectors are at a level of 24 percent or lower, with manufacturing being a
sector in which the concept has made hardly any headway at all. Examining turnover
size also confirms what might be expected, in other words that it is primarily large
companies that know and apply this principle. Only in organisations with a turnover of
500 million or more is the figure of 42 percent reached. Figures 35 and 36 below provide
a more detailed specification of the concept by sector and turnover size.
Figure 35: Three lines of defence, by sector
Sector | Application of Three Lines of Defence (in %)*
Trade | 23.7
Transport & Logistics | 24.0
Manufacturing | 8.7
Financial services | 66.67
Commercial services | 13.3
Telecommunications, IT and entertainment | 33.3
Energy & Utilities | 22.2
Healthcare | 12.1
Government/Non-profit | 14.6
* N = Number of organisations per sector.
Figure 36: Three lines of defence, by turnover
Turnover | Application of Three Lines of Defence (in %)*
0 - 50 million | 9.9
51 - 100 million | 18.6
101 - 500 million | 27.9
501 million - 1 billion | 42.3
> 1 billion | 73.7
* N = Number of organisations per sector.
Which standards do organisations apply when setting up risk management and
internal controls?
Best practice is to use a widely-accredited standard. There may also be specific
standards for certain areas such as IT, or for sectors, such as the financial sector.
The results for the question as to which standard organisations apply also came as a
surprise. We were not expecting to see a mind-boggling 51.3 percent still not applying
any standard at all, although this score has improved since 2009. Although there is no
guarantee that using a model is necessary in order to manage risks, some kind of
reference is helpful. It is no surprise that COSO is still at the top of this list, although not
particularly convincingly, despite people’s frequent references to COSO. INK comes
second and is fast catching up with COSO. The emergence from nowhere of ISO 31000,
reaching number three with a modest 12 percent and definite potential, is also surprising. In
all cases there is an increase compared to 2009, although this is still not particularly
convincing. The previous survey in 2009 revealed that 63.2 percent did not make use of
a standard/model.
Figure 37: Overview of standards used (in percentages)
Standard | Financial services (N=57) | Profit sector (N=475) | Non-profit sector (N=251) | 2014 | 2009
No standard | 10.5 | 49.1 | 47.8 | 48.6 | 63.2
COSO | 64.9 | 29.5 | 20.3 | 26.3 | 21.2
INK/EFQM model | 10.5 | 14.5 | 31.5 | 20.4 | 14.4
ISO 31000* | 17.5 | 12.0 | 12.0 | 12.0 | -
6Sigma | 5.3 | 10.3 | 3.6 | 8.0 | 3.7
Basel/Solvency | 63.2 | 11.2 | 1.2 | 7.7 | 4.7
Management of Risk (M_o_R)* | 3.5 | 4.6 | 4.4 | 4.6 | -
Australian/New Zealand | 1.8 | 0.4 | 1.2 | 0.7 | 0.3
OCEG | 1.8 | 0.4 | 0.4 | 0.4 | 0
AIRMIC | 1.8 | 0.2 | 0.4 | 0.3 | 0
Others | 19.3 | 10.9 | 13.1 | 11.7 | 7.5
* In 2009 this was not included as a category since ISO 31000 had not yet been published. The same applies to
Management of Risk, but this was because it was unknown at that time.
The following differences between sectors are also worthy of note:
• As expected, INK/EFQM is primarily applied in non-profit organisations.
• ISO 31000 is applied relatively little in the profit sector. We know of no logical
explanation for this, particularly since ISO guidelines are used a lot in industrial
environments.
• 6Sigma has a high level of penetration in the profit sector. There is, however, an
explanation for this: it is originally a manufacturing concept.
• Basel/Solvency is only applied in the financial sector (no explanation required), but
still achieves a surprising score of 63 percent, since it is mandatory for insurance
companies and banks; one would expect it to achieve a score in the lowest quartile
unless it involves financial institutions other than banks and insurance companies.
• Management of Risk and OCEG occur primarily within the profit sector.
Which software is used?
The use of software is not necessary in itself, but it improves efficiency and therefore the
further professionalisation of risk management. There are many options for supporting
the risk management process. Certain larger and/or more developed organisations in
the field of risk management use software. The answers given demonstrate that people
may not be fully up to speed with the possibilities of the packages they have
purchased. For example, every Enterprise Resource Planning (ERP) package now has
‘segregation of duties (SoD)’ built into it as standard. This category should therefore
have achieved a much higher percentage in the table below (Figure 38) if the
respondents had been aware of that. Senior management is probably insufficiently
familiar with IT to answer this question properly or – and this is less likely – it does not
classify SoD as a risk management tool.
We asked which software organisations use to support the implementation of
risk management. The results are more positive than in 2009 and reflect the trend
towards the increasing importance of technology in managing risks. This trend can also
be seen in the increasing professionalisation and consolidation of GRC software
companies in recent years. In 32.3 percent of cases, no software is used. Compared to
the 2009 survey (73.8 percent), this has fallen significantly, which means that the use of
software has increased. The question from 2009 has been supplemented to include the
integrated software solutions (referred to as vendors) that are the most well-known,
widely applied and developed according to Gartner/Forrester. In the Dutch market, the scores
for these solutions are very low. SAP (GRC) is the only one that can claim to have any
presence. A diversity of solutions, including self-built ones in Excel or Lotus Notes for
example, still seems to have the upper hand. There is clearly still a lot of progress to be
made and growth to be expected in the future.
Figure 38: Risk management software application and vendors
Risk management software | Percentage
No (supporting) software | 32.2
Nasdaq OMX Bwise | 0.8
EMC (RSA Archer) | 0.1
Thomson Reuters (Accelus) | 0.4
SAP (GRC) | 3.3
IBM (OpenPages) | 0.3
Software AG (Aris) | 0.7
Wynyard (Methodware) | 0.1
Self-developed software | 10.9
Other software | 15.6
The results for functionalities supporting risk management are still depressingly low even
in 2014. There is no clear trend towards improvement and there is even a slight
worsening between 2009 and 2014 (see Figure 39).
Only 1.4 percent of respondents claim to use segregation of duties (SoD) software. We
conclude from this that many of the respondents do not understand the standard
software – for example ERP systems that are supplied by SAP and other software
organisations – but still use them. The percentage of users of this type of standard
software is actually expected to be much higher and therefore the figure of 1.4 percent
(2009: 1.5 percent) should also be much higher.
Figure 39: Use of software for and in support of risk management
Other support software | 2014 (in %) | 2009 (in %)
Brainstorm software | 1.2 | 1.3
Voting software | 2.1 | 2.7
SoD (segregation of duties) software | 1.4 | 1.5
Data-analysing software | 6.8 | 6.4
Process management software | 8.0 | 10.2
Internal audit management software | 5.8 | 7.7
Monitoring software | 6.9 | 5.6
Performance management software | 6.1 | 7.1
Other support software | 4.0 | 5.8
What form does the external reporting about risk management take?
Broadly speaking, the same applies for external reporting as for internal reporting.
Relevant issues to include are: clarity about the integrated risk profile, the changes in it,
the way it is managed and the key measures taken. Corporate governance codes
mean that external reporting about risks is increasingly becoming common practice.
We also assume that external reports have a positive impact on the level of risk
management. This is because in order to report, you also need to start collecting data.
Comparing the results from 2014 to those from 2009 reveals that reporting has generally
increased and improved: in 2009, 25.4 percent of respondents said they reported
nothing, and this has fallen to 16.7 percent; almost all categories score higher than in
2009. Slightly more than half of all respondents report financial risks. Although more or
less all corporate governance rules insist that organisations report at least about finance
or financial risks, the results are nowhere near 100 percent. From this, we conclude that
there is a lot of room for improvement.
Figure 40: Contents of external risk management reports (in %)
Report includes | 2014 (in %) | 2009 (in %)
The way in which risk management was set up | 37.2 | 30.5
Effectiveness of risk management/internal controls (all risks) | 14.8 | 12.0
Effectiveness of risk management/internal controls (financial risks) | 20.0 | 13.1
Risk tolerance in a qualitative sense | 11.6 | 5.3
Risk tolerance in a quantitative sense | 7.2 | 5.2
The most important strategic risks | 41.4 | 36.8
The most important financial risks | 53.0 | 53.8
The most important (financial) reporting risks | 14.9 | 10.6
The most important operational risks | 31.7 | 33.7
The most important compliance risks | 17.9 | 11.3
The most important areas for improvement/measures taken | 25.8 | 27.1
The most important incidents that have occurred | 18.2 | 19.2
The material consequences of incidents | 9.0 | 9.5
The most important changes in our risk profile and internal control system | 15.0 | 12.4
Nothing | 16.7 | 25.4
The slight fall in operational risks (from 33.7 percent to 31.7 percent) is worth noting. On
the other hand, the relatively significant increase in compliance risks can easily be
explained in today’s world.
The decrease (albeit slight) seen for the most important points for
improvement/measures taken is counter-intuitive in view of the requirements set by
society and attempts to make the information more accessible to readers/users. The
figure for ‘contents of external reports’ also clearly demonstrates that the risk tolerance
is generally not mentioned either in qualitative or quantitative terms in external reports,
although the former does feature to some extent.
External reporting elements by turnover category (Figure 41) show that the larger the
organisation, the more it is likely to report about risk management and to do so more
effectively. Interestingly, the turnover category 101 - 500 million is an exception to this
rule on several occasions. We have been unable to find an explanation for this.
Finally, there are several notable exceptions in the picture portrayed of a linear
improvement by turnover:
• the distribution across turnover categories for effectiveness of risk
management/internal control for financial risks (no clear picture that can be
explained);
• an outlier in the turnover category 501 - 1000 million for most important changes in
our risk profile;
• the above also applies to a slightly lesser extent for (financial) reporting risks.
Figure 41: Contents of external risk management reports by turnover category (in percentages)
Reporting by turnover (in millions)
Report includes | 0 - 50 | 51 - 100 | 101 - 500 | 501 - 1000 | >1000
The way in which risk management was set up | 29.8 | 33.3 | 44.8 | 65.4 | 73.7
Effectiveness of risk management/internal controls (all risks) | 11.4 | 10.9 | 18.6 | 26.9 | 52.6
Effectiveness of risk management/internal controls (financial risks) | 20.2 | 17.3 | 23.3 | 15.4 | 31.6
Risk tolerance in a qualitative sense | 8.4 | 11.5 | 10.5 | 23.1 | 52.6
Risk tolerance in a quantitative sense | 6.0 | 6.4 | 5.2 | 15.4 | 21.1
The most important strategic risks | 35.8 | 42.3 | 42.4 | 61.5 | 84.2
The most important financial risks | 48.5 | 57.1 | 52.3 | 69.2 | 84.2
The most important (financial) reporting risks | 12.7 | 13.5 | 13.4 | 42.3 | 31.6
The most important operational risks | 26.2 | 35.3 | 34.3 | 50.0 | 57.9
The most important compliance risks | 13.6 | 17.3 | 19.8 | 46.2 | 63.2
The most important areas for improvement/measures taken | 23.5 | 30.1 | 25.0 | 38.5 | 42.1
The most important incidents that have occurred | 17.8 | 19.9 | 18.0 | 15.4 | 26.3
The material consequences of incidents | 9.4 | 8.3 | 7.0 | 11.5 | 15.8
The most important changes in our risk profile/internal control system | 11.4 | 16.7 | 14.5 | 66.7 | 47.4
Nothing | 18.1 | 18.6 | 14.5 | 11.5 | -
5. Risk culture
In the lead-up to our survey in 2009 and in the light of the results, we often had intensive
discussions about the role of culture in the quality of risk management and whether this
can be incorporated in a questionnaire. This is because a balance needs to be struck
between sufficient relevance/depth and a questionnaire that is attractive/convenient
and quick to complete. At the time, we took the view that this was difficult, if not
impossible and adopted an alternative approach. We need to look at the way in which
organisations configure risk management; it is – as we said at that time – a reflection of
the risk culture/control environment and the importance that organisations attach to
risk management. Who is involved, how often, and is there a dedicated
function/position, a clear scope of risk, how is accountability provided, etc.
This may not be completely watertight, but we are still of the same opinion. Despite this,
when it came to the new survey, we were determined, partly in view of the discussion in
recent years and the actual reconfirmation of the role and importance of risk culture, to
address this issue more emphatically in the questionnaire. The risk culture/control
environment actually forms the foundation for the setting up and above all the
effectiveness of the risk management system. Unfortunately, this was again confirmed in
all of the corporate scandals (including in the non-profit sector!) of recent years in the
Netherlands and beyond. As well as the fundamental lack of effective control
measures, there was always something amiss with the culture.
We opted to gain an impression of the risk culture by asking about management
involvement, the relationship with appraisal and remuneration (incentives) and a
number of statements describing the control environment. We make no claims that the
questions below are exhaustive or cover the issue adequately (if that is at all possible
with a questionnaire/self-assessment alone). We present the results below, together with
a brief analysis.
Who writes the risk section in your annual report?
The annual report constitutes the only formal way of reporting and providing
accountability to all external stakeholders, including society as a whole. The risk section
has been part of the annual report for many years and has recently evolved further in
terms of its size, depth and relevance. In our view, the importance attached to risk
management can be seen reflected in the management function and position
responsible for writing and compiling the report.
Although no comparison with 2009 is possible, it is interesting to note that it is the
financial function, with more than 50 percent of the response, that writes the risk
section. This can partly be explained based on the traditional perspective of the role
played by the financial discipline in risk management and internal controls and, on the
other hand, by the fact that it is not yet common practice to have a separate risk
management officer in every organisation (for more on this, see the question and
analysis about the CRO and coordination of risk management).
Figure 42: Official responsible for writing risk section
Function | Number | Percentage
Not applicable | 128 | 17.7
Managing Director/CEO | 168 | 23.2
The financial function | 383 | 52.8
The risk manager/IC officer/GRC officer | 130 | 17.9
Secretary to the board/secretarial function | 40 | 5.5
Legal department | 14 | 1.9
Other | 55 | 7.6
The low score for the legal department is worth noting because we have the impression
that the legal department actually plays a major role in compiling the report on some
occasions, for example in terms of what information is placed in the public domain. The
same applies, to a lesser extent, to the secretary to the board, which is after all a
specialist position. We do not consider the score of 23.2 percent for the Managing
Director/CEO to be a bad figure, in view of the role we accord to line management
with regard to risk management and because respondents were able to give several
answers and the Managing Director/CEO is often jointly involved. The answers to the
culture question also show that the risk manager actually contributes to the risk section
in very limited cases only, despite the fact that he or she coordinates risk management.
In only 36 percent of the cases in which a CRO has been appointed (210) is he or she
involved at board level (76 of the 210).
How is the remuneration and appraisal system linked to the effectiveness of risk
management?
Incentives, positive or otherwise, play a central role in people’s actions and the choices
they make. This also applies to risk management. The amount that people focus on and
the importance they attach to risk management is encouraged by the appreciation
and any reward, material or otherwise, that they receive for it. This needs to be
embedded within the position and job descriptions as well as in personal (annual) plans.
In view of the context described, it is disquieting to note that in only 9 percent of the
cases there is actually such a formal and direct relationship between the effectiveness
of risk management and the remuneration and appraisal systems. There is no such
relationship at all in 66 percent of the cases.
In our view, this does not facilitate the permanent embedding of risk management
within the organisation (in the organisation’s DNA) or help make it part of day-to-day
activities. We have no clear explanation for this, apart from the possibility that
respondents do not see the relationship as clearly as we do, something that is
confirmed by a relatively low score of 1.9 and 2.1 for the last two statements on the next
pages. We would however go so far as to say that there are still a lot of potential
improvements in this area that can be relatively easily achieved.
Figure 43: Relationship between remuneration/appraisal and risk management
Relationship | Number | Percentage
There is no direct formal relationship between the effectiveness of risk management and the remuneration and appraisal systems. | 65 | 9.0
There is no direct relationship, but risk management is taken into account informally in the remuneration and appraisal systems. | 181 | 25.1
There is absolutely no relationship between the effectiveness of risk management and the remuneration and appraisal systems. | 475 | 65.9
Total | 721 | 100
Eleven statements about risk management in relation to culture
In order to gain an impression of the risk culture, we presented a series of 11 statements
to the respondents about various subjects relating to risk management [11] that we feel
reveal something about the role and importance of risk management in the
organisations surveyed, as well as the extent to which it is embedded within them.
Respondents were asked to rate the statements on a scale from 1 (completely disagree)
to 5 (completely agree). Because the survey was by nature a self-assessment, it is
justifiable to ask whether there is a social desirability bias in the responses or whether
they are an approximation of the reality seen from the perspective/context of the
respondent. We were unable to rule this out by means of cross-checks.
In view of these limitations, the high score for the inherent importance of risk
management for good business operations stands out. In practice, and especially in
view of the other scores, we have the impression that risk management remains very
much a compliance-driven activity that is either enforced or elicited by means of
incentives. This score surprises us and appears to confirm social desirability bias. The
same can be said for the statement: “it is permissible to make mistakes, as long as you
learn from them”.
But we cannot draw the same conclusion for the answers to one of the previous
questions. The positioning of risk management and the filling of a position in that area
would appear to confirm what we already knew, including the complaints from the
business about the quality of risk management or risk managers. Although we cannot of
course tar everyone with the same brush, this does appear to be a fundamental
problem, especially if we bear in mind that 50 percent of respondents were board
members. They can break through this by raising the status of risk management and the
people who work in it to a higher plane and give quality (including knowledge of
business) a priority in filling positions in this area.
The focus on short-term results also scores relatively low and seems at odds with the
experience of many people both within and outside organisations at least. This may also
be an example of social desirability bias, which we cannot dismiss based on other
evidence or insights.
Moreover, many of the responses appear to opt for the security of the centre ground,
with a score around 3.5 and an acceptable and definitely not outstanding standard
deviation in all cases.
[11] Based on The Institute of International Finance, 2012
Figure 44: Score for statements
Statements | Average score (scale 1-5) | Standard deviation
1. Risk management takes place because it contributes to better business operations and is not seen as a cost item. | 3.9 | 0.92
2. Staff are encouraged when they take risks to do so from a well-considered position. | 3.6 | 0.95
3. A position in risk management is seen as a boost to your career. | 2.5 | 0.96
4. It is permissible to make mistakes, as long as you learn from them. | 4.0 | 0.80
5. The culture in our organisation promotes risk management. | 3.2 | 0.98
6. Breaches of internal rules are taken seriously and are punished. | 3.2 | 1.00
7. The Executive Board/Directors is/are very committed to risk management and actively support(s) it. | 3.5 | 1.01
8. Employees feel at liberty to draw risks to the attention of their line managers. | 3.7 | 0.81
9. In our organisation, the emphasis is primarily on short-term results. | 2.5 | 1.11
10. The remuneration structure promotes risk-taking. | 1.9 | 0.99
11. A clear link is made between achieving goals, risks and remuneration. | 2.1 | 1.08
Figure 45: Score for statements by sector
Statements by sector | 1 | 2 | 3 | 4 | 5 | 6 | 7 | 8 | 9 | 10 | 11
Trade | 3.88 | 3.61 | 2.43 | 3.96 | 3.21 | 3.35 | 3.41 | 3.70 | 2.43 | 1.94 | 2.03
Transport & Logistics | 3.76 | 3.36 | 2.48 | 3.88 | 3.28 | 3.32 | 3.32 | 3.72 | 2.44 | 2.00 | 2.56
Manufacturing | 3.79 | 3.51 | 2.54 | 4.07 | 3.16 | 3.23 | 3.31 | 3.71 | 2.56 | 2.25 | 2.46
Financial services | 4.04 | 3.74 | 3.09 | 3.84 | 3.70 | 3.67 | 3.93 | 3.89 | 2.28 | 1.91 | 2.91
Commercial services | 3.95 | 3.59 | 2.40 | 3.98 | 3.13 | 3.28 | 3.50 | 3.78 | 2.85 | 2.02 | 2.17
Telecommunications, IT and entertainment | 3.41 | 3.59 | 2.29 | 4.11 | 2.94 | 3.12 | 3.35 | 3.59 | 3.00 | 2.59 | 3.06
Energy & Utilities | 4.17 | 3.67 | 2.83 | 3.89 | 3.22 | 3.67 | 3.72 | 3.50 | 2.83 | 1.40 | 2.50
Healthcare | 3.96 | 3.57 | 2.33 | 4.14 | 3.12 | 2.97 | 3.55 | 3.56 | 2.56 | 1.68 | 1.69
Government/Non-profit | 3.99 | 3.42 | 2.21 | 3.35 | 2.85 | 2.88 | 3.35 | 3.55 | 2.35 | 1.49 | 1.62
Figure 46: Score for statements by turnover
Statements by turnover | 1 | 2 | 3 | 4 | 5 | 6 | 7 | 8 | 9 | 10 | 11
0 - 50 million | 3.87 | 3.54 | 2.42 | 4.03 | 3.15 | 3.06 | 3.42 | 3.67 | 2.45 | 1.74 | 2.05
51 - 100 million | 3.90 | 3.45 | 2.36 | 4.02 | 3.03 | 3.16 | 3.37 | 3.69 | 2.50 | 1.95 | 2.06
101 - 500 million | 3.95 | 3.60 | 3.50 | 3.96 | 3.18 | 3.38 | 3.50 | 3.69 | 2.67 | 2.10 | 2.19
501 million - 1 billion | 3.92 | 3.65 | 2.58 | 3.58 | 3.08 | 3.45 | 3.50 | 3.66 | 2.27 | 2.12 | 2.54
> 1 billion | 3.95 | 3.79 | 3.32 | 3.69 | 3.63 | 3.84 | 4.00 | 3.53 | 3.05 | 2.26 | 2.63
Report marks for risk management seen from a different perspective
Despite all of the reservations about the risk culture scores, we are curious to see what
the results of the risk culture section mean for the total score. The score guide was
based on seven quality aspects (see Appendix 2) to which we added the element ‘Risk
culture in the DNA’, but with a different weighting. Unless there is a reasonable ‘Risk
culture in the DNA’ score, risk management cannot be of good quality and is nothing
more than window dressing. However we choose to weight this additional quality
aspect, the total score for the quality of risk management falls significantly. Below, we
have included two variants for the effect that DNA has on the survey score:
1. DNA is weighted the same as the other seven aspects (15 percent contribution);
2. DNA is given a greater weighting, approximately one third of the total (30 percent
contribution).
The results speak for themselves: the difference between the self-evaluation score and
our scores merely increases further. We would like to emphasise once again that this
contributes to the discussion of the role of risk culture in organisations, but that the
depth and scope of our questions are not sufficient in order to draw any well-substantiated conclusions in this area.
Figure 47: Total score with weighting, compared to self-evaluation
Sector | Average report mark (self-evaluation) | Survey score weighting 85% - 15% | Survey score weighting 70% - 30%
Trade | 6.86 | 4.21 | 3.95
Transport & Logistics | 6.76 | 4.58 | 4.38
Manufacturing | 6.90 | 3.94 | 3.72
Financial services | 7.55 | 6.01 | 5.74
Commercial services | 6.82 | 4.29 | 4.03
Telecommunications, IT and entertainment | 6.67 | 3.78 | 3.53
Energy & Utilities | 7.11 | 4.95 | 4.67
Healthcare | 6.75 | 4.36 | 4.06
Government/Non-profit | 6.59 | 4.10 | 3.81
Total | 6.85 | 4.32 | 4.06
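To make the two weighting variants concrete, here is an added worked example (not a calculation from the report itself). It assumes that both survey score variants are linear combinations of the same two sub-scores, the combined seven quality aspects and ‘Risk culture in the DNA’; under that assumption the two published variants in Figure 47 can be inverted to recover the implied pair of sub-scores per sector, which the report does not publish.

```python
"""Weighted survey score with the 'Risk culture in the DNA' aspect (added example).

Assumption (not stated in the report): each survey score variant is a linear
combination of two sub-scores, Q (combined seven quality aspects) and D (DNA),
with the weights given for the two variants. The sub-scores are not published,
so they are recovered here by solving the two published variants for Q and D.
"""
from typing import Dict, Tuple

# (weight of the seven quality aspects, weight of the DNA aspect), as in the report.
WEIGHTINGS: Dict[str, Tuple[float, float]] = {
    "85% - 15%": (0.85, 0.15),
    "70% - 30%": (0.70, 0.30),
}

# Figure 47 of the report: (self-evaluation mark, 85/15 score, 70/30 score).
FIGURE_47: Dict[str, Tuple[float, float, float]] = {
    "Trade": (6.86, 4.21, 3.95),
    "Transport & Logistics": (6.76, 4.58, 4.38),
    "Manufacturing": (6.90, 3.94, 3.72),
    "Financial services": (7.55, 6.01, 5.74),
    "Commercial services": (6.82, 4.29, 4.03),
    "Telecommunications, IT and entertainment": (6.67, 3.78, 3.53),
    "Energy & Utilities": (7.11, 4.95, 4.67),
    "Healthcare": (6.75, 4.36, 4.06),
    "Government/Non-profit": (6.59, 4.10, 3.81),
    "Total": (6.85, 4.32, 4.06),
}


def weighted_score(quality: float, dna: float, weighting: str) -> float:
    """Survey score for one weighting variant, rounded to two decimals as in Figure 47."""
    w_quality, w_dna = WEIGHTINGS[weighting]
    if abs(w_quality + w_dna - 1.0) > 1e-9:
        raise ValueError("weights must sum to 1")
    return round(w_quality * quality + w_dna * dna, 2)


def implied_sub_scores(score_85_15: float, score_70_30: float) -> Tuple[float, float]:
    """Invert the two published variants to (Q, D) by solving the 2x2 system
        a1*Q + a2*D = score_85_15
        b1*Q + b2*D = score_70_30
    with Cramer's rule. Only meaningful under the linearity assumption above."""
    a1, a2 = WEIGHTINGS["85% - 15%"]
    b1, b2 = WEIGHTINGS["70% - 30%"]
    det = a1 * b2 - a2 * b1
    quality = (score_85_15 * b2 - a2 * score_70_30) / det
    dna = (a1 * score_70_30 - b1 * score_85_15) / det
    return round(quality, 2), round(dna, 2)


def implied_for_sector(sector: str) -> Tuple[float, float]:
    """Implied (Q, D) for one Figure 47 row."""
    _, s85, s70 = FIGURE_47[sector]
    return implied_sub_scores(s85, s70)


def gap_to_self_evaluation(sector: str) -> Tuple[float, float]:
    """How far the self-evaluation mark sits above each weighted survey score."""
    mark, s85, s70 = FIGURE_47[sector]
    return round(mark - s85, 2), round(mark - s70, 2)


if __name__ == "__main__":
    for sector in FIGURE_47:
        quality, dna = implied_for_sector(sector)
        print(f"{sector:42s} Q={quality:.2f} D={dna:.2f} "
              f"gap to self-evaluation={gap_to_self_evaluation(sector)}")
```

For the Total row this gives an implied Q of 4.58 against an implied D of 2.85, which is why every increase in the DNA weight pulls the survey score further below the self-evaluation mark.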
6. Two alternative perspectives
6.1 Another look at the dataset, with two different questions
Based on the research data we collected for the survey, we posed two further questions.
Firstly: do organisations that say they use Enterprise Risk Management also perform
better? You will find the answer in section 6.2.
Secondly, we asked: what factors make a positive contribution to a more mature risk
management system? We provide the answer to this in section 6.3 – you can consider
this as a series of very concrete recommendations for your own organisation.
6.2 Enterprise Risk Management, automatically a higher score?
In recent years, increasing numbers of organisations have instigated Enterprise Risk
Management (ERM) in order to manage risks. Unlike the traditional approach to risk
management, in which risks are seen from various organisational divisions or
perspectives, ERM assumes that the entire spectrum of risks is seen in a more integrated
way. This means that in the ERM, strategic, operational, reporting and compliance risks
are all handled simultaneously. The aim of an approach of this kind is to help businesses
to deal with opportunities and risks. The assumption here is that it helps organisations to
manage risks and seize opportunities more effectively. So far, this has not proven to be
an easy task for many organisations as all kinds of things can still go wrong. Another
message one might take from this is that it is not realistic to assume that incidents will no
longer ever occur after the implementation of this kind of system.
Outlining the advantages and disadvantages of implementing ERM is also far from
straightforward. Some studies have shown that it becomes cheaper to provide for
capital requirements and that the allocation and use of capital is improved (COSO
2004). The development and implementation of an ERM system calls for the investment
of a great deal of time, knowledge and resources. The question is whether the
advantages outweigh the costs incurred. Obviously, ERM costs money and if it delivers
no observable results, its introduction can be placed in doubt.
We conducted research to find an answer to this question. Statistical analyses were
used to investigate whether an ERM system has an impact on business performance.
The expectation is that the higher the value of the ERM, the greater the benefits for the
organisations. Below, we provide a summary of the most important results.
Opportunities for growth
We asked respondents the extent to which ERM was beneficial in terms of the
organisation’s opportunities for growth. Businesses with potential for growth face
uncertainties with regard to future cash flows and this would make them more inclined
to introduce ERM (Liebenberg and Hoyt, 2003). Growth should lead to an increase in
the value of the business and of course that calls for a weighing up of the risks and
potential returns. In this process, risks are identified, consequences assessed and
additional measures taken in order to manage risks. ERM can assist in this.
Unfortunately, our research did not show that ERM has a positive influence. It would
appear that fast-growing organisations do not see the benefit of ERM.
Profitability
We also asked respondents to what extent ERM made a positive contribution to
profitability. It is assumed that if respondents rate their ERM system highly, this will imply a
similarly high contribution to profitability.
After all, looking at risks in an integral way makes it possible to limit the volatility of profit
and therefore also the predictability of the results. Unfortunately, we were unable to
identify any positive relationship on this point in our research.
Cost of capital
The respondents then gave an indication of the extent to which ERM proved beneficial
in terms of capital costs. Does it result in lower capital costs?
Capital costs are directly influenced by the risk profile. Investors demand a higher return
if a business takes more risks. When ERM has been fully implemented, the business has
more information of higher quality about its risk profile. This information can be shared
with investors, which results in more transparency about (future) risks. This kind of
information should primarily be of importance for businesses whose activities are
complex, because such businesses are difficult to assess from the outside. The
management of risks also improves the business’s own perception of its risks. This
improved perception could in turn result in the financial market demanding lower risk
premiums on shares and loans and permit a lower level of solvency (more internal
equity capital compared to external equity). Ultimately, this should lead to a reduction
in capital costs. This indeed proved to be the case.
Reputation
Finally, we investigated the extent to which ERM improves reputation. We assume that
the higher respondents rate their ERM, the more it contributes to their reputation. The
sections about risk management in the annual report imply that companies are
increasingly aware of the need to analyse a wide range of risks and to see which
measures have been taken to reduce these risks. The awareness of the risks and the
management of these risks, result in protecting the organisation’s image and
contributing to reputation.
This also proved to be the case.
6.3 Risk management maturity, how do you make progress?
The survey provided a wealth of valuable information on the question of which factors
contribute to a higher rating for the risk management system in an organisation. This
means that you can immediately benefit from this.
Your Chief Risk Officer will provide assistance, involvement of the board is crucial
Because risk management is increasingly becoming a strategic affair, more and more
businesses are appointing a chief risk officer (CRO) to take ultimate responsibility for risk
management. On the one hand, the CRO is responsible for coordinating risk
management and communicating the objectives and results to the Executive Board
and investors.
This enables an organisation to reduce the likelihood of asymmetric information
between representatives of the company and shareholders. On the other hand, the
CRO plays a leading role in promoting risk management among managers. In addition,
the CRO should ensure that the risk management system is in line with the organisational
strategy.
In the public management letter from the NBA (Netherlands Institute of Chartered
Accountants, 2013), there is no explicit reference to a CRO as holder of the risk
management function, but it has been shown in practice that only one third of
respondents have appointed a CRO and a quarter have placed ultimate responsibility
for risks at the top of the organisation. Our research shows that the appointment of a
CRO is indeed to be recommended, since it results in a higher score for the risk
management system. However, what is strange is that the CRO that does not act at
senior management level scores considerably better than one that is a member of the
team of directors. This means that as risk champion, the CRO has been shown to have
added value in the field of risk management. The appointment of such an officer is
therefore very much to be recommended!
Audit committees: more visibility and relevance required (and less technology)
The audit committee (AC) was introduced in order to supervise executive management
and in particular its duty to provide reliable financial reporting. Since 2008, it has been a
legal requirement in the Netherlands for what is termed ‘a public interest organisation’
to appoint an AC. This is the result of the compulsory implementation in the Netherlands
of European Directive 2006/43/EC on statutory audits.
One of the areas of focus of an AC in fulfilling its role as supervisory body is risk
management and internal controls. The AC must regularly discuss the most important
risks and the way in which these risks are managed in consultation with the Executive
Board/Directors and the AC can exert an influence in these consultations. For example,
the AC can encourage management to focus sufficient attention on the risk
management system and on freeing up resources to develop the risk management
system further (Paape and Speklé, 2012).
However, an AC must meet certain requirements: an effective AC must have expertise
in, time for and involvement in day-to-day affairs in order to be able to fully and
effectively assess all the risks. It does seem to be the case that the AC has a positive
influence on risk management. An AC primarily scrutinises risk management from an
instrumental perspective, but our survey suggests that respondents do not perceive it to
have sufficient relevance yet. Respondents indicate that an AC does not contribute to
a higher score for the risk management system. ACs can therefore still make further
headway in this area.
International diversification as a natural mechanism for risk management
The Netherlands has always been an exporting country and in 2003 it was even the
second most important exporting country in the European Union for the sixth
consecutive year (CBS/Statistics Netherlands, 2014). This means that organisations that
have diversified internationally play an important role in the Dutch economy. But
organisations that operate internationally face more complicated risks (Wagner, 2010)
and the concomitant increase in complexity of the organisational structure means that
the behaviour of organisations is less predictable for investors and therefore more
difficult to monitor.
Laeven and Levine (2007) argue that this creates room for opportunism. On the other
hand, according to portfolio theory, international diversity helps to reduce risks. This is
achieved by the imperfect correlation between various areas and markets (Carson et al.,
2008; Song and Cummins, 2008). This means that diversity also leads to a need for a
more advanced organisational structure in order to transfer knowledge, coordinate
activities and effectively allocate resources (Lang and Stulz, 1994). International
diversification is therefore a new variable added to the survey into risk management in
the Netherlands. It is possible to conclude from our survey that international
diversification results in a more mature risk management system.
However, far from all organisations that operate internationally have the same level of
maturity when it comes to their ERM. One third has no plans to introduce a risk
management system and one fifth is still thinking about it. One explanation for this is that
these organisations assess and manage their risks in a different way.
Auditors increasingly focusing on risk management
In their role as auditors, accountants have not emerged from the crisis unscathed, as
was shown all too clearly in the article ‘Financial Crisis and the silence of the auditor’
(Sikka, 2009) targeted at the Big4 accountancy firms. Even the Financial Markets
Authority has expressed its criticism of the auditing quality of the accountancy firms. This
has led, among other things, to new legislation on the compulsory rotation of auditors in
listed companies, new requirements with regard to independence (Regulation on the
independence of auditors in assurance engagements, ViO in Dutch) and revised codes
of conduct and professional rules (VGBA) as well as the more recent reform proposals
presented by the sector and described as ‘in the public interest’.
This is all primarily aimed at the Big4 accountancy firms and our survey shows that it is
they who are primarily taking the lead in this discussion. Companies that are audited by
the Big4 have a higher level of risk management maturity than those that are not. This
finding is in line with Beasley et al. (2005).
Another key development that will contribute to an increased focus on risk
management is the customer-specific auditor’s statement. The Big4 accountancy firms
experimented with this for the first time for the financial year 2013, which may explain
part of the Big4 effect. In this statement, the auditor explains the most important control
risks identified, the tolerances applied, the going concern assumption and potentially
also the scope of the group audit. The aim of this new statement is to provide more
information to the user of the annual accounts with regard to what the auditor has
actually done. After all, the user wishes to know which areas of risk have been identified
by the auditor and what action he or she has taken in response (PwC, 2014).
A fresh perspective does wonders
An offshoot of this new legislation for auditors is that public interest companies are
obliged to change auditors more frequently. Although the jury is still out with regard to
whether this is of benefit for the audit and there is actually evidence to suggest that it
has a negative impact on quality, especially in the first three years after appointment,
this new legislation is a fact. Auditors may be expected to focus on risk management in
the planning phase (customer acceptance and risk analysis). The auditor uses the
client’s own risk analysis for this purpose. The company’s internal risk management
system and the auditor’s discussion with the client about this could challenge
companies to reflect on their risk management system and the new auditor could offer
a fresh perspective on this.
This impression would appear to be confirmed by this partial survey which identifies a
statistically significant relationship between a change of auditing firm in the last three
years and a higher score for risk management maturity. In addition, companies that
have changed auditors appear (although not to an extent that is statistically significant)
to be slightly more negative about their risk management systems, which could on the
one hand mean that a fresh perspective from a new auditor leads to an understanding
that there may still be shortcomings in terms of internal controls and risk management.
On the other hand, a change of auditor may lead to a more realistic assessment of an
organisation’s own risk management, and therefore less difference between the
organisation’s own perception and that of the auditor. However, because the results
are not significant, further research will be required on this. If the influence of a change
of auditor is measured using the score guide, it appears that the fresh perspective of a
newly-appointed auditor is not statistically observable.
Risk management as a response to supervision
The requirements of supervisory authorities are seen by businesses as the minimum
requirements that the business must meet as a form of compliance, as well as a form of
licence to operate. Risk management is just one of the instruments used to achieve that
(for example in the form of incident management). This means that as an instrument, risk
management can serve as a form of legitimacy vis-à-vis supervisory authorities in order
to demonstrate that the aspects of supervision are being sufficiently managed. Based
on the institutional theory introduced by DiMaggio and Powell (1983), isomorphism
(mirroring) can be used to explain why risk management is seen as an accepted
method of compliance within a sector.
Compared to other sectors, financial institutions have specific requirements with regard
to risk management and an obligation to apply the three lines of defence principle. The
DNB’s specific focus on risk management (partly in the form of its research on the theme
of risk management) is also quite logically expressed in the governance codes of
financial institutions. This also supports the theory of normative isomorphism, risk
management as a form of compliance. In other words, supervision as a form of
enforced risk management, but legitimised as best practice for organisations.
Governance codes form a relevant boost, also in the case of self-regulation
Governance codes as a whole make a positive contribution to the maturity of risk
management, compared to sectors where no code applies. It is interesting to note here
that (non-listed) financial institutions have a higher maturity score than unlisted
companies, which can be explained by the more explicit focus on risk management in
the codes of the financial sector.
The most startling result from this survey is that the (semi-)public sector, which involves
working with the help of codes of conduct, has clearly undergone a positive
development in terms of the maturity of its risk management system in the space of five
years. This provides proof that self-regulation in the form of codes can make a positive
contribution to the maturity of risk management. Governance codes as a boost for risk
management in the public sector actually work!
Institutional investors speak out!
As was the case in 2009, companies whose ownership is in the hands of institutional
investors have been reluctant to speak publicly about their risk management and have
not participated in the survey in large numbers. In the case of those companies that did
participate in the survey, the effect of institutional ownership appears to be
insignificant, but there is insufficient information to draw any conclusion of relevance.
Bibliography
Journals
Beasley, M.S., Clune, R., Hermanson, D.R. (2005): Enterprise Risk Management: An
Empirical Analysis of Factors Associated with the Extent of Implementation. Journal of
Accounting and Public Policy, Vol.24, pp 521 - 531.
Busco, C., Frigo, M.L., Giovanni, E., Riccaboni, A., Scapens, R.W. (2005): Beyond compliance,
why integrated governance matters today, Strategic Finance, 87 (2), pp 35 - 43.
Bushman, R., Chen, Q., Engel, E., Smith, A. (2004): Financial accounting information
complexity and corporate governance systems, Journal of Accounting and Economics, 37,
pp 167 - 201.
Deephouse, D.L. (1996): Does isomorphism legitimate?, Academy of Management Journal, 29
(4), pp 1024 - 1039.
DiMaggio, P.J., Powell, W.W. (1983): The iron cage revisited: institutional isomorphism and
collective rationality in organization fields, American Sociological Review, 48 (2), pp 147 - 160.
Frumkin, P., Galaskiewicz, J. (2004): Institutional isomorphism and public sector organizations,
Journal of Public Administration Research and Theory, 14 (3), pp 283 - 307.
Gates, S., Nicolas, J.L., Walker, P.L. (2012): Enterprise Risk Management: A Process for
Enhanced Management and Improved Performance. Management Accounting Quarterly,
13 (3), 28 - 38.
Golshan, N.M., Rasid, S.Z.A. (2012): Determinants of Enterprise Risk Management
Adoption: An Empirical Analysis of Malaysian Public Listed Firms. International Journal of
Social and Human Sciences vol. 6 pp 119 - 126.
Hillson, D.A. (1997): Towards a Risk Maturity Model, International Journal of Project and
Business Risk Management, vol 1, no 1, pp 35 - 45.
Huber, C., Scheytt, T. (2013): The Dispositif of Risk Management: Reconstructing Risk
Management After The Financial Crisis. Management Accounting Research, 24 (2), pp 88 - 99.
Jackson, A.B., Moldrich, M., Roebuck, P. (2008): Mandatory audit firm rotation and audit
quality, Managerial Auditing Journal, 23 (5), pp 420 - 437.
Jensen, M.C., Meckling, W.H. (1976): Theory of the Firm: Managerial Behavior, Agency
Costs and Ownership Structure, Journal of Financial Economics, 3 (4), pp 305 - 360.
Johnson, V.E., Khurana, I.K., Reynolds, J.K. (2002): Audit firm tenure and the quality of financial
reports, Contemporary Accounting Research (winter), pp 637 - 660.
Johnstone, K.M. (2000): Client acceptance decisions: simultaneous effects of client
business risk, audit risk, auditor business risk and risk adaption, Auditing: A Journal of
Practice and Theory, 19 (1), pp 1 - 25.
Kleffner, A.E., Lee, R.B., McGannon, B. (2003): The effect of corporate governance on the
use of enterprise risk management: evidence from Canada, Risk Management and
Insurance Review, 6 (1), pp. 53 - 73.
Liebenberg, A.P., Hoyt, R.E. (2003): The determinants of enterprise risk management:
evidence from the appointment of chief risk officers, Risk Management and Insurance
Review, 6, pp. 37 - 52.
Hoyt, R.E., Liebenberg, A.P. (2011): The value of Enterprise Risk Management, The Journal of
Risk and Insurance, Vol. 78, No. 4, pp 795 - 822.
Majone, G. (1997): From the Positive to the Regulatory State: Causes and Consequences
of Changes in the Mode of Governance, Journal of Public Policy, 17(2), pp 139 - 167.
Mikes, A. (2009): Risk Management and Calculative Cultures, Management Accounting
Research, 20, pp. 18 - 40.
Paape, L., Speklé, R.F. (2012): The Adoption and Design of Enterprise Risk Management
Practices: An Empirical Study, European Accounting Review, 21 (3), pp 533 - 564, DOI:
10.1080/ 09638180.2012.661937.
Pagach, D., Warr, R. (2011): The Characteristics of Firms that Hire Chief Risk Officers.
Journal of Risk and Insurance, 78(1), pp 185 - 211.
Power, M. (2009): The Risk Management of Nothing, Accounting, Organizations and Society,
34, pp 849 - 855.
Sikka, P. (2009): Financial Crisis and the Silence of the Auditors, Accounting, Organizations
and Society, 34, pp 868 - 873.
Sobel, P.F., Reding, K.J. (2004): Aligning Corporate Governance with Enterprise Risk
Management, Management Accounting Quarterly, 5 (2), pp 29 - 37.
Spira, L.F., Page, M. (2003): Risk Management: The Reinvention of Internal Control and
the Changing Role of Internal Audit. Accounting, Auditing and Accountability Journal, 16, pp
640 - 661.
Ward, S., (2003): Approaches to Integrated Risk Management: A Multi-dimensional
Framework, Risk Management: An International Journal, pp 7 - 23.
Wan Daud, W.N., Haron, H., Ibrahim, D.N. (2011): The Role of Quality Board of Directors in
Enterprise Risk Management (ERM) Practices: Evidence from Binary Logistic Regression,
International Journal of Business and Management, 6(12), pp 205 - 211.
Wan Daud, W.N., Yazid, A.S., Hussin, M.R. (2010): The Effect of Chief Risk Officers (CRO) on
Enterprise Risk Management (ERM) Practices: Evidence from Malaysia. The International
Business and Economics Research Journal, 9 (11), pp 55 - 64.
Woods, M. (2009): A Contingency Perspective on the Risk Management Control System
within Birmingham City Council, Management Accounting Research, 20, pp 69 - 81.
Yazid, A.S., Razali, A.R., Hussin, M.R. (2012): Determinants of Enterprise Risk Management
(ERM): A Proposed Framework for Malaysian Public Listed Companies, International
Business Research, 5 (1), pp 80 - 86.
Books/reports/publications/theses
Aktas, E. (2014): Invloed van risicomanagement op de ondernemingsprestaties perceptie op risicomanagement, Master’s thesis, Accountancy and Controlling, University of
Groningen
Belt, M. van de. (2014): Risicomanagement in Nederland - Hoe accountants, externe
toezichthouders, de wetgever en verschillende eigendomsstructuren het
volwassenheidsniveau van risicomanagement beïnvloeden, Master’s thesis, Accountancy
and Controlling, University of Groningen
Berry-Stölzle, T.R., Xu, J. (2013): Enterprise Risk Management and the Cost of Capital
Collier, P. M., Berry, A. J., Burke, G. T. (2007): Risk and Management Accounting: Best
Practice Guidelines for Enterprise-Wide Internal Control Procedures, Oxford:
CIMA/Elsevier, ISBN: 978-0-7506-8040-0.
COSO. (2010): Coso’s 2010 report on ERM: Current State of Enterprise Risk Oversight and
Market Perceptions of COSO’s ERM Framework, The Committee of Sponsoring
Organizations of the Treadway Commission (COSO).
DeLoach, J.W. (2000): Enterprise Wide Risk Management: Strategies for Linking Risk with
Opportunity, London: Financial Times/Prentice Hall.
Desender, K. (2007): On the Determinants of Enterprise Risk Management
Implementation. Information Resources Management Association Annual Meeting
Paper. Electronic copy available at: http://ssrn.com/abstract=1025982.
DNB. (2010): In het spoor van de crisis - achtergronden bij de financiële crisis, De
Nederlandsche Bank N.V., ISBN 9789 080 478 466.
European Commission. (2010): Audit Policy: Lessons from the crisis, Green Paper, Brussels.
EY. (2013): Wie had dit kunnen zien aankomen, White Paper, December 2013.
Gatzert, N., Martin, M. (2013): Determinants and Value of Enterprise Risk Management:
Empirical Evidence from the Literature, Working Paper, Department for Insurance
Economics and Risk Management, Friedrich-Alexander-University (FAU) of Erlangen-Nürnberg.
Koninklijke NIVRA Amsterdam, PricewaterhouseCoopers Amsterdam, Nyenrode
Breukelen, University of Groningen (2009): Risicomanagement in tijden van crisis (en
voor en na).
Mertens, F. (2009): De regulerende staat - ontwikkeling in toezicht door inspecties,
Nederlandse School voor Openbaar Bestuur, ISBN: 978-90-75297-08-9.
Monda, B., Giorgino, M. (2013): An Enterprise Risk Management Maturity model, paper
submitted for the Enterprise Risk Management Symposium, April 22 - 24, 2013, Chicago
Illinois.
NBA, Netherlands Institute of Chartered Accountants (2013): Risico’s managen is
mensenwerk: Risicomanagement en -verslaggeving bij grote ondernemingen.
OECD. (2010): Corporate Governance and the Financial Crisis: conclusions and
emerging good practices to enhance implementation of the principles.
Pagach, D., Warr, R. (2007): An Empirical Investigation of the Characteristics of Firms
Adopting Enterprise Risk Management. North Carolina State University working paper.
Pagach, D., Warr, R. (2010): The Effects of Enterprise Risk Management on Firm
Performance, Working Paper, North Carolina State University, Raleigh
Pooser, D.M. (2012): An Empirical Examination of the Interrelations of Risks and the Firm’s
Relation with Enterprise Risk Management. (3539604 Ph.D.), The Florida State University,
Ann Arbor. Retrieved from http://search.proquest.com/docview/1095535349 ProQuest
Dissertations and Theses Full Text database.
Posthumus, G.J. (2014): Risicomanagement in Nederland - Een onderzoek naar het
effect van de Chief Risk Officer, Audit Commissie en Internationale diversificatie op het
volwassenheidsniveau van risicomanagement anno 2014, Master’s thesis, Accountancy
and Controlling, University of Groningen
PwC. (2014): Klare taal! Benchmark controleverklaringen ‘nieuwe stijl’ onder
Nederlandse beursfondsen.
Weick, K.E., Sutcliffe, K.M. (2007): Managing the Unexpected, 2nd ed. John Wiley and
Sons, San Francisco
Appendix 1: Methodology
Survey
In order to assess the current status of risk management, a survey was used. This type of
research is frequently used in academic literature in order to gauge the status of risk
management (e.g. Kleffner et al. 2003; Beasley et al., 2005; Gates et al., 2012). A
conceptual model was developed for the previous survey (see graphic in Appendix 4)
and this served as our framework. It has also been used to determine much of the
content of the questionnaire. As part of our overall research, statistical analyses have
been used as a basis for evaluating the conceptual model in the light of the survey
results. In addition, we re-evaluated the score guide that was also used in the previous
survey, and applied it in order to have an independent and uniform standard with
which to measure the maturity of the risk management system.
The questionnaire
The first step in setting up the new survey involved deciding to use the same
questionnaire as for the survey conducted in 2009. A range of group meetings were
held to evaluate that questionnaire in the light of the survey results. This involved
investigating which questions had proven to be less than effective in practice, either in
terms of interpretation or the analysis of the results. Questions were also added on the
subject of risk culture. The following elements of interest were added to the questions in
the general section: ‘external supervision’ and ‘change of accountancy firm’. Both of
these were translated into yes/no questions with clear interpretations. In question 6, the
categories concerning the number of countries were added in order to enable
enhanced grading of the complexity involved in operating internationally. Question 12
about the chief risk officer was amended in order to draw a distinction between the
position itself and the involvement of management in this kind of position. On the
subject of internal supervision, an extra question was added to the new questionnaire
(question 10) asking about the presence of a supervisory board. With the help of this
question, it is easier to interpret the operation of the internal supervisory body than by
asking questions about the presence of an audit committee only. In addition, the
sectors in which respondents operate were categorised according to the CBS
categories. However, in order to enable comparison with 2009, a renumbering table
was also compiled. Question 35 was also reformulated, partly as a result of criticism with
regard to comparability raised in the study by Paape and Speklé (2012). This is
explained in more detail in the research results.
The pilot phase
In order for any survey to be effective, the questioning needs to be unequivocal and
not lead to issues of interpretation, which could result in prejudice or differing
interpretations during completion. It is also important that completion of the
questionnaire is not too time-consuming, as this can also lead to a reduced response.
After the definitive questionnaire was compiled, the research group’s network was
deployed to send the questionnaire to professionals practising in several well-known
leading companies (approximately 5 - 10). Any comments that arose were evaluated
and the question formulation or sequence modified in response. The modified
questionnaire as a whole was then individually re-evaluated by the research group. This
resulted in the definitive questionnaire and accompanying documentation.
Research population
As was the case in 2009, the survey was conducted among all organisations in the
Netherlands with turnover/budget (government/ non-profit) in excess of € 10 million. This
limit was chosen based on the expectation that organisations with turnover less than € 10
million are unlikely to have a formalised risk management system. The survey is aimed at
all organisations in the Netherlands, rather than any specific sector or groups. The
dataset was based on an export from the database Company.info (which is linked to the
records of the Dutch Chamber of Commerce, among other things), sorted by turnover.
This database includes all organisations registered in the Netherlands. After an analysis of
the addresses file, including some additional analyses, this ultimately resulted in a
database of addresses that included 9,582 organisations.
Sending out the questionnaire
Special thought was given to timing when sending out the questionnaire. We took into
account any holidays and peak periods for reporting/auditing of annual reports for
listed organisations, for example, which could result in undesirable levels of
non-response. There were also discussions within the research group about how the
questionnaire should be distributed (using online survey tools or a paper-based survey).
In the end, it was decided to send out a paper-based survey. This option was chosen in
the light of expectations that an e-mail invitation would be more likely to lead to no
response, since the invitation would then be sent to a general e-mail address at the
organisation, running the risk of it being interpreted as spam. Although the paper-based
version was addressed rather generally (To the Executive Board/Directors of…), which
basically involves a similar risk, the proportion of respondents at director-level appears
high (52 percent of all responses). In order to increase the response, various forms of
social media were used to draw attention to the survey. As in 2009, respondents were
offered the opportunity to complete the survey anonymously (in order to increase the
response). In addition to this, the opportunity was also offered of receiving a copy of
the research report, benchmarking the organisation’s own results (based on the score
guide) relative to the population as a whole as a means of evoking interest among
respondents.
Response and non-response
Of the total of 9,582 surveys sent out, approximately 20 were returned because of
bankruptcies or incorrect addressing. This resulted in a total of 727 usable surveys, a
response of 7.6 percent. This makes it slightly lower than the survey in 2009, when there
was a 9.9% response and the database resulted in 929 usable surveys. However, this
includes a representative distribution of profit and non-profit organisations and public
versus private companies. In addition, organisations of different sizes are also
represented.
Score guide
For the score guide, we formulated a number of principles that we believe an effective
risk management system should fulfil. As in 2009, these were derived from a number of
widely-accepted standards for risk management, such as COSO ERM, AS/NZS 4360 2004
and ISO 31000. Insights acquired from practical experience, research and interviews
also played a role in this.
As a result of this, the score guide contains various subjective elements that are open to
discussion. We welcome any such discussion since we believe it can only benefit the
development of risk management as a whole.
We took the following seven principles of effective risk management as our basis:
• the regularity/frequency with which risk management is applied;
• the integrated nature of it (scope, types of risks);
• enterprise-wide application (the level of the organisation on which it is implemented);
• the degree of pro-activity;
• the explicitness;
• the degree of structure (methodological nature);
• the regular internal or external reporting about risks and risk management.
On the basis of these, 16 questions were developed to cover the seven principles.
Several points were then allocated for each principle and each question within it. For
further details of the allocation of points, we refer you to the appended score guide
(Appendix 2), which indicates the associated questions for each principle and the
maximum number of points that can be achieved. The questionnaire and point
allocation were also slightly improved compared to 2009. These modifications have a
negligible impact on the scores.
Statistical analyses of the conceptual model and added value of risk management
In addition to presenting the raw research results, additional statistical analyses were
conducted in order to draw conclusions about the validity of the conceptual model in
the context of this survey. Similar statistical analyses were also conducted in order to be
able to make a statement about the added value of risk management as perceived by
the respondents. The conclusions from these analyses are presented in Chapter 6. In the
statistical analyses, conducted in SPSS, all necessary assumptions required to legitimise
multiple linear regression and ordinal regression were assessed and found to be
adequate (including multi-collinearity, normally distributed residuals, and a test on
uniformly-distributed probabilities). Correlation matrices and descriptive statistics were also used.
Risk management maturity
In line with the academic studies conducted by Beasley et al. (2005) and Paape and
Speklé (2012), it was decided to define maturity based on the five levels first introduced
by Beasley et al., which were assessed in question 35. These results were also partly set
against the results that would have emerged using our own score guide. However, with
the exception of the role of the audit committee, this did not lead to significantly
different results. Although both methods have their shortcomings, the consistency in the
results for both confirms that they are scientifically tenable.
Differences in definition compared to research results in Chapter 4
It is important to point out that there may be differences in terms of definition between
the data presented in the research results and the data applied in the statistical
analyses. For example, 43 respondents were excluded from the statistical analysis
because they did not answer one or several relevant questions and only fully completed
questionnaires were used. In addition, in defining the (semi-)public sector, it
was decided to include housing associations categorised in the trade sector by the CBS
as part of the public sector, while charitable organisations, considered to be non-profit
organisations equivalent to government in the results, were not regarded as (semi-)government
in the statistical analyses. This has some impact on the results of the
analysis. As a result of this, the conclusion that the (semi-)public sector has made
important advances is less explicitly visible in the raw research results.
Finally, we would like to point out that we primarily conducted the statistical analyses on
internal and external bodies, governance regulations and supervision and took less
account of factors that can be more or less taken as given and are less subject to
influence by management reactions or that result in interaction with management. As a
result, factors such as the ratio of internal to external equity (leverage), organisational
size and result volatility were disregarded.
Appendix 2: Score guide for survey of Risk
Management in the Netherlands 2014
Introduction
The quality of risk management is measured based on 7 quality factors, identical to the
survey conducted in 2009. These are measurable factors. The maximum possible
number of points is 100, subdivided as follows:
1. Regularity/frequency of RM: 14 points
2. Integrated: 14 points
3. Enterprise-wide (and -deep): 14 points
4. Pro-active: 14 points
5. Explicit: 15 points
6. Structured/methodical: 15 points
7. Reports (internal and external): 14 points
Total: 100 points
These points have been allocated to a large number of questions in the questionnaire.
Further explanation for each quality factor is provided below.
1. Regularity/frequency of RM, 14 points maximum
Question 17 (8 points maximum)
How often is an enterprise-wide (for all organisational divisions) risk assessment and risk
analysis conducted in your organisation? (Choose one answer only)
• Never: 0 points
• Annually: 2 points
• Quarterly: 4 points
• Monthly: 8 points
• Weekly/very frequently: 8 points
Question 24 (6 points maximum)
How frequent are internal reports to the Executive Board/Directors about risks and their
management in your organisation? (several answers possible)
• Not applicable: 0 points
• Weekly: 6 points
• Monthly: 6 points
• Quarterly: 4 points
• Annually: 2 points
• Occasionally/ad hoc: 1 point
• Other, please specify: 1 point
2. Integrated, 14 points maximum
Question 19 (14 points maximum)
What risks are assessed? (several answers possible)
• Not applicable: 0 points
• Strategic risks: 2 points
• Financial risks: 2 points
• Operational risks: 2 points
• (Financial) reporting risks: 2 points
• Legitimacy risks: 2 points
• Compliance risks: 2 points
• Reputational damage risks: 2 points
3. Enterprise-wide (and -deep), 14 points maximum
Question 21 (10 points maximum)
At what level of management are the risks in question 19 assessed?
(several answers possible)
• Not applicable: 0 points
• Executive Board/Directors: 3 points
• Executive Board/Directors and first management level: 6 points
• Executive Board/Directors and second management level: 8 points
• Executive Board/Directors and first, second and third management level: 10 points
• Executive Board/Directors and more than three management levels: 10 points
Question 28 (4 points maximum)
For which organisational levels is an in control statement requested?
(several answers possible)
• Not applicable: 0 points
• In control statement from the Executive Board/Directors: 1 point
• In control statement from the first layer of management
  (for example, divisional management): 1 point
• In control statement from the second layer of management
  (for example, business unit management): 1 point
• In control statement from the third layer of management
  (for example, departmental management): 1 point
• In control statement from more than three layers of management
  below the Executive Board/Directors: 1 point
4. Pro-active, 14 points maximum
Question 18 (7 points maximum)
When is the risk assessment and analysis conducted?
(several answers possible)
• Never/not applicable: 0 points
• As part of the (annual) P&C cycle: 3 points
• At the time of acquisitions/(dis)investments: 2 points
• During important projects/developments: 2 points
• At the time of strategic decisions: 2 points
• After important incidents: 2 points
• Other, please specify: 2 points
Question 26 (7 points maximum, 1 point per answer)
When do you discuss your risks? (several answers possible)
• As part of the Annual Shareholders Meeting
• As part of consultations with external parties, such as external supervisory
  bodies and other stakeholders
• As part of Executive Board/Directors/Management Team meetings
• As part of business reviews/business plan progress meetings
• As part of discussions of internal and external audit reports
• As part of risk committee meetings
• As part of audit committee/supervisory board meetings
• As part of budget discussions
• Ad hoc/in the event of incidents/at major meetings
• As part of project progress discussions
• Other, please specify:
5. Explicit, 15 points maximum
Question 27 (5 points maximum)
Does your organisation make (internal) use of a statement from the management
responsible that their organisational division is in control, for example by means of an
internal Letter of Representation (LOR) or another comparable document? (several
answers possible)
• No, no ‘in control’ statement: 0 points
• Yes, in the area of:
  • Strategic risks: 1 point
  • Financial risks: 1 point
  • Operational risks: 1 point
  • (Financial) reporting risks: 1 point
  • Legitimacy risks: 1 point
  • Compliance risks: 1 point
Question 29 (10 points maximum)
Has the risk appetite been determined or recorded within your organisation? This refers
to the amount of risk the organisation is willing to accept in implementing its strategy
and activities. (several answers possible)
Has the risk appetite within your organisation been determined? If yes:
• Has the risk appetite been determined qualitatively? 3 points
• Has the risk appetite been determined quantitatively? 4 points
• Has the risk appetite been specifically determined for one or more risk groups? 1 point
• Has the risk appetite within your organisation been recorded? 2 points
• Has the risk appetite within your organisation been communicated? 3 points
6. Structured/methodical, 15 points maximum
Question 23 (4 points maximum, 1 point per answer)
Please indicate which of the techniques below is used for risk assessment and risk
analysis. (several answers possible)
• Document study
• Interviews
• Workshops
• Questionnaires/checklists
• Incident recording
• Scenario analyses
• Sensitivity analyses
• Simulations
• Stress testing
• Value at Risk
• Economic capital
• Back testing
• Serious gaming/war gaming
• Fault tree analysis
• Fishbone method
• Hazard and operability study (HAZOP)
• Failure Method and Effects Analysis (FMEA)
• Other, please specify
Question 30 (3 points maximum if a single department coordinates; 2 points in the case
of two departments, 1 point for three departments and no points for even more
departments)
Who coordinates the risk management activities in your organisation?
(several answers possible)
• A dedicated risk management function/department
• A dedicated committee (risk management committee, etc.)
• Line management
• The financial function
• The insurance department
• Internal audit/internal auditing service
• The compliance department
• The quality department
• Not organised
• Other, please specify:
Question 31 (2 points maximum if the answer is Yes)
In your organisation, do you apply the ‘Three Lines of Defence’ principle?
Question 32 (3 points maximum)
In setting up risk management and internal controls in your organisation, have you
been influenced by any of the standards listed below? (several answers possible)
• COSO/COSO ERM: 3 points
• ISO 31000: 3 points
• Management of Risk (M_o_R): 3 points
• Basel/Solvency: 1 point
• Australian/New Zealand Framework: 2 points
• INK/EFQM model: 2 points
• OCEG: 1 point
• 6Sigma: 1 point
• AIRMIC: 2 points
• Other, please specify: 1 point
Question 33 (3 points maximum, 1 point per answer)
Which software does your organisation use to support risk management?
(several answers possible)
• Brainstorm software
• Voting software
• SoD (Segregation of Duties) software
• Data-analysing software
• Process management software
• Internal audit management software
• Monitoring software
• Performance management software
• Other, please specify
7. Reports (internal and external), 14 points maximum
Question 25 (7 points maximum, 1 point per answer)
What do the internal risk reports report about?
(several answers possible)
• Not applicable/there are no internal risk reports
• The most important risks
• Status of the main management/control measures
• Critical risk indicators (CRIs)
• Development of/changes to risks
• Incidents that have occurred
• Important internal changes and their consequences for your organisation
• Important external changes and their consequences for your organisation
• Status of improvement measures
• Other, please specify:
Question 34 (7 points maximum, 1 point per answer)
What does your organisation report externally about risk management, for example in
your annual report?
(several answers possible)
• The way in which risk management was set up
• Wide-ranging ‘in control’ statement
  (effectiveness of risk management/internal controls in full; report relates to all risks)
• Limited ‘in control’ statement
  (effectiveness of risk management/internal controls concerning financial reporting
  risks; report relates solely to financial reporting risks)
• Risk appetite in a qualitative sense
• Risk appetite in a quantitative sense
• The most important strategic risks
• The most important financial risks
• The most important (financial) reporting risks
• The most important operational risks
• The most important compliance risks
• The most important areas for improvement/measures taken
• The most important incidents that have occurred
• The material consequences of incidents
• The most important changes in our risk profile and internal control system
Appendix 3: Questionnaire for survey of Risk Management in the Netherlands 2014
General questions
1. My position is:
2. In which sector is your organisation primarily active?
(Choose one answer only from the CBS categories below)
o Agriculture, forestry and fisheries
o Mineral extraction
o Industry
o Production, distribution and trade in electricity, natural gas, steam and cooled air
o Water sourcing and distribution; waste and wastewater management and sanitation
o Construction industry
o Wholesale and retail trade; car repair
o Transport and storage
o Accommodation, food and drink
o Information and communication
o Financial institutions
o Real estate: letting and sales
o Consultancy, research and other specialist commercial services
o Renting of movable property and other commercial services
o Security and detection
o Public administration, government services and compulsory social insurance
o Education
o Healthcare and welfare services
o Culture, sports and recreation
o Other services
o Households as employer; non-differentiated production of goods and services
  by households for their own use
o Extraterritorial organisations and bodies
3. What is the annual turnover of your company/organisation as of the end of the last
accounting year?
(If turnover is not used in your company, please give the annual budget)
€
4. What is the total number of employees (expressed as FTEs) in your organisation as of
the end of the last accounting year?
FTE
5. As of the end of the last accounting year, please indicate for your organisation the ratio
that applies to the relationship between internal and external equity (internal/external).
o 10% or less internal/external
o 11 to 20% internal/external
o 21 to 30% internal/external
o 31 to 40% internal/external
o more than 40% internal/external
6. In how many countries is your organisation active?
o 1 country
o 2 countries
o 3 countries
o More than 3 countries
7. Is your organisation a listed company?
Y-N
8. Your shares are primarily owned by:
(Choose one answer only)
o Not applicable
o Anonymous shareholders
o Several institutional investors
o One or several families
o Accounting consultancy (share certificates)
o Banks
o (Director and) majority shareholder
o Other, please specify:
9. Are your organisation’s activities subject to supervision by an external supervisory
body, such as AFM, DNB, ACM (OPTA)?
Y-N
10. Does your organisation have a supervisory board?
Y-N
11. Has this supervisory board established an audit committee and/or risk
committee (in the case of financial institutions)?
Y-N
12. Has your organisation appointed a separate chief risk officer (or comparable
officer or function such as a risk committee) at the level of the Executive
Board/Directors that has ultimate responsibility for risk management? (Choose
one answer only)
o Yes, there is a CRO at Executive Board/Directors level
o Yes, there is a CRO, but not at Executive Board/Directors level
o No, there is no CRO, but a comparable position at Executive Board/Directors level
o No, there is no CRO, and no comparable position at Executive Board/Directors level
13. Which accountancy firm audits your annual reports?
14. In the last three years, have you appointed a new external accountancy firm?
Y-N
15. Please give a report mark for the risk management system in your organisation:
(scale 1 - 10, where 1 is the lowest and 10 is the highest score)
1 - 2 - 3 - 4 - 5 - 6 - 7 - 8 - 9 - 10
16. To what extent does your organisation benefit from the risk management system?
(scale 1 - 5, where 1 indicates ‘no benefit’ and 5 ‘a great deal of benefit’)
Less uncertainty/variation in results
a. Fewer surprises: 1-2-3-4-5
b. More confidence in achieving the budget/objectives: 1-2-3-4-5
c. Fewer departures from the budget/planning: 1-2-3-4-5
d. Lower cost of capital: 1-2-3-4-5
e. More reliable estimation of provisions: 1-2-3-4-5
Less damage
f. Fewer complaints from customers/staff: 1-2-3-4-5
g. Fewer and less serious corporate incidents: 1-2-3-4-5
h. Fewer claims and lawsuits: 1-2-3-4-5
i. Fewer instructions/fewer fines from the supervisory authorities: 1-2-3-4-5
j. Less negative media attention: 1-2-3-4-5
Better results
k. Increased customer satisfaction: 1-2-3-4-5
l. Increased employee satisfaction: 1-2-3-4-5
m. Increased margin: 1-2-3-4-5
n. Increased turnover/profitability: 1-2-3-4-5
o. Improved reputation: 1-2-3-4-5
p. Increased growth/market share: 1-2-3-4-5
Questions concerning risk assessment and analysis
17. How often is an enterprise-wide (for all organisational divisions) risk assessment
and risk analysis conducted in your organisation?
(Choose one answer only)
o Never
o Annually
o Quarterly
o Monthly
o Weekly/very frequently
18. When is the risk assessment and analysis conducted?
(several answers possible)
o Never/not applicable
o As part of the (annual) planning & control cycle
o At the time of acquisitions/investments/disinvestments
o During important projects/developments
o At the time of important decisions
o After important incidents
o Other, please specify:
19. What risks are assessed?
(several answers possible)
o Not applicable
o Strategic risks
o Financial risks
o Operational risks
o (Financial) reporting risks
o Legitimacy risks
o Compliance risks
o Reputational damage risks
20. How many layers of management are there in your organisation?
(Choose one answer only)
o Executive Board/Directors only
o Executive Board/Directors and one management level below that
o Executive Board/Directors and two management levels below that
o Executive Board/Directors and three management levels below that
o Executive Board/Directors and more than three management levels below that
21. At what level of management are the risks in question 19 assessed?
(several answers possible)
o Not applicable
o Executive Board/Directors
o Executive Board/Directors and first management level
o Executive Board/Directors and first and second management level
o Executive Board/Directors and first, second and third management level
o Executive Board/Directors and more than three management levels
22. Which techniques are used for risk assessment and analysis in your organisation?
(several answers possible)
o Quantitative techniques
o Qualitative techniques
23. Please indicate which of the techniques below is used for risk assessment
and risk analysis.
(several answers possible; answer Yes / No / Don’t know for each technique)
a. Document study
b. Interviews
c. Workshops
d. Questionnaires/checklists
e. Incident recording
f. Scenario analyses
g. Sensitivity analyses
h. Simulations
i. Stress testing
j. Value at Risk
k. Economic capital
l. Back testing
m. Serious gaming/war gaming
n. Fault tree analysis
o. Fishbone method
p. Hazard and operability study (HAZOP)
q. Failure Method and Effects Analysis (FMEA)
r. Other, please specify
Questions concerning risk management reporting and monitoring
24. How frequent are internal reports to the Executive Board/Directors about risks
and their management in your organisation?
(several answers possible)
o Not applicable
o Weekly
o Monthly
o Quarterly
o Annually
o Occasionally/ad hoc
o Other, please specify:
25. What do the internal reports report about?
(several answers possible)
o Not applicable/there are no internal risk reports
o The most important risks
o Status of the main management/control measures
o Critical risk indicators (CRIs)
o Development of/changes to risks
o Incidents that have occurred
o Important internal changes and their consequences for your organisation
o Important external changes and their consequences for your organisation
o Status of improvement measures
o Other, please specify:
26. When do you discuss your risks?
(several answers possible)
o As part of the Annual Shareholders Meeting
o As part of consultations with external parties, such as external supervisory
  bodies and other stakeholders
o As part of Executive Board/Directors/Management Team meetings
o As part of business reviews/business plan progress meetings
o As part of discussions of internal and external audit reports
o As part of risk committee meetings
o As part of audit committee/supervisory board meetings
o As part of budget discussions
o Ad hoc/in the event of incidents/at major meetings
o As part of project progress discussions
o Other, please specify:
27. Does your organisation make (internal) use of a statement from the management
responsible that their organisational division is in control, for example by means of
an internal Letter of Representation (LOR) or another comparable document?
(several answers possible)
o No, no ‘in control’ statement
o Yes, in the area of:
  o strategic risks
  o financial risks
  o operational risks
  o (financial) reporting risks
  o legitimacy risks
  o compliance risks
28. For which organisational levels is an in control statement requested?
(several answers possible)
o Not applicable
o In control statement from the Executive Board/Directors
o In control statement from the first layer of management
(e.g. divisional management)
o In control statement from the second layer of management
(e.g. business unit management)
o In control statement from the third layer of management
(e.g. departmental management)
o In control statement from more than three layers of management
below the Executive Board/Directors
Questions concerning risk management and organisation
29. Has the risk appetite been determined or recorded within your organisation? This
refers to the amount of risk the organisation is willing to accept in implementing its
strategy and activities.
(several answers possible; answer Yes / No / Don’t know for each item)
a. Has the risk appetite within your organisation been determined?
If yes:
b. Has the risk appetite been determined qualitatively?
c. Has the risk appetite been determined quantitatively?
d. Has the risk appetite been specifically determined for one or more risk groups?
e. Has the risk appetite within your organisation been recorded?
f. Has the risk appetite within your organisation been communicated?
30. Who coordinates the risk management activities in your organisation?
(several answers possible)
o A dedicated risk management function/department
o A dedicated committee (risk management committee, etc.)
o Line management
o The financial function
o The insurance department
o Internal audit/internal auditing service
o The compliance department
o The quality department
o Not organised
o Other, please specify:
31. In your organisation, do you apply the ‘Three Lines of Defence’ principle?
Y-N
32. In setting up risk management and internal controls in your organisation, have you
been influenced by any of the standards listed below?
(several answers possible)
o Not applicable/we have not been influenced by a standard
For each standard, answer Yes / No / Don’t know:
a. COSO/COSO ERM
b. ISO 31000
c. Management of Risk (M_o_R)
d. Basel/Solvency
e. Australian/New Zealand Framework
f. INK/EFQM model
g. OCEG
h. 6Sigma
i. AIRMIC
j. Other, please specify
33. Which software does your organisation use to support risk management?
(several answers possible)
o Not applicable/we do not use software for risk management
For each product, answer Yes / No / Don’t know:
Broad so-called GRC platforms (risk data management software)
a. Metricstream
b. Nasdaq OMX Bwise
c. EMC (RSA Archer)
d. Thomson Reuters (Accelus)
e. SAP (GRC)
f. IBM (OpenPages)
g. Enablon
h. Software AG (Aris)
i. Wynyard (Methodware)
j. Self-developed software
k. Other, please specify
Other support software (single functionality)
(possibly in addition to the software mentioned above)
l. Brainstorm software
m. Voting software
n. SoD (Segregation of Duties) software
o. Data-analysing software
p. Process management software
q. Internal audit management software
r. Monitoring software
s. Performance management software
t. Other, please specify
34. What does your organisation report externally about risk management, for
example in your annual report?
(several answers possible)
o The way in which risk management was set up
o Wide-ranging ‘in control’ statement
  (effectiveness of risk management/internal controls in full; report relates to all risks)
o Limited ‘in control’ statement
  (effectiveness of risk management/internal controls concerning financial reporting
  risks; report relates solely to financial reporting risks)
o Risk appetite in a qualitative sense
o Risk appetite in a quantitative sense
o The most important strategic risks
o The most important financial risks
o The most important (financial) reporting risks
o The most important operational risks
o The most important compliance risks
o The most important areas for improvement/measures taken
o The most important incidents that have occurred
o The material consequences of incidents
o The most important changes in our risk profile and internal control system
o Nothing
35. Please indicate the stage of risk management maturity in which you would
categorise your organisation.
(Choose one answer only)
o Stage 1: There are currently no plans for the introduction of a risk management system.
o Stage 2: We are investigating the possibility of introducing a risk management system,
but have not yet made a definitive decision.
o Stage 3: We are currently planning the implementation of a risk management system.
o Stage 4: Currently, a risk management system is partly in place and implemented.
o Stage 5: A comprehensive risk management system for Enterprise Risk Management is in
place and implemented.
Questions concerning risk culture
36. Who writes the risk section in your annual report?
(several answers possible)
o Not applicable
o Managing Director/CEO
o The financial function (CFO, head of financial administration, treasury department)
o The risk manager/IC officer/GRC officer
o Secretary to the board/secretarial function
o The legal department
o Other, please specify:
37. To what extent does the remuneration and appraisal system used by your board
and line management take account of the effectiveness of risk management?
(Choose one answer only)
o There is a direct relationship between the effectiveness of risk management and
the remuneration and appraisal systems.
o There is no direct relationship, but risk management is taken into account
informally in the remuneration and appraisal systems.
o There is absolutely no relationship between the effectiveness of risk management
and the remuneration and appraisal systems.
38. To what extent do you agree with the following statements about risk management?
(scale 1 - 5, where 1 indicates ‘disagree’ and 5 ‘agree’)
Statements about risk management
a. Risk management takes place because it contributes to
   better business operations and is not seen as a cost item. 1-2-3-4-5
b. Staff are encouraged when they take risks
   to do so from a well-considered position. 1-2-3-4-5
c. A position in risk management is seen as a boost to
   your career. 1-2-3-4-5
d. It is permissible to make mistakes, as long as you learn
   from them (learning organisation). 1-2-3-4-5
e. The culture in our organisation promotes risk management. 1-2-3-4-5
f. Breaches of internal rules are taken seriously and
   punished. 1-2-3-4-5
g. The Executive Board/Directors is/are very committed to risk
   management and actively support(s) it. 1-2-3-4-5
h. Employees feel at liberty to draw risks to the attention of their
   line managers. 1-2-3-4-5
i. In our organisation, the emphasis is primarily on short-term results. 1-2-3-4-5
j. The remuneration structure promotes risk-taking. 1-2-3-4-5
k. A clear link is made between achieving goals,
   risks and remuneration. 1-2-3-4-5
39. Do you have any further comments in the light of this survey?
Organisation:
Your name:
Your position:
Address:
Postcode + town/city:
Your e-mail address:
Appendix 4: Conceptual model
[Figure: conceptual model. Six explanatory factors, each marked (+), point to risk
management maturity: Chief Risk Officer, Internationalisation, Stock market listing,
(Semi-)public, Big4 auditor, Financial institutions.]