
Cost of risk management failures is underestimated, both externally & internally

This report analysed the corporate governance framework and practices relating to corporate risk management in 27 jurisdictions, in the private sector and in state-owned enterprises (SOEs). It was based upon a general survey of participating jurisdictions, complemented by three country studies illustrative of different aspects of risk management and corporate governance (Norway, Singapore and Switzerland).


The review found that:

  • while risk-taking is a fundamental driving force in business and entrepreneurship, the cost of risk management failures is still often underestimated, both externally and internally, including the cost in terms of management time needed to rectify the situation. Corporate governance should therefore ensure that risks are understood, managed, and, when appropriate, communicated.
  • following the financial crisis, many companies have started to pay more attention to risk management. This is, however, seldom reflected in changes to formal procedures, except in the financial sector and in companies that have suffered serious risk management failure in the recent past. It appears that most companies consider that risk management should remain the responsibility of line managers. 
  • responding to public and/or shareholder pressures, some company boards, especially in widely-held companies, have started to review their incentive structures, including through the reduction of potential incentives for excessive risk-taking, notably stock options for top executives. Listed company boards need to be provided with incentive structures that appropriately reward business success, as well as awareness and management of risk.
  • existing risk governance standards for listed companies still focus largely on internal control and audit functions, and primarily financial risk, rather than on (ex ante) identification and comprehensive management of risk. 


The main recommendations were that:

  • corporate governance standards should place sufficient emphasis on ex ante identification of risks. Attention should be paid to both financial and non-financial risks, and risk management should encompass both strategic and operational risks.
  • there is scope to make risk governance standards more operational without reducing the flexibility to apply them to different companies and situations. Experiences from the financial sector can be valuable, even if not necessarily transferable to the non-financial sector. Outsourcing- and supplier-related risks, for example, deserve attention in both the financial and the non-financial sector.
  • boards need to put more emphasis on “catastrophic” risks, even if these do not appear very likely to materialise. More guidance may be provided on managing the risks that deserve particular attention, such as risks that will potentially have large negative impacts on investors, stakeholders, taxpayers, or the environment.
  • boards should be aware of the shortcomings of risk management models that rely on questionable probability assumptions.
  • SOEs should follow similar risk governance practices as listed enterprises, but this is often not formalised in implementable regulation. Deviations from listed company standards should be duly motivated, and not just be the result of lack of applicability of corporate governance codes. 

CTMfile take: This important (and boring) report shows that corporate treasurers can expect many more risk management control initiatives from OECD and governments. Hopefully, most of them will be along the lines of standardising risk management between countries, e.g. the admirable OECD multi-lateral instrument to enforce transfer pricing rules initiative.
