Only 7% of Australian boards are identifying and evaluating their risk management and business objectives in ‘real time’ limiting the opportunity for risk management to play a role in every day decision making, according to EY’s inaugural governance, risk and compliance (GRC) survey There’s no reward without risk.

However, 35% of Australian executives at corporate and project level are starting to make greater use of real-time analytics which is supporting more informed and efficient risk management and risk taking. Australia stacks up well in comparison to organisations around the globe with only a quarter of organisations reporting that their executive group is making better use of real-time risk and issue reporting.

The survey of governance, risk and compliance management is based on the responses from 1,196 C-suite leaders, board audit committees, and assurance and compliance executives including 82 from Australia.

Oceania Risk Transformation Leader Catherine Friday said Australian boards were measuring up to world best practice in some areas but oversight could be improved by more frequent evaluations of the organisation’s risk profile.

“Best practice is moving to quarterly and, in some instances, almost ‘real time’, risk identification and response.

“While an annual review process can be useful, it really is the bare minimum in terms of connecting risk information to business planning and decision-making. As market dynamics and volatility continue to develop at pace, the organisations that are out-performing their peers are those that have faster and better risk identification and response built into their business as usual (BAU) program management.

“Organisations today are faced with managing a rapidly changing risk landscape, as a result of market volatility, geopolitical crises, wide-spread economic changes, regulatory reforms and cyber threats.”

Ms Friday said while this created challenges for organisations, it was important to think, manage and respond to risk in three key ways.

1: Link risk strategy and business performance

Organisations need to be able to clearly identify the key risks that have negative consequences, but also those that generate value, to enable a direct link between risk and business performance.

Eighty five per cent of respondents indicated there was an opportunity to improve the link between risk and business performance and saw real business benefit in doing so. This included 21% of respondents who indicated their organisation’s risk profile significantly influences their capital and other resource allocations. Close to 70% of respondents hope to get to this position in the next three years with greater linkages between risk profile, appetite, and resource allocation decisions. Respondents cited drivers such as needing to reduce costs, increase efficiencies, and ‘do more with less’ across all industries.

2: Have an effective operating model for better risk control

Respondents clearly recognised the value of a well-coordinated operating model; 67% expected activities to be well-coordinated within three years while only 21% described their model that way currently.

3: Leverage technology and frequent risk communication to efficiently manage risk

The survey found that 70% of organisations still do not use GRC technology. Organisations should view technology as a tool to more efficiently and effectively execute, as well as sustain, their response to risk, as it can integrate risk management and reporting with BAU reporting, and therefore increase risk management efficiency and effectiveness.

Leading organisations prepare scorecards, dashboards and other forms of reporting for their Board and executive management, enabling management to adapt the organisation’s business strategy as appropriate. With only 30% of respondents currently doing this, there is definite room for improvement to provide decision-makers with vital risk insights more regularly.

Ms Friday said it was clear that organisations were making progress but there was still a lot of work to be done to make risk a more integral part of strategic discussions.

“Better identification of risks, clearer risk ownership processes, more structured and frequent risk communication to decision-makers and better use of technology are all essential to bridge the gap between understanding and execution,” Ms Friday said.