More companies are implementing enterprise risk management (ERM) processes, but many of them are falling short, according to a new study from the AICPA and North Carolina State University’s Enterprise Risk Management Initiative.
Each year, the ERM Initiative at NC State University, in partnership with the AICPA, conducts research about the current state of risk oversight processes in organizations of all types and sizes to obtain an understanding of the relative maturity of underlying activities executives and boards use to monitor the rapidly changing risk landscape.
The researchers surveyed 560 U.S. CFOs and senior finance leaders this past winter, asking them to assess the level of maturity in their organization’s risk management processes. The 13th annual report reveals that executives believe risk volumes and complexities remain high, giving ongoing concerns related to the war in Ukraine, rising inflation, the war for talent, lingering supply chain disruptions, ransomware threats, and a host of other triggers. Recent realities are revealing a need for real change in how organizations oversee the constantly evolving risk landscape.
Risk volumes and complexities are near their highest level in 13 years, triggered by significant events tied to the ongoing economy, geopolitical challenges, the great resignation, supply-chain roadblocks, never-ending cyber threats, upcoming mid-term elections, and a host of other risk triggers – no type of organization is immune.
Events in 2022 are convincing leaders about the need for real change in how organizations govern business continuity and crisis management.
Organizations are facing pressures from a number of stakeholders to provide more risk information, and business leaders want to be better prepared when unexpected risk events emerge to avoid being surprised.
Effective risk management is a priority among boards of directors
Maturity of Risk Management Practices
While progress has been made in implementing complete ERM processes, more than two-thirds of organizations surveyed still cannot claim they have “complete ERM in place.”
Public companies and financial services organizations exhibit the highest level of ERM in 2022.
Most types of organizations believe their risk management oversight is more robust or mature than pre-COVID 19 periods; however, fewer than half of respondents describe their organization’s approach to risk management as “mature” or “robust.”
Organizations continue to struggle to integrate their risk management and strategic planning efforts.
There are a number of impediments to advancing an organization’s risk management processes, with the belief that “risks are managed in other ways besides ERM” dominating the list.
There may be a disconnect between desired versus actual risk management capabilities given the majority of organizations describe their risk culture as “strongly risk averse” to “risk averse” despite the finding that only a minority of respondents describe their risk management processes as “mature” or “robust.”
Risk Management Leadership
Pinpointing an executive to lead the risk management process is becoming more common relative to a decade ago; however, just under one-half of our surveyed organizations are doing so.
Individuals serving in the CRO or equivalent role most often report directly to either the CEO or CFO.
The likelihood an organization has a management-level risk committee is increasing and higher than the likelihood they have appointed a CRO or equivalent.
Ongoing Risk Monitoring
There appears to be an opportunity for most organizations to improve the nature and type of key risk indicators included in their management dashboard systems. Across the full sample, only 32% report they are “mostly satisfied” or “very satisfied” with their organization’s KRIs.
The growing use of data analytics may provide opportunities for management to strengthen their management “dashboards” to include more information that helps track potential risks on the horizon.
More often than not, boards of directors assign formal responsibility for overseeing management’s risk assessment and risk management process to a board committee, which is typically the audit committee, except for financial services organizations that have a risk committee at the board level.
Most organizations prepare a formal report on top risks to the board at least annually, with the percentage highest for public companies in 2022.
The majority of boards set aside a specific meeting to discuss the aggregate report of top risk exposures facing the organization, particularly for public companies.
The integration of risk information with discussion of the strategic plan is not occurring extensively across most organizations, suggesting there may be opportunities to enhance the integration of risk information with strategic planning information for most organizations.