2016 The State of Risk Oversight: An Overview of Enterprise Risk Management Practices
NC State’s ERM Initiative, in partnership with the American Institute of CPAs (AICPA), has just released its 2016 report, The State of Risk Oversight: An Overview of Enterprise Risk Management Practices. Based on survey responses from 441 business executives spanning a range of industries and of organization types and sizes, the report provides detailed insights into the current maturity of their organizations’ enterprise risk management (ERM) practices. This is the seventh year that we have conducted similar research in partnership with the AICPA.
This report provides extensive data about the maturity of various aspects of an organization’s ERM process. Not only do we provide data about the full sample, but we also separately report findings for the largest organizations (revenues > $1B), publicly traded companies, financial services organizations, and not-for-profit organizations.
Here is a brief overview of some of the key findings.
State of ERM Maturity
There appears to be a disconnect between the recognition of today’s high risk business environment and the decision to invest more in structured risk oversight.
While 57% believe that the volume and complexity of risks have changed “extensively” or “mostly” in the last five years, only 25% believe their organization has a “complete formal enterprise-risk management process in place,” and that finding does not differ from the prior year, suggesting that no significant strides in risk oversight maturity were made over the prior year.
Calls for Improved Risk Oversight
Executives indicate that they are receiving increased calls for greater engagement in risk oversight, with 70% reporting that the board of directors is asking “somewhat” to “extensively” for increased senior executive involvement in risk oversight. That figure is even higher for large companies (88%) and public companies (88%).
- But, those pressures do not appear to be leading to significant year-over-year change in risk management approaches. Only 25% describe their organization’s level of risk management maturity as “Mature” or “Robust.” Are the pressures sufficient to warrant real change?
Organizations appear to be using management-level risk committees to lead the risk oversight effort. Most organizations, except for financial services firms, are not creating new management-level risk leadership positions, such as chief risk officer or equivalent.
- 45% have a management-level risk committee and those committees meet at least quarterly. 32% have designated an individual to serve as the chief risk officer or equivalent; however, the percentage is much higher for financial services organizations.
Almost two-thirds of the organizations indicate they use written reports to communicate risk information to senior executives, and most prepare a formal report of top risk exposures for the board at least annually. However, only about a third of them (at best) maintain risk inventories at the enterprise level, which raises the question of what sources of risk information are used to generate the written reports.
- About a third of the organizations update their understanding of risks annually while an additional 22% update that understanding semi-annually or quarterly. More importantly, almost half of the organizations have no formal updating process. Given the nature of the ever-changing business environment, key stakeholders may wonder if the frequency of risk updates is sufficient.
- One-third of the respondents describe their ERM process as “systematic, robust, and repeatable with regular reporting of top risk exposures to the board.”
Risk Assessment Scales
Most organizations (just under 70%) do not provide any guidelines or scales for management to assess risk probabilities or impacts.
- Thus, the process used to prioritize risks is mostly ad hoc and subject to the biases of an individual’s personal risk tolerances. Are those potential biases skewing the list of top risks?
Integration of ERM and Strategy
Organizations appear to be struggling to integrate their risk oversight with their strategy development and execution.
- 56% indicate that their organization’s risk management process is “not at all” or “minimally” viewed as a proprietary strategic tool that provides unique competitive advantage, suggesting that many organizations continue to struggle to integrate ERM and strategic planning. Just under one-half of the organizations believe that existing risk exposures are considered when evaluating new strategic initiatives.
- Executives see risk management as a “competing priority” despite the realities of the risk/return relationship.
Risk Management Training
While most view the risk landscape as increasing in complexity over time, the majority of organizations have provided no formal training or guidance on risk management for employees.
- If your organization seeks additional training on the topic of ERM, the ERM Initiative hosts executive education programs and ERM Roundtable Summits featuring ERM best practices.
Future of ERM
As organizations peer into the future, the challenge question for the board of directors, senior executives, and other key stakeholders is “how confident are we in our organization’s ability to effectively identify and navigate the unfolding uncertainties surrounding our current business model and new strategic initiatives?” Based on key findings in this report, what opportunities exist to enhance the organization’s risk management thinking so that both sides of the risk and return relationship are sufficiently and effectively managed?
This year’s report highlights many other specific findings about various aspects of an effective enterprise-wide risk management process. In addition to providing findings for the overall sample, the report separately highlights key findings for public companies, the largest organizations, financial services organizations, and not-for-profit entities.