2020 The State of Risk Oversight:  An Overview of Enterprise Risk Management Practices - 11th Edition

Each year, the ERM Initiative at NC State University, in partnership with the AICPA, conducts research about the current state of risk oversight processes in organizations of all types and sizes to obtain an understanding of the relative maturity of underlying activities executives and boards use to monitor the rapidly changing risk landscape. We are pleased to announce that our 2020 State of Risk Oversight Report is now available reflecting insights from 563 respondents.

Despite some signs of greater ERM maturity for organizations, our 11th annual report suggests there is significant room for improvement in risk oversight processes across a number of organizations. Unfortunately, many executive teams and boards of directors are now realizing the implications of being ill-prepared to manage the multitude of enterprise-wide risks triggered by such a large scale root cause event of the magnitude of the evolving COVID-19 crisis.

Key Findings

  • Most respondents perceive a much riskier business environment now compared to five years ago. COVID-19 has probably increased that perception exponentially for most business leaders.
  • Even before COVID-19, respondents noted that a number of external parties were pressuring senior executives for more extensive information about risks. That will likely be even greater once the pandemic crisis is behind us.
  • Few executives describe their organization’s risk management process as mature. COVID-19 has most likely highlighted even more limitations in their organization’s risk oversight capabilities than previously considered.
  • More organizations are appointing a Chief Risk Officer or creating management-level risk committees to help lead the organization’s risk efforts. That leadership is critical if an organization wants to ensure the process is ongoing and value-adding.
  • About half of the respondent organizations engage in formal risk identification and risk assessment processes. Hopefully more business leaders will see the value in engaging in those processes in the future so that they can be in a more proactive versus reactive risk management posture when the next big risk event emerges.
  • Few respondents perceive their risk management process as providing important strategic value. The ongoing pandemic crisis is hopefully convincing more executives of the strategic importance of having rich insights about risks facing the organization as they make key strategic decisions.
  • Boards tend to delegate responsibilities for risk oversight to a board level committee. More boards are likely to pull that back to the full board level given all individuals on the board need to be informed about the range of top risks for the organization.
  • The process used to generate reports to the board about risks is often ad hoc. Executives may want to rethink how they identify and prioritize risk information to be discussed with the board, given many boards are likely to place even greater pressure on management for more timely and robust risk reporting.
  • Organizations struggle to embed risk accountabilities as part of employee compensation. That is something executives may want to rethink so that risk owners feel greater accountability for overseeing risks assigned to them.
  • Cultural barriers exist inside organizations that limit the strengthening of risk management processes. Business leaders need to focus on what barriers are present inside their organizations to determine what needs to be done to remove those barriers so progress can be realized.

While organizations that previously invested in developing robust enterprise-wide risk management processes are still experiencing significant impacts from this unfolding crisis, their previous preparation to manage risks at an enterprise-wide level has hopefully positioned their leadership teams to be in a more proactive risk management position relative to competitors who have little, if any, ERM process in place.

This report highlights the state of risk oversight practices in 563 organizations. We believe readers can use this report to identify a number of factors to be considered as they seek to enhance their ERM approaches to managing the ever-changing nature of risks in the global business environment.

Download the 11th Edition

You can access all of the prior years’ reports by clicking on the links below.

If your organization seeks additional training on the topic of ERM, the ERM Initiative hosts executive education and ERM Roundtable Summits featuring ERM best practices.   Learn more.

Subscribe to ERM Insights

The latest research, insights and opportunities from the NC State ERM Initiative to help
you and your organization lead with confidence.

ERM Enterprise Risk Management Initiative 2020-04-01