2021 The State of Risk Oversight: An Overview of Enterprise Risk Management Practices - 12th Edition
Each year, the ERM Initiative at NC State University, in partnership with the AICPA, conducts research about the current state of risk oversight processes in organizations of all types and sizes to obtain an understanding of the relative maturity of underlying activities executives and boards use to monitor the rapidly changing risk landscape. We are pleased to announce that our 2021 State of Risk Oversight Report is now available reflecting insights from 420 respondents.
Our 12th annual report reveals that executives believe risk volumes and complexities are at their highest level in 12 years, increased by significant events tied to COVID-19, social unrest, recent elections, extremely low interest rates, and a host of other triggers. Recent realities are revealing a need for real change in how organizations oversee the constantly evolving risk landscape.
This 2021 State of Risk Oversight Report highlights over 40 different aspects of risk management practices that readers can use to benchmark their risk management processes along several dimensions. And, it includes Calls to Action and an Evaluation Template that executives can use to quickly assess their risk management programs.
In addition to providing analyses for the full sample, the report includes sub-analyses for large organizations (revenues > $1B), public companies, and not-for-profit organizations.
Detailed analyses provide helpful benchmarking perspectives about these aspects of risk management:
- Drivers for Enhanced Risk Management
- Overall State of Risk Management Maturity
- Strategic Value of Risk Management
- Impact of Culture on Risk Management
- Assignment of Risk Management Leadership
- Risk Identification and Risk Assessment Processes
- Risk Monitoring Processes
- Board Risk Oversight Structure
- Board Reporting and Monitoring
The report also includes a number of questions readers can consider about their organizations as they read the findings for each of these topics and it concludes with a series of Calls to Action that executives can use to evaluate their risk management maturity.
- Risk volumes and complexities are at their highest level in 12 years, increased by significant events tied to COVID-19, social unrest, national elections, extremely low interest rates, and a host of other risk triggers – no type of organization is immune.
- Events in 2020 are revealing a need for real change in how organizations govern business continuity and crisis management.
- Organizations are facing pressures from a number of stakeholders to provide more risk information, and business leaders want to be better prepared when unexpected risk events emerge to avoid being surprised.
- Effective risk management is a priority among boards of directors.
Maturity of Risk Management Practices
- While progress has been made in implementing complete ERM processes, more than two-thirds of organizations surveyed still cannot claim they have “complete ERM in place.”
- Public companies and financial services organizations exhibit the biggest move towards ERM in 2020.
- Most types of organizations believe their risk management oversight is more robust or mature than any of the prior four years, with the exception of non-profit organizations; however, fewer than half of respondents describe their organization’s approach to risk management as “mature” or “robust.”
- Organizations continue to struggle to integrate their risk management and strategic planning efforts.
- There are a number of impediments to advancing an organization’s risk management processes, with the belief that “risks are managed in other ways besides ERM” dominating the list.
- There may be a disconnect between desired versus actual risk management capabilities given the majority of organizations describe their risk culture as “strongly risk averse” to “risk averse” despite the finding that only a minority of respondents describe their risk management processes as “mature” or “robust.”
Risk Management Leadership
- Pinpointing an executive to lead the risk management process is becoming more common relative to a decade ago; however, just one-half of our surveyed organizations are doing so.
- Individuals serving in the CRO or equivalent role most often report directly to either the CEO or CFO.
- The likelihood an organization has a management-level risk committee is higher than the likelihood they have appointed a CRO or equivalent.
Ongoing Risk Monitoring
- There appears to be an opportunity for most organizations to improve the nature and type of key risk indicators included in their management dashboard systems. Across the full sample, only 30% report they are “mostly satisfied” or “very satisfied” with their organization’s KRIs.
- The growing use of data analytics may provide opportunities for management to strengthen their management “dashboards” to include more information that helps track potential risks on the horizon.
- More often than not, boards of directors assign formal responsibility for overseeing management’s risk assessment and risk management process to a board committee, which is typically the audit committee, except for financial services organizations that have a risk committee at the board level.
- Most organizations prepare a formal report on top risks to the board at least annually, with the percentage highest in 2020.
- The majority of boards set aside a specific meeting to discuss the aggregate report of top risk exposures facing the organization, particularly for public companies.
- The integration of risk information with discussion of the strategic plan is not occurring extensively across most organizations, suggesting there may be opportunities to enhance the integration of risk information with strategic planning information for most organizations.
This report highlights the state of risk oversight practices in 420 organizations. We believe readers can use this report to identify a number of factors to be considered as they seek to enhance their ERM approaches to managing the ever-changing nature of risks in the global business environment.
You can access all of the prior years’ reports by clicking on the links below.
- 11th Edition
- 10th Edition
- 9th Edition
- 8th Edition
- 7th Edition
- 6th Edition
- 5th Edition
- 4th Edition
- 3rd Edition
- 2nd Edition
- 1st Edition
If your organization seeks additional training on the topic of ERM, the ERM Initiative hosts executive education and ERM Roundtable Summits featuring ERM best practices. Learn more.
Read ERM articles as soon as we post them
Keep up-to-date with current developments in ERM. Subscribe to the ERM Newsletter.