2022 The State of Risk Oversight: An Overview of Enterprise Risk Management Practices - 13th Edition
Each year, the ERM Initiative at NC State University, in partnership with the AICPA, conducts research about the current state of risk oversight processes in organizations of all types and sizes to obtain an understanding of the relative maturity of underlying activities executives and boards use to monitor the rapidly changing risk landscape. We are pleased to announce that our 2022 State of Risk Oversight Report is now available, reflecting insights from 560 respondents.
Listen to a brief podcast interview of one of the authors, Mark Beasley, who provides a high-level overview of the report (15 minutes).
Our 13th annual report reveals that executives believe risk volumes and complexities remain high, given ongoing concerns related to the war in Ukraine, rising inflation, the war for talent, lingering supply chain disruptions, ransomware threats, and a host of other triggers. Recent realities are revealing a need for real change in how organizations oversee the constantly evolving risk landscape.
This 2022 State of Risk Oversight Report highlights over 40 different aspects of risk management practices that readers can use to benchmark their risk management processes along several dimensions. The report also offers a list of questions that executives and boards can use to assess their organization’s risk readiness and to help pinpoint tactical next steps for strengthening risk management processes. The questions cover nine areas including:
- Drivers for Enhanced Risk Management
- Overall State of Risk Management Maturity
- Strategic Value of Risk Management
- Impact of Culture on Risk Management
- Assignment of Risk Management Leadership
- Risk Identification and Risk Assessment Processes
- Risk Monitoring Processes
- Board Risk Oversight Structure
- Board Reporting and Monitoring
The report also includes a number of questions readers can consider about their organizations as they read the findings for each of these topics and it concludes with a series of Calls to Action that executives can use to evaluate their risk management maturity.
In addition to providing analyses for the full sample, the report includes sub-analyses for large organizations (revenues > $1B), public companies, and not-for-profit organizations.
- Risk volumes and complexities are near their highest level in 13 years, triggered by significant events tied to the ongoing economy, geopolitical challenges, the great resignation, supply-chain roadblocks, never-ending cyber threats, upcoming mid-term elections, and a host of other risk triggers – no type of organization is immune.
- Events in 2022 are convincing leaders about the need for real change in how organizations govern business continuity and crisis management.
- Organizations are facing pressures from a number of stakeholders to provide more risk information, and business leaders want to be better prepared when unexpected risk events emerge to avoid being surprised.
- Effective risk management is a priority among boards of directors.
Maturity of Risk Management Practices
- While progress has been made in implementing complete ERM processes, more than two-thirds of organizations surveyed still cannot claim they have “complete ERM in place.”
- Public companies and financial services organizations exhibit the highest level of ERM in 2022.
- Most types of organizations believe their risk management oversight is more robust or mature than pre-COVID-19 periods; however, fewer than half of respondents describe their organization’s approach to risk management as “mature” or “robust.”
- Organizations continue to struggle to integrate their risk management and strategic planning efforts.
- There are a number of impediments to advancing an organization’s risk management processes, with the belief that “risks are managed in other ways besides ERM” dominating the list.
- There may be a disconnect between desired versus actual risk management capabilities given the majority of organizations describe their risk culture as “strongly risk averse” to “risk averse” despite the finding that only a minority of respondents describe their risk management processes as “mature” or “robust.”
Risk Management Leadership
- Pinpointing an executive to lead the risk management process is becoming more common relative to a decade ago; however, just under one-half of our surveyed organizations are doing so.
- Individuals serving in the CRO or equivalent role most often report directly to either the CEO or CFO.
- The likelihood an organization has a management-level risk committee is increasing and higher than the likelihood they have appointed a CRO or equivalent.
Ongoing Risk Monitoring
- There appears to be an opportunity for most organizations to improve the nature and type of key risk indicators included in their management dashboard systems. Across the full sample, only 32% report they are “mostly satisfied” or “very satisfied” with their organization’s KRIs.
- The growing use of data analytics may provide opportunities for management to strengthen their management “dashboards” to include more information that helps track potential risks on the horizon.
- More often than not, boards of directors assign formal responsibility for overseeing management’s risk assessment and risk management process to a board committee, which is typically the audit committee, except for financial services organizations that have a risk committee at the board level.
- Most organizations prepare a formal report on top risks to the board at least annually, with the percentage highest for public companies in 2022.
- The majority of boards set aside a specific meeting to discuss the aggregate report of top risk exposures facing the organization, particularly for public companies.
- The integration of risk information with discussion of the strategic plan is not occurring extensively across most organizations, suggesting there may be opportunities to enhance the integration of risk information with strategic planning information for most organizations.
This report highlights the state of risk oversight practices in 560 organizations. We believe readers can use this report to identify a number of factors to be considered as they seek to enhance their ERM approaches to managing the ever-changing nature of risks in the global business environment.
If your organization seeks additional training on the topic of ERM, the ERM Initiative hosts executive education and ERM Roundtable Summits featuring ERM best practices.