The Institute of Internal Auditors (IIA) and The IIA Research Foundation's Global Audit Information Network surveyed 240 chief audit executives or heads of internal auditing at organizations across a range of industries and countries. Of those surveyed, 165 (68.8%) have either a formal or an informal risk management program or process in place, and it is these 165 respondents who provided the feedback about ERM in their organizations summarized here. Of the organizations without a risk management program, approximately one-third plan to implement one within the next year, while two-thirds have no plans to implement a risk management program at all. In over half of the organizations with no implementation plans, internal audit has nonetheless brought the idea of establishing a risk management process to management's attention.
Approximately 68% of respondents indicated their organization either has a risk management philosophy in place or will be establishing one in the future. Key elements of risk management philosophies that were noted include identifying, documenting, and evaluating risks; managing and mitigating identified risks; and establishing the right tone at the top.
Drivers prompting organizations to establish risk management programs include implementing regulatory guidelines, sound risk management practices, and internal audit recommendations (54.2%); following up on chief-level interest (38.1%); and meeting a board mandate (35.1%). COSO's Enterprise Risk Management – Integrated Framework is the most commonly used framework for guiding risk management efforts, and respondents indicated that frameworks have a moderate (39%) to substantial (34.1%) impact on those efforts. The top benefits identified as driving risk management efforts are identifying and managing organization-wide risks; minimizing operational surprises and losses; enhancing risk response decisions; linking growth, risk, and return; and providing an integrated response to multiple risks.
Timeframe of ERM Implementation
Implementing risk management programs and processes took two or more years at 75% of respondents' organizations. This timeframe is partly explained by the implementation methods used: 39.8% used a pilot and phased approach, while 31.7% rolled the program out on a full, companywide scale. In implementing their programs, 60.1% encountered barriers, including the organization's culture, an unclear definition of the program's benefits, and a lack of time or resources for implementation. While 69.6% indicated their risk management programs had not lost momentum since inception, the programs that did lose momentum cited a lack of management support, loss of initial impact as the process became routine, a lack of time or financial support, and a lack of risk management education.
Respondents described the key structural elements of their risk management programs: who owns the program or process, how many staff support it, whether it has reached a sustainable maturity level, and how risk management efforts are integrated into the organization. The person in charge of risk management efforts is most often the chief risk officer or equivalent (32.7%), followed by the internal audit department or chief audit executive (15.2%), the CFO (13.9%), or the CEO (10.3%). Larger organizations are more likely to have a chief risk manager or a dedicated risk department in place. At most organizations, risk management programs are supported by 1-3 staff members (64.4%), with only 13.7% having a support staff of 11 or more.
The majority of respondents (70.6%) indicated their organizations did not have a sustainable risk management maturity level. However, respondents were overall more satisfied than dissatisfied with their organization’s risk management efforts (60%) and the effectiveness of those efforts (58.9%). For organizations with sustainable risk management programs, the key elements contributing to sustainability are senior management’s endorsement of the organization’s risk management efforts (84%) and the integration of management as part of the risk management program (74%). Risk management efforts are most often integrated organization wide during the strategic planning process (65%) and the business planning process (60.6%).
Satisfaction with risk management communication channels is divided almost evenly among respondents. Risk categories are used by 76.2% of respondents, with 4-6 being the typical number of categories. Satisfaction with the accuracy, completeness, and timeliness of the information used for risk management activities, and with the effectiveness of risk monitoring capabilities, is likewise divided almost evenly. Risk management activities are most frequently reported to senior management (87.3%), the audit committee (66.1%), and the board of directors (51.5%), with face-to-face delivery of reports in a meeting the preferred method of communicating results.
Respondents indicated the top internal sources of information leveraged to identify risks to the organization are data collected from various internal, IT, or external sources; discussions with senior management, the board or audit committee; and participation of business leaders in risk management teams or councils to provide feedback on risks. Top external information sources include industry publications, information from industry groups or affiliated groups, and benchmarking data from other organizations.
The majority of organizations (67.9%) do not use technology to monitor risks, and only 18.2% use technology tools to monitor all risk areas. Among the tools used to support risk management activities, in-house tools and off-the-shelf or third-party applications are used in almost equal measure. Risk dashboards are the most commonly used tool for validating risk assessments (28.7%), followed by risk profiles (25.2%). More than 60% of participants rated the effectiveness, efficiency, and satisfaction of their risk management tools as moderately to extremely low.
Importance of Executive Buy-In
The number one obstacle respondents face in implementing risk management programs or processes is a lack of support from business function leaders or the management team. One recommendation for counteracting this is for designated risk managers or process owners to secure the support of senior management before establishing the risk management process. Senior management buy-in and support is also critical to setting the tone at the top that promotes a culture in which risk management is viewed as a key business process. Such a culture helps staff and stakeholders make risk management an ongoing priority in their daily work, and it is reinforced by selecting a risk management process that genuinely meets the organization's needs.
Effective monitoring is also important to risk management programs, and relying on an informal risk management process is a key obstacle to effective monitoring. The designated risk manager or process owner can help minimize this problem by calling for the creation of a board-level committee that is actively involved in the risk management process and by securing the support of senior management. Risk monitoring activities should be incorporated into all business action plans and followed up on where necessary.
Risk management monitoring and reporting can be assisted by having the appropriate tool or application. Risk management process owners should ensure that tools do not operate at too basic a level, that risk ranking systems categorize risks accurately against the organization's risk tolerance and appetite, and that processes are implemented consistently throughout the entire organization. Challenges of correlation and interdependence among risks can be addressed by integrating risk management processes into other business areas, ensuring the involvement of senior management, and using a formalized and standardized risk mitigation process.