The recent economic crisis has forced many companies to evaluate their risk management process. In the past, most organizations have managed risk in a silo-based or departmental approach. The downside of this approach is that individual departments do not come together to share risk oversight information. As a result, one silo may develop a risk management process that increases risk in another silo, leading to inefficient risk management across the organization. This article was authored by Mark S. Beasley, Bruce C. Branson, and Bonnie V. Hancock.
Enterprise risk management (ERM) is a top-down approach to identifying, assessing, and monitoring risks across the organization. ERM involves establishing communication protocols to ensure that risk information is shared across the entity. This approach allows executives to take inventory of key risk exposures that could have a pervasive effect on the entity’s objectives. Executives can then reduce these risks in order to preserve and enhance stakeholder value.
The authors of this article conducted a survey of more than 700 organizations to gain insight into the state of risk oversight in organizations today. The survey found that more than 60% of respondents had no formal enterprise-wide approach to risk oversight. While almost all respondents indicated an increase in the volume and complexity of their risks, only 9% of respondents believe they have completely implemented a formal ERM process. The remaining respondents largely agreed that their risk management process is very immature in relation to the level of risks in their organization.
Since there is such a large gap between the need for enterprise risk management and the number of organizations who have adopted ERM, the authors asked the respondents to identify perceived barriers to implementing ERM. The top two barriers were competing priorities and insufficient resources. Other barriers included lack of perceived value and lack of executive ERM leadership.
Despite these barriers, 75% of respondents indicated that the board of directors is asking executives to increase their involvement in risk oversight. Eighty-three percent of respondents specified that internal audit is also pressuring executives to strengthen risk oversight. The majority of organizations who have implemented ERM have delegated risk oversight responsibility to the audit committee, indicating that the board’s interest in strengthening risk oversight is often channeled through the audit committee.
Opportunities for Improvement
Given the results of the survey, there is room for improvement in risk management in the majority of organizations. CPAs, in particular, are in a unique position to assist with the development and implementation of ERM. The CFO, members of the audit committee, and internal audit can all play a role in risk management.
While CFOs are often responsible for developing the ERM infrastructure, the audit committee typically provides oversight of the process and its completeness and effectiveness. At the same time, internal audit can ensure that the ERM process is functioning correctly. Internal audit can also independently verify the information output from the ERM process itself. Individuals in these positions can fuel the implementation of ERM in their organization, leading to more effective risk management across the board.
Click below to read the full article.