The necessity for a fully functioning ERM system for an organization is becoming increasingly important.  Many organizations are beginning to take hold of their risk oversight process and others are feeling the pressure of external factors to take a deeper look into risk oversight.  The AICPA and CIMA commissioned the ERM Initiative at NC State University to survey both U.S. organizations and global organizations on the current state of ERM.  Responses were received from 331 U.S. organizations and 264 global organizations.  The survey consisted of forty questions addressing many of the key issues dealing with ERM. This paper was authored by Mark S. Beasley, Bruce C. Branson, and Bonnie V. Hancock.

As more organizations are taking risk into consideration, it is easy to see that there is a misunderstanding of the perceived level of risk management needed within a business.  The majority of the respondents said that the complexity and volume of risk has increased extensively over the past five years and almost half have faced a significant operational surprise in that same time period.  In spite of that, responses suggest that most organizations do not have much faith in the maturity level of their risk oversight processes.  These statistics do not bode well to the fact that while organizations are aware of the need for better risk oversight processes, their organizations do not have a strong process in place.

Although not all of these organizations are investing significantly in implementing effective ERM processes, they are noticing increasing calls for more focus on the risk oversight aspect of ERM to help strengthen the case for implementation.  In the United States, audit committees are often the ones asking for increased involvement from senior executives in risk oversight.  Interestingly, global organizations are noticing that boards of directors are asking for more senior executive participation in enterprise risk management.  Once again, global participants are doing their part, as over half of the respondents claim to have assigned formal responsibility for overseeing risk to one or more board committees.  In contrast, only a third of U.S. respondents claim to delegate the responsibility to a committee with most assigning responsibility to the audit committee. 

U.S. organizations report that about half of the respondents do not have an enterprise wide approach and have no plans to implement one anytime soon.  It is very clear that the global organizations also have more faith in their ERM systems, compared to the U.S. respondents.  The global organizations appear to have more formal and complete ERM processes in place, as evidenced by the attention given by global organizations to updating risk inventories and standardizing processes for identifying and assessing risks.  The U.S. organizations are still not providing appropriate guidance to key business leaders and with few going far enough to define what they mean by of the term “risk”, as compared to global organizations.

The global organizations also appear to be more likely to designate internal risk leaders within their firms.  Global organizations appear to be creating internal risk committees and assigning someone to the role of chief risk officer more so than U.S. firms. Both globally and domestically run organizations claim that the proper amount of training has not been implemented with ERM in the organizations.  Even though both groups of respondents are not positive that the ERM process is moving in the right direction, both believe that their senior executive teams consider risk exposures when evaluating possible strategic initiatives.  Additionally, both groups of respondents place the blame for barriers to ERM on competing priorities, insufficient resources, ERM perceived as unneeded bureaucracy, and lack of perceived value.

With all of these findings from the survey, it is still clear that not everyone is fully prepared for the implementation of ERM processes.  This lack of preparedness may be due to organizations not understanding the clear meaning of enterprise risk management or how it may benefit their organization in the future. Hopefully, U.S. organizations will take this survey into consideration and strive to help better organize their ERM efforts and place them on the correct path for success as global organizations are currently doing.

Click below to read the survey report