The intense focus on board oversight of risk management processes continues in 2010. The volatile economic environment that persists is generating greater scrutiny of the role of boards and senior executives in the oversight of the multitude of risks their organizations face.
The Securities and Exchange Commission (SEC) announced in December 2009 new proxy disclosure rules that require U.S. publicly traded companies to include in their annual proxy statements information about the board’s involvement in risk oversight. In October 2009, the Blue Ribbon Commission of the National Association of Corporate Directors (NACD) issued its report, Risk Governance: Balancing Risk and Reward, providing suggestions and practical advice for directors on risk oversight. Similarly, COSO issued in fall 2009 two thought papers, Effective Enterprise Risk Management: The Role of the Board of Directors and Strengthening Enterprise Risk Management for Strategic Advantage, that highlight the key roles of the board of directors and senior executives in enterprise risk management. Furthermore, legislation has been proposed in Congress that would require boards of public companies to create separate risk committees among other matters.
These recent developments continue the emphasis on strengthening risk oversight that has been building over the last several years. In 2004, the New York Stock Exchange adopted governance rules that require audit committees of listed firms to oversee management’s risk oversight processes. In 2008, rating agencies, such as Standard & Poor’s, began to explicitly evaluate an entity’s ERM processes as an input to their credit ratings analysis. Greater expectations also exist among regulators, such as the Federal Reserve.
Some organizations are responding to these shifts in expectations by implementing an enterprise-wide approach to risk management frequently referred to as “enterprise risk management” or “ERM.” Despite the growing trends towards adopting a more holistic top-down approach to risk oversight, not all organizations have taken steps to modify their procedures for identifying, assessing, managing, and communicating risk information to key stakeholders.
In March 2009, we issued, in conjunction with the AICPA Business, Industry, & Government Team, our first Report on the Current State of Enterprise Risk Management, to provide insight about the current state of enterprise risk management based on fall 2008 survey results from over 700 senior executives representing organizations of various sizes and industries. That report found that while organizations face a significant volume of complex risks, the state of enterprise-wide risk management was relatively immature in late 2008.
Given the continued amount of attention and focus throughout 2009 and early 2010 on the need to strengthen risk oversight from organizations such as the SEC, NACD, COSO, Congress, the Federal Reserve, and the financial press, we partnered again with the AICPA Business, Industry, and Government Team to update our understanding about the current state of enterprise risk management. We surveyed senior executives in December 2009 to ask them a series of questions similar to those we asked in 2008 designed to illuminate their enterprise risk oversight process.
This 2010 Report on the Current State of Enterprise Risk Oversight – 2nd Edition, updates our insights on how boards and senior management teams are responding to the challenges of risk oversight in light of the current environment. We explore numerous factors that help shed light upon the current sophistication of risk oversight, many of the current drivers within organizations that are leading to changes in their risk oversight processes, and some of the impediments to further ERM evolution.
Key Findings from Research
- Over 63% of respondents believe that the volume and complexity of risks have changed “Extensively” or “A Great Deal” in the last five years. This is relatively unchanged from the 62.2% who responded similarly in the 2009 report. Thus, most believe the world of risk is rapidly evolving in complex ways.
- Organizations continue to experience significant operational surprises. Thirty-nine percent of respondents admit they were caught off guard by an operational surprise “Extensively” or “A Great Deal” in the last five years. Another 35% noted that they had been “Moderately” affected by an operational surprise. Together, these findings suggest that weaknesses in existing risk identification and monitoring processes may exist, given that unexpected risk events have significantly affected many organizations.
- About half (47.5%) of respondents self describe the organization’s risk culture as one that is either “strongly risk averse” or “risk averse.” Given their admission of a highly complex and voluminous risk environment and the risk averse nature of the organization’s culture, one might expect these organizations to be moving rapidly towards more robust risk oversight processes.
- Ironically, 48.7% of respondents describe the sophistication of their risk oversight processes as immature to minimally mature. Forty-seven percent do not have their business functions establishing or updating assessments of risk exposures on any formal basis. Almost 70% noted that management does not report the entity’s top risk exposures to the board of directors. These trends are relatively unchanged from those noted in the 2009 report.
- Almost 57% of our respondents have no formal enterprise-wide approach to risk oversight, as compared to 61.8% in our 2009 report with no formal ERM processes in place. Only a small number (11%) of respondents believe they have a complete formal enterprise-wide risk management process in place as compared to 9% in the 2009 report. Thus, there has been only a slight movement towards an ERM approach since our 2009 report.
- Almost half (48%) admit that they are “Not at All Satisfied” or are “Minimally” satisfied with the nature and extent of reporting to senior executives of key risk indicators.
- Very few (15.5%) organizations provide explicit guidelines or measures to business unit leaders on how to assess the probability or potential impact of a risk event. Despite this, 60.5% indicate that they believe risks are being effectively assessed and monitored in other ways besides ERM. This raises the potential for those organizations to have widely varying levels of risk acceptance across business units, and an increased potential for the acceptance of risks beyond an organization’s appetite for risk taking.
- Almost half (47.6%) have provided senior executives or key business unit leaders formal training or guidance on risk management in the past two years, with an additional 30.5% providing minimal training or guidance.
- There has been some movement towards delegating senior management leadership over risk oversight. Twenty-three percent have created a chief risk officer position, up from 17.8% in the 2009 report, and 30% have an internal risk committee that formally discusses enterprise level risks, up from 22% noted in the 2009 report.
- Just over half (53%) of organizations surveyed currently do no formal assessments of strategic, market, or industry risks, and 51% noted that they do not maintain any risk inventories on a formal basis. Thus, almost half have no processes for assessing strategic risks. Despite that, about 43% of our respondents believe that existing risk exposures are considered “Extensively” or “A Great Deal” when evaluating possible new strategic initiatives. This raises the question of whether some organizations may be overconfident of their informal processes.
- When boards of directors delegate risk oversight to a board level committee, most (65%) are assigning that task to the audit committee, which is somewhat higher than the 55% of boards assigning risk oversight to the audit committee noted in our 2009 report.
- When risk oversight is assigned to the audit committee, 64% of those audit committees are focusing on financial, operational, or compliance related risks. Only 36% indicate that they also track strategic and/or emerging risks; however, this is up from the 18% in the 2009 report who said the audit committee monitors all entity risks, including strategic risks.
- Expectations for improvements in risk oversight may be on the rise. For almost half (45%) of the organizations represented, the board of directors is asking senior executives to increase their involvement in risk oversight.