NC State’s ERM Initiative, in partnership with the American Institute of CPAs, has just released its Report on the Current State of Enterprise Risk Management:  Opportunities to Strengthen Integration with Strategy. Based on survey responses from 446 business executives spanning a number of industries, types and sizes of organizations, the report provides detailed insights about the state of maturity about a number of processes related to their organization’s current state of enterprise risk management (ERM). This is the fifth year that we have conducted similar research in partnership with the AICPA.

Despite the fact that over 55% of the respondents believe that the volume and complexity of risks has increased “mostly” or “extensively” in the past five years and that in over 60% of the organizations the board of directors is asking “somewhat”, “mostly” or “extensively” for increased senior executive involvement in risk oversight, only 20% of them describe the level of their organization’s risk management as “mature” or “robust.” In 2009, we found that only 8.8% of organizations we surveyed claimed to have complete ERM processes in place; by 2013, 24.6% made that claim. However, the fact that only a quarter of organizations surveyed have complete ERM processes in place suggests that there continues to be significant room for risk oversight improvement across most entities. Not surprising, the largest organizations and public companies are much further along, with 55.8% and 52.0% of those organizations, respectively, claiming to have complete ERM processes in place. In contrast, just 13.0% of not-for-profit organizations made that claim.

Most notably, organizations appear to be struggling to integrate their risk oversight and strategic planning processes. Less than 15% believe “mostly” or “extensively” that the organization’s risk management process is a proprietary strategic tool that provides unique competitive advantage. Less than half (40.4%) of the organizations describe the extent as “mostly” or “extensively” that the board formally discusses the top risk exposures facing the organization when the board discusses the organization’s strategic plan. This seems surprisingly low given the relationship between risk and return. Over one-third (38.2%) of the organizations do no formal assessments of emerging strategic, market, or industry risks. Significant opportunities remain for organizations to strengthen underlying processes for identifying and assessing key risks facing the entity especially as it relates to integrating risk oversight efforts with strategic planning activities.  

The report contains key insights about the level of implementation related to a number of key ERM processes that may be useful for benchmarking purposes.  For example:

  • 29.7% have a formal policy statement regarding its ERM approach.
  • 31% have formally designated an individual to serve as Chief Risk Officer (CRO) or equivalent senior risk management executive. Banks are more likely to have done so, as indicated by 53.1% of financial services entities reporting that kind of designation.
  • 43% have a management-level risk committee in place, with that committee most often meeting on a quarterly basis.
  • About 40% claim to maintain inventories of risks at the enterprise level; however, three-fourths of them do not provide explicit guidelines for business unit leaders to assess risk probabilities and impact.
  • 37.5% of entities go through a process to update key risk inventories annually with an additionally 7.9% doing that semi-annually and 12.1% doing that quarterly. 
  • The majority of organizations (66.3%) communicate key risks on an ad hoc basis at management meetings. Only one-third explicitly schedule agenda time to discuss key risks at management meetings.
  • Almost half are “not at all” or “minimally” satisfied with the nature and extent of reporting of key risk indicators to senior executives regarding key risk exposures.
  • 26.6% describe their ERM process as “systematic, robust, and repeatable.”
  • 41.4% of the boards of directors have assigned formal responsibility for risk oversight to a board committee, with most delegating to the audit committee.
  • 43.1% report between 5 and 20 risk exposures to the board or one of its committees.

The report contains a number of other key benchmarking insights.

Download the full report.