NC State’s ERM Initiative, in partnership with the American Institute of CPAs, has just released its 2015 Report on the Current State of Enterprise Risk Management: Update on Trends and Opportunities. Based on survey responses from 1,093 business executives spanning a number of industries, types and sizes of organizations, the report provides detailed insights about the current state of maturity of their organization’s enterprise risk management (ERM) practices. This is the sixth year that we have conducted similar research in partnership with the AICPA.
There appears to be a disconnect between the recognition of today’s high-risk business environment and the decision to invest more in structured risk oversight. While almost 60% of participants believe that the volume of complexity of risks have changed “extensively” or “mostly” in the last five years, only 23% describe their organization’s level of risk management as “mature” or “robust.” Even more revealing is the finding that 52% indicate their organization’s risk management process is “not at all” or “minimally” viewed as a proprietary strategic tool that provides unique competitive advantage. Have executives lost sight of the interrelationship of “risk” and “return”?
Under-Investment In Risk Oversight?
Respondents indicate that they are receiving increased calls for greater engagement by executives in risk oversight. But those pressures do not appear to be leading to significant year-over-year changes in risk management approaches. The maturity of enterprise-wide risk oversight processes appears to have leveled off for organizations in general, although we do find that large organizations, public companies, and financial services organizations are significantly more mature than other organizations in their enterprise-risk oversight processes. In 2009, we found that only 9% of organizations we surveyed claimed to have complete ERM processes in place; by 2015, 25% made that claim.
Other key findings discussed in this report include:
- 32% have designated an individual to serve as the chief risk officer or equivalent, with financial services entities most likely to do so. It is more common (45% of the time) for the entity to have a management-level risk committee.
- Only 33% of organizations maintain risk inventories at the enterprise level; however, 71% claim to use written reports to communicate risk information to senior executives. Most (59%) chose to report risks on an ad hoc basis rather than schedule agenda time for such discussion.
- 28% provide guidance to management to assess a risk’s probability or impact, thereby subjecting the risk prioritization process to individual biases and risk tolerances of executives.
- 41% admit to not being “at all satisfied” or “minimally” satisfied with the nature and extent of the reporting of key risk indicators to senior executives.
- 36% of the organizations do no formal assessments of emerging strategic, market, or industry risks.
- Only 27% of organizations have boards that “mostly” or “extensively” review the top risk exposures.
This year’s report highlights many other specific findings about various aspects of an effective enterprise-wide risk management process. In addition to providing findings for the overall sample, the report separately highlights key findings for public companies, the largest organizations, financial services organizations, and not-for-profit entities.
If your organization seeks additional training on the topic of ERM, the ERM Initiative hosts executive education and ERM Roundtable Summits featuring ERM best practices. Learn more.