2017 The State of Risk Oversight: An Overview of Enterprise Risk Management Practices (8th Edition)

The percentage of organizations with relatively mature risk management processes has increased over recent years, although the majority of organizations still do not believe their processes reflect a “complete” or robust ERM process. While progress is being made, there is still room for significant improvement in risk oversight for many organizations, according to a recently released study, 2017 The State of Risk Oversight: An Overview of Enterprise Risk Management Practices.

NC State’s ERM Initiative, in partnership with the American Institute of CPAs, has just released its 2017 The State of Risk Oversight: An Overview of Enterprise Risk Management Practices. Based on survey responses from 432 business executives spanning a number of industries, types and sizes of organizations, the report provides detailed insights about the state of maturity of their organization’s current enterprise risk management (ERM) practices. This is the eighth year that we have conducted similar research in partnership with the AICPA.

This report provides extensive data about the state of maturity of various aspects of an organization’s ERM process. Not only do we provide data about the full sample, but we also separately report findings for the largest organizations (revenues > $1B), publicly traded companies, financial services organizations, and not-for-profit organizations.

Here is a brief overview of some of the key findings.

Risk Environment is Complex

Most respondents believe the risks they face are complex and numerous

  • About 70% of large organizations, public companies, and financial services entities perceive that the volume and complexity of risks have increased "mostly" or "extensively" in the past 5 years
  • That trend has been consistent over the past several years, suggesting the overall risk environment continues to be challenging to manage for all types of organizations
  • Most organizations have dealt with significant operational surprises in the past 5 years

Risk Management Processes Less Advanced

Less than half of the respondents describe risk management processes as "mature" or "robust"

  • 25% of the full sample describe their risk management processes as "mature" or "robust", with large organizations, public companies, and financial services entities having more mature processes (but less than 50% of those are "mature" or "robust")
  • The majority of organizations do not believe their processes reflect "complete" or formal enterprise-wide risk management

Opportunities Exist to Integrate Risk Management and Strategic Planning

Most organizations are struggling to integrate risk management with strategic planning

  • Only about one-quarter of the respondents describe their ERM processes as an important strategic tool, with no real differences in that assessment across types of organizations
  • 34% of the full sample do no formal assessments of emerging strategic, market, or industry risks
  • If an entity considers strategic risks, that mostly involves qualitative assessments of risk exposures

Organizations are Strengthening Risk Leadership

More organizations are establishing management-level risk committees

  • 58% of the full sample has a management-level risk committee, up from 45% last year
  • Management-level risk committees are more likely for larger organizations, public companies and financial services organizations (around 80%) - an increase of about 10 percentage points over last year
  • We also saw an increase in the designation of individuals who serve as chief risk officer or equivalent

Calls for Increased Senior Management Involvement

A strong majority of boards are asking for increased senior executive involvement in risk oversight ("somewhat", "mostly", or "extensively")

  • 67% of the boards for the full sample are calling for more involvement, with even higher percentages of boards asking for greater management involvement in risk oversight at large organizations, public companies, and financial services entities
  • This trend is consistent with prior years, suggesting boards continue to be interested in strengthening risk oversight

Future of ERM

As organizations peer into the future, the challenge question for the board of directors, senior executives, and other key stakeholders is “how confident are we in our organization’s ability to effectively identify and navigate the unfolding uncertainties surrounding our current business model and new strategic initiatives?” Based on key findings in this report, what opportunities exist to enhance the organization’s risk management thinking so that both sides of the risk and return relationship are sufficiently and effectively managed?

This year’s report highlights many other specific findings about various aspects of an effective enterprise-wide risk management process. In addition to providing findings for the overall sample, the report separately highlights key findings for public companies, the largest organizations, financial services organizations, and not-for-profit entities.

If your organization seeks additional training on the topic of ERM, the ERM Initiative hosts executive education and ERM Roundtable Summits featuring ERM best practices.