2018 The State of Risk Oversight: An Overview of Enterprise Risk Management Practices (9th Edition)

The percentage of organizations with relatively mature risk management processes has increased over recent years, although the majority of organizations still do not believe their processes reflect a “complete” or robust ERM process. While progress is being made, there is still room for significant improvement in risk oversight for many organizations, according to our recently released study, 2018 The State of Risk Oversight: An Overview of Enterprise Risk Management Practices.

Overview of Study

NC State’s ERM Initiative, in partnership with the American Institute of CPAs, has just released its 2018 The State of Risk Oversight: An Overview of Enterprise Risk Management Practices. Based on survey responses from 474 business executives spanning a number of industries, types and sizes of organizations, the report provides detailed insights about the state of maturity of their organization’s current enterprise risk management (ERM) practices. This is the ninth year that we have conducted similar research in partnership with the AICPA.

This report provides extensive data about the state of maturity of various aspects of an organization’s ERM process. Not only do we provide data about the full sample, but we also separately report findings for the largest organizations (revenues > $1B), publicly traded companies, financial services organizations, and not-for-profit organizations.

Key Highlights

Here are highlights of some of the key findings:

Managing risks in today’s environment isn’t getting easier.

  • Most respondents (60%) believe the volume and complexity of risks are increasing extensively over time.
  • Two-thirds (65%) of organizations indicate they have recently experienced an operational surprise due to a risk they did not adequately anticipate.

Risk management practices in most organizations remain relatively immature.

  • Twenty-two percent of respondents describe their risk management as “mature” or “robust,” with the perceived level of maturity declining over the past two years.
  • Thirty-one percent of organizations (48% of the largest organizations) have complete ERM processes in place.
  • Most boards of directors (68%) are putting pressure on senior executives to increase management involvement in risk oversight.

Most struggle to integrate risk management with strategy.

  • Less than 20% of organizations view their risk management process as providing important strategic advantage.
  • Only 29% of organizations’ boards of directors substantively discuss top risk exposures in a formal manner when they discuss the organization’s strategic plan.
  • Forty-one percent (41%) of the respondents admit they are “not at all” or only “minimally” satisfied with the nature and extent of internal reporting of key risk indicators that might be useful for monitoring emerging risks by senior executives.

This year’s report highlights many other specific findings about various aspects of an effective enterprise-wide risk management process.

Calls for Increased Senior Management Involvement.

The findings in this report indicate some slowly progressing improvements in how organizations are proactively managing risks on the horizon. Many of the findings suggest that boards and senior executives should consider more aggressive action to ramp up their organization’s infrastructure surrounding risk oversight. Here are several calls to action:

  • Be honest about the organization’s risk management capabilities.
  • Find ways to connect risk management and strategic planning.
  • Challenge the basis for identifying risk information reported to boards and others.
  • Expand management dashboards to include risk indicators.
  • Find ways to incentivize management to invest in risk management.
  • Provide training and education on the value of robust, proactive risk management.

If your organization seeks additional training on the topic of ERM, the ERM Initiative hosts executive education and ERM Roundtable Summits featuring ERM best practices.