2023 The State of Risk Oversight: An Overview of Enterprise Risk Management Practices – 14th Edition
Each year, the ERM Initiative at NC State University, in partnership with the AICPA, conducts research on the current state of risk oversight processes in organizations of all types and sizes, in order to understand the relative maturity of the activities executives and boards use to monitor the rapidly changing risk landscape. We are pleased to announce that our 2023 State of Risk Oversight Report is now available, reflecting insights from 454 respondents.
State of Risk Oversight
Our 14th annual report reveals that executives believe risk volumes and complexities remain high, given ongoing concerns related to the economy and inflation, geopolitical uncertainties, potentially disruptive technologies and AI, the ongoing conflict in Eastern Europe, and a host of other risk drivers.
Recent realities are revealing a need for real change in how organizations oversee the constantly evolving risk landscape; however, our findings suggest that some organizations are prepared to navigate that landscape while others may be naively thinking their risk management processes are sufficient. Now is the time for executives to ponder whether their approaches to risk oversight are on par with the complex web of risks on the horizon.
ERM Benchmarking Data
This 2023 State of Risk Oversight Report highlights over 40 different aspects of risk management practices that readers can use to benchmark their risk management processes along several dimensions. The questions cover nine areas including:
- Drivers for Enhanced Risk Management
- Overall State of Risk Management Maturity
- Strategic Value of Risk Management
- Impact of Culture on Risk Management
- Assignment of Risk Management Leadership
- Risk Identification and Risk Assessment Processes
- Risk Monitoring Processes
- Board Risk Oversight Structure
- Board Reporting and Monitoring
The report includes sub-analyses for large organizations (revenues > $1B), public companies, and not-for-profit organizations.
Diagnostic Questions to Consider and Calls to Action
The report also offers a list of diagnostic questions that executives and boards can use to assess their organization’s risk readiness and to help pinpoint tactical next steps for strengthening risk management processes. The report concludes with a series of Calls to Action that executives can use to evaluate their risk management maturity.
Key Findings
While this report provides detailed insights about specific dimensions of risk oversight practices, here are five overarching themes suggested by this year’s aggregated findings:
5 Themes:
- Risk management processes may not be keeping pace with realities in the global business environment. While two-thirds of respondents describe the volume and complexity of risks as higher than prior levels, less than one-third describe their risk management processes as mature or robust. That suggests a disconnect between risk management capabilities and needs.
- Stakeholders are expecting business leaders to “up their game” with regard to how they anticipate and manage risks. Boards of directors, regulators, and shareholders are pressuring management to strengthen their organization’s resiliency and governance of organizational continuity. Unfortunately, the organization’s leadership and culture may not see risk management as an important priority for their organization.
- Entities struggle to integrate risk management and strategic oversight. Most respondents do not view their organization’s risk management efforts as providing strategic insight. A majority of respondents indicate their risk management processes are not focused on assessing emerging strategic, market, and industry risks.
- Fundamental risk management elements are in place, but there is room for enhancing risk metrics to monitor emerging risks from both internal and external drivers. There has been a surge in the creation of risk management committees to help management monitor risks. Despite that, only 28% describe their key risk indicators (KRIs) to monitor risks as robust and insightful for strategic decision making and most risk management processes are based on qualitative rather than quantitative approaches.
- Risk governance is an important responsibility for the full board of directors; however, most boards delegate that responsibility to a subcommittee. Most organizations report risks to the board on an annual rather than a quarterly or more frequent basis, despite the ever-changing nature of the global risk environment. Rich insights about the interconnected nature of risks and their impact on the strategy of the organization should be a primary and regular input to overall board discussions and governance.
The following sections provide more specific highlights of key findings from this year’s survey results.
Risk Environment
- Risk volumes and complexities are near their highest level in 14 years for all types of organizations – no type of organization is immune.
- Many leaders are realizing there is a need for real change in their organizations’ business continuity and crisis management.
- Organizations are facing pressures from a number of stakeholders to provide more risk information, and business leaders want to be better prepared when unexpected risk events emerge to avoid being surprised.
- A number of key stakeholders are pressuring management for more effective risk oversight processes.
Maturity of Risk Management Practices
- Fewer than one-half of our respondents describe their organization’s approach to risk management as “mature” or “robust.”
- While progress has been made in implementing complete ERM processes, more than two-thirds of organizations surveyed still cannot claim they have “complete ERM in place.”
- Public companies and financial services organizations exhibit the highest level of ERM in 2023.
- Organizations continue to struggle to integrate their risk management and strategic planning efforts.
- There are a number of impediments to advancing an organization’s risk management processes, with the belief that “risks are managed in other ways besides ERM” dominating the list.
- There may be a disconnect between desired and actual risk management capabilities: the majority of organizations describe their risk culture as “strongly risk averse” to “risk averse,” yet only a minority of respondents describe their risk management processes as “mature” or “robust.”
Risk Management Leadership
- Pinpointing an executive to lead the risk management process is becoming more common relative to a decade ago; however, only about 40% of our surveyed organizations are doing so.
- Individuals serving in the CRO or equivalent role most often report directly to either the CEO or CFO.
- A high percentage of organizations are creating management-level risk committees.
Ongoing Risk Monitoring
- Across the full sample, only 28% describe the robustness of their key risk indicators as “mostly” to “extensively” robust.
- The growing use of data analytics may provide opportunities for management to strengthen their management “dashboards” to include more information that helps track potential risks on the horizon.
Board Risk Governance
- More often than not, boards of directors assign formal responsibility for overseeing management’s risk assessment and risk management process to a board committee, which is typically the audit committee, except for financial services organizations that have a risk committee at the board level.
- Most organizations prepare a formal report on top risks to the board at least annually, with the percentage highest for public companies in 2023.
- The majority of boards set aside a specific meeting to discuss the aggregate report of top risk exposures facing the organization, particularly for public companies.
- The integration of risk information with discussion of the strategic plan is not occurring extensively across most organizations, suggesting there may be opportunities to enhance the integration of risk information with strategic planning information for most organizations.
This report highlights the state of risk oversight practices in 454 organizations. We believe readers can use this report to identify a number of factors to be considered as they seek to enhance their ERM approaches to managing the ever-changing nature of risks in the global business environment.
You can access all of the prior years’ reports by clicking on the links below.
- 13th Edition
- 12th Edition
- 11th Edition
- 10th Edition
- 9th Edition
- 8th Edition
- 7th Edition
- 6th Edition
- 5th Edition
- 4th Edition
- 3rd Edition
- 2nd Edition
- 1st Edition
If your organization seeks additional training on the topic of ERM, the ERM Initiative hosts executive education and ERM Roundtable Summits featuring ERM best practices.
Original Article Source: “2023 State of Risk Oversight Report”, Mark S. Beasley and Bruce C. Branson, AICPA and NC State University ERM Initiative, July 2023