Maturity of Risk Management Practices
What is the maturity of risk management practices among organizations today?
Robust risk management processes are among the ERM best practices that help management and boards anticipate risks before they fully emerge.
In the The State of Risk Oversight Report, which we publish annually in collaboration with AICPA, we ask respondents to describe the maturity of their organization’s risk management processes—including insights about whether their process is enterprise-wide or siloed within functional areas or business units.
2024 Insights from Data
- While many organizations have a formal policy statement about their enterprise risk management approach, fewer than half of our respondents describe their organization’s risk management oversight as mature or robust.
- In fact, 27% of organizations have no enterprise-wide view of risks.
- There has been a slow steady embrace of enterprise risk management (ERM) as a formal risk management practice over the past 15 years of our study
- However, across the full sample, less than one-half of organizations report having a complete formal enterprise-wide risk management process in place.
- Larger organizations and public companies are more likely to have embraced ERM as their risk management approach.
Discussion Items for Management and Board Consideration
The table below suggests 5 questions that risk leaders can use to prompt conversations to help executives and boards assess the maturity of risk management processes within the organization.
1. | How rapidly is our organization’s business environment changing and how difficult is it for our leadership team to anticipate emerging issues? |
2. | What significant surprises have management and the board faced that they did not sufficiently anticipate? Why were we surprised by these occurrences? |
3. | How often does our management team or the board seem to be in a “fire-fighting” mode that distracts our management team from important strategic initiatives? |
4. | What should management do to enhance the organization’s preparedness to navigate a sudden, unexpected risk event? |
5. | How are recent geopolitical events (both nationally and internationally) likely to impact our business? |