Processes to Identify Risks
When and how are organizations identifying risks for their organizations?
While business leaders likely think about various types of risks as they engage in day-to-day activities, there is value in employing an organized, structured approach to identify risks so that management is more likely to move risks from an “unknown” to a “known” state.
In the 15th edition of The State of Risk Oversight Report, which we publish annually in collaboration with AICPA, we asked a series of questions to better understand how management actively seeks to identify potential risks on the horizon, including the frequency and scope of those activities.
2024 Insights from Data
- Over the past 15 years of this study, there has been a steady increase in the percentage of organizations that maintain an inventory of risks at the enterprise level. That is especially true for large organizations and public companies.
- Most organizations (49% full sample; 67% of large organizations and public companies) follow a dedicated process to identify risks on an annual basis, with just under one-third doing so more frequently than once a year.
- However, most organizations do not have formal processes in place to prompt executives to consider long-term risks (e.g., risks five to ten years in the future).
- Most organizations (58% full sample; 78% of large organizations and 86% of public companies) have a standardized template that they use to identify risks, suggesting that the risk identification processes for those organizations are more structured than ad hoc.
- Among the different types of risks most frequently identified, emerging, strategic, and market risks are least likely to be considered in the risk identification process. Most of the risk focus is on IT, operational, financial, and legal/compliance risks.
Discussion Items for Management and Board Consideration
The list below suggests 5 questions that risk leaders can use to prompt conversations with executives and boards about how to better identify potential risks on the horizon.
- To what extent are the techniques used by our organization to engage management in the identification of risks effectively prompting our leadership team to identify emerging risks?
- Do we need to alter our approaches to risk identification to help us think “outside the box” about potential risks on the horizon?
- To what extent are the right individuals engaged in the process for identifying risks? Do we have sufficient representation of individuals who serve on the board of directors, executive team, middle management, and others (potentially key suppliers or customers)?
- What can be done to improve our organization’s risk identification process to ensure there is a focus on emerging, strategic, and market risks in addition to more traditional operational, compliance, and financial risks?
- How can our organization enhance the risk identification process to also consider longer-term risks in addition to short-term risks?
Related Tools
We’ve created two downloadable tools to help risk leaders identify and assess potential risks. Click on the resource name to view a detailed page where you can download the tool or template.