ERM Maturity Found Lagging Behind Perception of Growth in Risks

July 19, 2023


While a sizable majority of senior finance leaders believe that the volume and complexity of risks facing their organizations have increased, a much smaller percentage say their organizations have complete enterprise risk management (ERM) processes in place, according to a recent study.

The study found that 65 percent of those senior finance leaders agree that the volume and complexity of corporate risks have changed "mostly" or "extensively" over the past 5 years.

At the same time, however, only 34 percent say their organizations have complete ERM processes in place, and just 29 percent rate their organization's overall risk management oversight as "mature" or "robust," the Association of International Certified Public Accountants (AICPA) and North Carolina State University found. This year's findings matched those of a year earlier.

The findings are from the 14th annual study by the AICPA and the Poole College of Management at North Carolina State. This year's report, The State of Risk Oversight: An Overview of Enterprise Risk Management Practices, is based on a survey of 454 US chief financial officers and senior finance leaders conducted this past winter.

The survey measured finance-related executives' assessments of the level of maturity in their organizations' proactive management of risks through the adoption of ERM processes.

"Our study finds that organizations of all types and sizes continue to overlook an important reality that risks can emerge rapidly triggering a cascade of events that quickly derail the organization's strategic goals," Mark Beasley, Alan T. Dickson distinguished professor and director of the ERM Initiative at NC State, said in a statement accompanying the report. "Organizations that invest in robust risk oversight processes that explicitly link risk insights to strategies increase their nimbleness and agility, which can provide huge strategic advantage if done so better than their competitors."

While the level of full ERM adoption might not yet match the perception of risks facing organizations, this year's report showed that ERM adoption in the United States is increasing. Over the past 13 years, the percentage of organizations claiming to have complete ERM processes in place has increased from 9 percent to 34 percent, according to the AICPA and NC State. Even so, those findings suggest that most organizations still have work to do.

"Given the ongoing experience in navigating the multitude of risks experienced over recent years, more organizations will likely want to further enhance their focus on efforts to strengthen their entity's approach to managing the interconnected nature of risks to their business models," the AICPA and NC State statement said.

Among the report's other key findings, most executives indicated that they don't believe their organizations' risk management processes provide a strategic advantage. Some 64 percent of those surveyed said they see those processes offering no or minimal advantage, according to the report.

Only 40 percent of respondents said risk management was significantly positioned to pinpoint emerging strategic risks.

The frequency with which management shares risk exposure information with the board varies. Of those surveyed, 43 percent indicated they report top risks to the board annually, while 41 percent share that information on a quarterly basis. Only 16 percent report top exposures to the board at every board meeting.

The report notes that risk governance is an important responsibility for the full board of directors. Yet most delegate risk governance to a subcommittee.

"Only one-quarter of respondents believe risk information generated by the organization's ERM process is formally discussed by the full board of directors when it discusses the strategic plan," the report says. "Rich insights about the interconnected nature of risks and their impact on the strategy of the organization should be a primary and regular input to overall board discussions and governance."

The report notes that there is room for improving the metrics used to assess and communicate risks. "There has been a surge in the creation of management level risk committees to help management monitor risks across the enterprise and many organizations have standardized templates to help them assess risk probabilities and impact of various risks," the report says. "Despite that, only 28 percent describe their key risk indicators (KRIs) to monitor risks as robust and insightful for strategic decision making and most risk management processes are based on qualitative rather than quantitative approaches."

The AICPA and NC State report suggests that cultural factors, including the tone set by the board and the C-suite, might explain organizations' lack of ERM maturity.

"A dominant belief exists in many organizations that 'risks are managed in other ways besides ERM,'" the report says. "Others believe there are other more important priorities that compete with the need to enhance risk management."

Most organizations don't provide training and guidance on risk management, according to the report, potentially creating a lack of understanding of the advantages of proactive risk management versus reactive risk management. And, the report says, few organizations embed risk management incentives in performance compensation arrangements.

The AICPA and NC State report suggests several questions organizations can ask to assess their risk readiness.

  • How is the overall business environment changing risks affecting your organization?
  • How might recent significant operational surprises be hinting that the organization's risk management processes are insufficiently robust?
  • How are external stakeholder expectations driving improvements in how your organization's leaders identify and manage ongoing risks?
  • Who within your organization's leadership team is calling for more management involvement in risk management activities?

The report suggests several areas executives should consider in seeking to improve the state of their organizations' enterprise risk management.

One is considering management's perspectives on the current risk management approach, including ERM leaders seeking feedback from senior executives about the organization's approach to risk management.

There's also a need to maintain a constant dialog with executives about emerging risk issues with the aim of reaching consensus about those most critical to the organization and achieving an understanding of how the organization is responding to them.

Organizations also should identify the obstacles to involving consideration of risk exposures in strategic planning and determine how the risk management process can better frame risks in the strategic plan.

Organizations should evaluate their risk metrics, looking to put in place risk metrics that are forward-looking and that consider both internal and external trends.

Finally, organizations should evaluate the extent to which the risk management program enhances the organization's resilience and the extent to which the organization is prepared to navigate significant risk events.
