Study Finds Work Remains To Be Done in Many Organizations' ERM Efforts

July 18, 2022

While organizations continue to make progress in implementing enterprise risk management (ERM) processes, more than two-thirds of those surveyed for a new study indicate they still don't have "complete ERM in place."

The June 2022 report, titled 2022—The State of Risk Oversight: An Overview of Enterprise Risk Management Practices—13th Edition, indicates that large organizations and public companies are more likely than other organizations to report that they have a complete ERM process in place.

The study, conducted annually by the ERM Initiative at North Carolina State University (NC State) and the American Institute of Certified Public Accountants (AICPA), found that the level of robustness and maturity of organizations' risk management oversight remained relatively constant from last year to this year, with less than half of organizations surveyed describing their approach to risk management as "mature" or "robust."

Just over half of the public companies surveyed did not describe their risk management processes as robust or mature. Meanwhile, nonprofit organizations were found to be less likely to have structured risk management processes than other organizations.

The survey found that organizations are keenly aware of risk, with perceptions about the volumes and complexities of risks remaining high as organizations continue to deal with the COVID-19 pandemic, the Russia-Ukraine war and its impacts, supply chain challenges, social unrest, cyber threats, the "Great Resignation," inflation, and various other risk triggers.

COVID-19 continues to impact the nature of top risks, with organizations' core operations experiencing significant impacts from real risk events during the pandemic, the report says.

"Businesses are beginning to realize they need to strengthen processes to enhance resiliency as events continue to unfold at record pace," the report says. "There is need for real change in how organizations govern business continuity and crisis management."

Organizations are facing pressure from a variety of stakeholders to provide more risk information, according to the report. At the same time, business leaders want to be better prepared and avoid surprises when unexpected risk events emerge, while board members are increasing their calls for effective risk management.

While organizations recognize the growing number and complexity of risks they face—as well as the need to provide more information about them—they seem slower to make the connection between risk management and strategy, NC State and the AICPA found.

Less than 20 percent of organizations surveyed indicated that they believe their risk management processes provide strategic advantage, according to the report. "This is surprising given most leaders understand that risk and return are inseparable realities," the report says.

The report notes that organizations continue to struggle to integrate their risk management and strategic planning efforts. And, with the exception of financial services organizations, most organizations aren't emphasizing the consideration of risk exposures in evaluating possible strategic initiatives or in making capital allocations.

According to the NC State/AICPA study, most organizations don't formally articulate risk tolerances as part of their strategic planning. There also is clear room for improvement in using ERM processes to help manage reputation and brand risks, the report says.

"There are opportunities to reposition an entity's risk management process to ensure risk insights generated are focused on the most important strategic issues," the report says.

The latest NC State/AICPA study found that there are a number of obstacles to advancing organizations' risk management processes, with the belief that "risks are managed in other ways besides ERM" factoring prominently among those impediments.

"Some believe there are other more important priorities that compete with the need to enhance risk management," the report says. In addition, many organizations don't provide risk management training and guidance, fostering a lack of understanding of the benefits of proactive versus reactive risk management.

The survey also found that few organizations embed risk management incentives in performance compensation arrangements.

"There may be a disconnect between desired versus actual risk management capabilities given the majority of organizations describe their risk culture as 'strongly risk averse' to 'risk averse' despite the finding that only a minority of respondents describe their risk management processes as 'mature' or 'robust,'" the report says.

This year's study found that identifying an executive to lead the risk management process has become more common today than it was a decade ago. Still, less than one-half of surveyed organizations are doing so. Individuals serving in a chief risk officer (CRO) or equivalent role most often report directly to the CEO or CFO.

The survey found that it is more likely that an organization has created a management-level risk committee than that it has appointed a CRO or equivalent. Almost all large organizations and public companies have management-level risk committees, according to the report. Most of those risk committees meet quarterly, with 25 percent meeting monthly.

Data for this year's NC State/AICPA ERM report was collected through an online survey in early 2022. Survey respondents included 152 large organizations (those with more than $1 billion in revenue), 129 publicly traded companies, 151 financial service entities, and 156 not-for-profit organizations.
