New research from North Carolina State University and the American Institute of CPAs (AICPA) finds most executives see risks increasing in both number and complexity – but those same executives say their organizations’ risk management efforts may not be staying abreast of those risks.
The findings are part of a new report titled “The State of Risk Oversight: An Overview of Enterprise Risk Management Practices,” released jointly by NC State’s Enterprise Risk Management (ERM) Initiative and AICPA.
In a survey of 432 chief financial officers and other senior executives, nearly 70 percent of large, public, and financial service company respondents reported that the risks they face are increasingly complex and numerous compared to five years ago. At the same time, less than 50 percent of those organizations – and only 25 percent of all respondents – described their risk management processes as mature or robust.
“What this study reveals is that there is a huge disconnect between corporate challenges and how organizations are responding to them,” says Mark Beasley, co-author of the report, director of the ERM Initiative and the Deloitte Professor of Enterprise Risk Management in NC State’s Poole College of Management.
This disconnect may stem from the fact that only 25 percent of survey respondents felt they had effectively integrated risk management into their strategic planning.
“If risk management isn’t advancing strategic goals, it’s hard to show its value,” Beasley says. “And that means risk management can easily slip down an organization’s list of priorities.”
The lack of executive leadership positions focused specifically on risk may also be a factor. According to the report, only 42 percent of respondents said their organizations have a designated Chief Risk Officer (CRO) or equivalent senior risk executive. This figure is an increase of 10 percentage points over 2015 and 2014, showing that organizations are moving towards strengthening risk leadership. The study cites growing cyber security threats and global events such as Brexit and the U.S. presidential election as possible explanations for the noticeable increase in CRO designations.
The report also found that pressure is increasing for business leaders to embrace a more direct role in risk oversight. Sixty-seven percent of respondents report that their board members are calling for increased senior executive involvement in risk oversight.
“This report tells us that there is a significant need for enterprise risk management given the complexity of the risks businesses are facing – and that boards of directors are calling for it,” says Ash Noah, CPA, CGMA, vice president of CGMA external relations at the AICPA. “Organizations that fail to adapt and implement a big-picture approach to risk may be setting themselves up for failure.”
“ERM can be a valuable tool because it essentially calls for executive leadership to look at all of the potential risks an organization may face and develop plans to address those risks from the top down,” Beasley says.
“All organizations engage in risk management, but conventional risk management is done in silos – the sales group handles sales risks, the manufacturing group handles production risks, and so on,” Beasley says. “This approach can be problematic. For example, one group may take steps to limit risk in its area that inadvertently create risks for another area – such as implementing new IT security protocols that may affect software used by the sales group.”
“The ERM approach allows for a holistic overview of risks across silos,” Beasley explains. “Perhaps more importantly, ERM allows executive leadership to identify and address risks that are relevant to an organization’s strategic goals; something that executive leadership is ideally suited to address.”
To assess the status of risk oversight, the ERM Initiative and AICPA collaborated to conduct a survey of executives in organizations ranging from the manufacturing and insurance sectors to construction and nonprofits. The size of the organizations also varied. Approximately 14 percent of respondents worked for entities with annual revenue of $10 million or less. At the other end of the spectrum, nine percent of respondents worked for organizations with annual revenue of more than $10 billion. Eighty-eight percent of the entities were based in the United States.
The report looks at responses from all parties, but also breaks out the survey findings for publicly traded companies, financial service providers, nonprofit organizations, and “large” organizations – defined as those that have revenue of at least $1 billion per year.
Additional findings from the study include:
- Approximately 28 percent of organizations have complete ERM processes in place. This figure is up 19 percent from 2009.
- About half (51 percent) of organizations communicate key risks merely on an ad hoc basis at meetings. Only 30 percent of executives said they had dedicated agenda time to discuss key risks at management meetings.
- Almost two-thirds (62 percent) of organizations said the extent to which risk management activities are an explicit component in determining management compensation is non-existent or minimal.
The report was co-authored by Bruce Branson, associate director of the ERM Initiative, and Bonnie Hancock, executive director of the ERM Initiative.