Executives see risks increasing in number and complexity, but they say their organizations’ risk management efforts may not be keeping up with those risks, new research found.
“What this study reveals is there is a huge disconnect between corporate challenges and how organizations are responding to them,” said Mark Beasley, co-author of the report, director of the Enterprise Risk Management (ERM) Initiative and the Deloitte Professor of Enterprise Risk Management in North Carolina State University’s Poole College of Management.
The findings are part of a new report entitled “The State of Risk Oversight: An Overview of Enterprise Risk Management Practices,” released jointly by NC State’s ERM Initiative and the American Institute of CPAs (AICPA).
In a survey of 432 chief financial officers and other senior executives, nearly 70 percent of large, public, and financial service company respondents reported the risks they face are increasingly complex and numerous compared to five years ago.
At the same time, less than 50 percent of those organizations – and only 25 percent of all respondents – described their risk management processes as mature or robust.
The disconnect Beasley describes may stem from the fact that only 25 percent of survey respondents felt they had effectively integrated risk management into their strategic planning.
“If risk management isn’t advancing strategic goals, it’s hard to show its value,” Beasley said. “And that means risk management can easily slip down an organization’s list of priorities.”
The lack of executive leadership positions focused specifically on risk may also be a factor. Only 42 percent of respondents said their organizations have a designated Chief Risk Officer (CRO) or equivalent senior risk executive, according to the report. That figure is an increase of 10 percentage points over the 2014 and 2015 surveys, suggesting organizations are moving toward strengthening risk leadership. The study cites growing cyber security threats and global events such as Brexit and the U.S. presidential election as possible explanations for the noticeable increase in CRO designations.
The report also found pressure is increasing for business leaders to embrace a more direct role in risk oversight. Sixty-seven percent of respondents report their board members are calling for increased senior executive involvement in risk oversight.
“This report tells us there is a significant need for enterprise risk management given the complexity of the risks businesses are facing – and that boards of directors are calling for it,” said Ash Noah, CPA, CGMA, vice president of CGMA external relations at the AICPA. “Organizations that fail to adapt and implement a big-picture approach to risk may be setting themselves up for failure.”
“ERM can be a valuable tool because it essentially calls for executive leadership to look at all of the potential risks an organization may face and develop plans to address those risks from the top down,” Beasley said.
“All organizations engage in risk management, but conventional risk management is done in silos – the sales group handles sales risks, the manufacturing group handles production risks, and so on,” Beasley said. “This approach can be problematic. For example, one group may take steps to limit risk in its area that inadvertently create risks for another area – such as implementing new IT security protocols that may affect software used by the sales group.”
“The ERM approach allows for a holistic overview of risks across silos,” Beasley said. “Perhaps more importantly, ERM allows executive leadership to identify and address risks that are relevant to an organization’s strategic goals; something that executive leadership is ideally suited to address.”
To assess the status of risk oversight, the ERM Initiative and AICPA collaborated to conduct a survey of executives in organizations ranging from the manufacturing and insurance sectors to construction and nonprofits. The size of the organizations also varied. Approximately 14 percent of respondents worked for entities with annual revenue of $10 million or less. At the other end of the spectrum, nine percent of respondents worked for organizations with annual revenue of more than $10 billion. Eighty-eight percent of the entities were United States based.
The report looks at responses from all parties, but also breaks out the survey findings for publicly traded companies, financial service providers, nonprofit organizations, and “large” organizations – defined as those that have revenue of at least $1 billion per year.
Additional findings from the study include:
• 28 percent of organizations have complete ERM processes in place. This figure is up 19 percentage points from 2009.
• 51 percent of organizations communicate key risks merely on an ad hoc basis at meetings. Only 30 percent of executives said they had dedicated agenda time to discuss key risks at management meetings.
• 62 percent of organizations said the extent to which risk management activities are an explicit component in determining management compensation is non-existent or minimal.