While most executives perceive that uncertainties in the business environment are leading to more complex risk challenges for their organizations, few executives describe their organization’s approach to risk management as mature or robust, according to a recently released study, 2019 The State of Risk Oversight: An Overview of Enterprise Risk Management Practices. That may be changing, given the majority of organizations have external stakeholders and boards of directors who are calling for more extensive management involvement in risk oversight. Furthermore, business leaders admit that they are not at all or only minimally satisfied with the nature and extent of internal reporting of key risk indicators.
Overview of Study
NC State’s ERM Initiative, in partnership with the American Institute of CPAs, has just released its tenth anniversary report, 2019 The State of Risk Oversight: An Overview of Enterprise Risk Management Practices. Based on survey responses from 445 business executives spanning a number of industries, types and sizes of organizations, the report provides detailed insights about the state of maturity of their organization’s current enterprise risk management (ERM) practices. This is the tenth year that we have conducted similar research in partnership with the AICPA.
This report provides extensive data about the state of maturity of various aspects of an organization’s ERM process. Not only do we provide data about the full sample, but we also separately report findings for the largest organizations (revenues > $1B), publicly traded companies, financial services organizations, and not-for-profit organizations.
Here are highlights of some of the key findings:
Most executives perceive that uncertainties in the business environment are leading to more complex risks.
- Most respondents (59%) believe the volume and complexity of risks are increasing extensively over time. They are particularly concerned about risks related to talent, innovation, the economy, and their reputation and brand.
- 68% of organizations indicate they have recently experienced an operational surprise due to a risk they did not adequately anticipate.
Despite concerns about a number of potential risk issues on the horizon, few executives describe their organization’s approach to risk management as mature.
- Twenty-three percent of respondents describe their risk management as “mature” or “robust” with the perceived level of maturity declining over the past two years.
- Thirty-one percent of organizations (54% of the largest organizations) report that they have complete ERM processes in place.
External stakeholders expect greater senior executive involvement in risk management.
- External parties (59%) are putting pressure on senior executives for more extensive information about risks.
- 65% of boards are calling for “somewhat” to “extensively” increased management involvement in risk oversight. Strong risk management practices are becoming an expected best practice. These pressures are increasing for large organizations and public companies, particularly.
Boards are focused on risk oversight, but they tend to delegate responsibilities to a committee rather than retain that for the full board.
- Just under two-thirds (61%) of boards of the full sample (83% of public companies) have delegated risk oversight to a board committee.
- Most delegate to an audit committee unless they are a financial services organization with a board-level risk committee.
More organizations are appointing an executive to oversee their risk management processes, with most organizations creating a management-level risk committee.
- About half of the full sample have designated an individual to serve as chief risk officer (or equivalent), with 58% of large organizations and 56% of public companies doing so.
- Over 80% of large organizations, public companies, and financial services entities have management-level risk committees.
Few organizations perceive their approaches to risk management as providing important strategic value.
- Less than 20% of organizations view their risk management process as providing important strategic advantage.
- Only 26% of the organizations report that their board substantively reviews top risk exposures in a formal manner when they discuss the organization’s strategic plan.
About half of the organizations engage in formal risk identification and risk assessment processes.
- About one-half (46%) of the organizations have a risk management policy statement, with 49% maintaining risk inventories at an enterprise level.
- Just over 40% have guidelines for assessing risk probabilities and impact. Most (77%) update risk inventories at least annually.
While boards receive written reports about top risk exposures, there is some question as to whether the process used to generate the reports is systematic or robust.
- Most boards of large organizations (84%) or public companies (87%) discuss formal reports about top risks at least annually; however, less than 60% of those describe the underlying risk management process as systematic or repeatable.
- Forty-one percent of the respondents admit they are “not at all” or only “minimally” satisfied with the nature and extent of internal reporting of key risk indicators.
Organizations are not building in explicit accountabilities for risk management with few organizations embedding risk oversight responsibilities as components of compensation plans.
- The lack of risk management maturity may be tied to the challenges of providing sufficient incentives for them to engage in risk management activities.
- Most (64%) have not included explicit components of risk management activities in compensation plans.
Perceived roadblocks exist that prevent organizations from strengthening their approach to risk management.
- Respondents of organizations that have not yet implemented an enterprise-wide risk management process indicate that one impediment is the belief that the benefits of risk management do not exceed the costs or there are too many other pressing needs.
The Publisher wishes to express appreciation to the Enterprise Risk Management Initiative at NC State for this and other valuable resources for Risk and Resilience. Their website is: