Risk management practices are progressing, but there is still room for significant improvement.
That’s according to the eighth annual study by the AICPA and NC State’s ERM initiative. The study, titled “2017: The State of Risk Oversight – An Overview of Enterprise Risk Management Practices (8th Edition),” contains survey results from 432 business executives across large and small public and private companies, financial institutions, and not-for-profits.
Risks are increasing …
Risks are increasing, but risk management practices are not keeping up, concluded the AICPA-NC State study. Most participants believe the risks they face are complex and numerous, with about 70 percent of respondents saying the volume and complexity of risks have ‘mostly’ or ‘extensively’ increased over the past five years.
But risk management has not kept up
Risk management has not kept up, in terms of the extent of adoption of enterprise risk management, even among public companies and financial institutions.
Over half the organizations surveyed indicated their enterprise risk management systems are not mature, complete or robust. This could be due to a failure to aggregate risks at the enterprise level, a failure to integrate with strategic planning, or other reasons.
On the plus side, however, there has been an increased presence of management-level risk committees, currently 58 percent of organizations surveyed, up from 45 percent a year ago. Survey respondents also reported an increase in the designation of individuals serving as Chief Risk Officer or equivalent roles.
Interestingly, there is a higher incidence of audit committees taking the lead on behalf of boards of directors for risk oversight, vs. risk committees or the executive committee of the full board; this held true for all segments of the study population.
Ash Noah, CPA, CGMA, vice president of CGMA external relations at the AICPA, said, “This report tells us that there is a significant need for enterprise risk management given the complexity of the risks businesses are facing – and that boards of directors are calling for it. Organizations that fail to adapt and implement a big-picture approach to risk may be setting themselves up for failure.”
A broad-based definition of ERM
Mark Beasley, Ph.D., CPA, the Deloitte professor of enterprise risk management at NC State, and director of the ERM Initiative and primary author of the study, says survey participants were provided a common frame of reference of the term “enterprise risk management” (ERM) as defined by the Committee of Sponsoring Organizations of the Treadway Commission (better known as COSO), in COSO’s 2004 ERM framework as: “a process, effected by an entity’s board of directors, management, and other personnel, applied in strategy setting and across the enterprise, designed to (a) identify potential events that may affect the entity, and (b) manage risks to be within its risk appetite, to provide reasonable assurance regarding the achievement of entity objectives.”
The AICPA-NC State team also provided a set of high-level “key characteristics” of ERM: a formal, enterprise-wide process, led by the organization’s leaders, which addresses risks to the organization’s overall business model in a portfolio manner, where interactions among risks are considered.
How does ‘risk management’ differ from ‘ERM’?
“As you think about what ERM is relative to what companies are doing in terms of risk management, it’s this idea of a formalized process that is really trying to get an enterprise-wide, top-level, portfolio-level view of what are the most important risks to the strategies of the business, and aggregating them together in a formal process,” said Beasley.
“We see companies managing risk by silos all the time,” said Beasley. “What we are trying to say, is, what sits on top of all that, to pull those leaders together, and their thoughts about risk in the context of their strategy, in any formalized way, vs. ad hoc, gut reactions? And, is there an annual cycle to go through this process, in a formalized way?”
Troubling lack of robust risk management oversight
The fact that less than half the survey respondents report mature or robust ERM systems, could mean trouble in the event of macroeconomic or microeconomic shocks.
Some of the most frequently cited reasons for not yet implementing ERM include:
- 51 percent: “Risks are monitored in other ways besides ERM.”
- 45 percent: “Completing priorities.”
- 44 percent: “Insufficient resources.”
- 37 percent: “Lack of perceived value.”
- 32 percent: “No requests to change our risk management approach.”
- 28 percent: “Perception ERM adds bureaucracy.”
- 20 percent: “Do not see benefits exceeding costs.”
- 27 percent: “No one to lead the effort/lack of senior executive ERM leadership.”
In today’s world, it’s hard to imagine not elevating risk management, said Beasley, who questions “how, at the board of director level or C-suite level, you don’t invest in resources” to effect a robust ERM system. With the economic downturn not that far behind us, one may question whether management and boards are conducting sufficient due diligence in considering the costs and benefits relating to ERM.
“We still have an environment where people are running risk management differently than the strategy team, not connecting the dots,” he added. “We’ll see advancement in ERM maturity as companies realize the need to integrate – and get a really good risk management system.”
See the full results of the AICPA – NC State study at: 2017 The State of Risk Oversight: An Overview of Enterprise Risk Management Practices