NC State University Poole College of Management, in partnership with the American Institute of Certified Public Accountants’ (AICPA), has published the 9th edition of its annual overview of enterprise risk management practices.
Data for the report was collected during the fall of 2017 through an online survey instrument electronically sent to members of the AICPA’s Business and Industry group who serve in chief financial officer or equivalent senior executive positions. In total, 474 fully completed surveys were received.
Key findings included:
Managing risks in today’s environment isn’t getting easier. Most respondents (60 percent) believe the volume and complexity of risks is increasing extensively over time. And, 65 percent of organizations indicate they have recently experienced an
operational surprise due to a risk they did not adequately anticipate.
Demands for greater management focus on risks are increasing. Most boards of directors (68 percent) are putting pressure on senior executives to increase management involvement in risk oversight. Strong risk management practices are becoming an expected best practice. These pressures are getting harder and harder for senior executives to ignore.
Risk management practices in most organizations remain relatively immature. 22 percent of respondents describe their risk management as ‘mature’ or ‘robust’ with the perceived level of maturity declining over the past two years. 31 percent of organizations (48 percent of the largest organizations) have complete enterprise risk management processes in place.
Organizations are formalizing their risk management leadership structures. The percentage of organizations designating an individual to serve as chief risk officer (or equivalent) has increased over time, with 67 percent of large organizations and 63 percent of public companies doing so. Most of those organizations (>80 percent) have management risk committees.
Most struggle to integrate risk management with strategy. Less than 20 percent of organizations view their risk management process as providing important strategic advantage. Only 29 percent of the organizations’ board of directors substantively discuss top risk exposures in a formal manner when they discuss the organization’s strategic plan.
Organizations have some elements of risk management processes. About one-half (45 percent) of the organizations have a risk management policy statement, with 43 percent maintaining risk inventories at an enterprise level. About 40 percent have guidelines for assessing risk probabilities and impact. Most (75 percent) update risk inventories at least annually.
Boards receive written reports annually about top risks, but the underlying process may not be robust. Most boards of large organizations (82 percent) or public companies (89 percent) discuss written reports about top risks at least annually; however, just 60 percent of those describe the underlying risk management process as systematic or repeatable.
Opportunities exist for improvement in the nature of risk information being reported to senior management. 41 percent of the respondents admit they are ‘not at all’ or only ‘minimally’ satisfied with the nature
and extent of internal reporting of key risk indicators that might be useful for monitoring emerging risks by senior executives.
Few organizations are linking risk management responsibilities to compensation. The lack of risk management maturity may be tied to the challenges of providing sufficient incentives for them to engage in risk management activities. Most (66 percent) have not included explicit components of risk management activities in compensation plans.
10 Different barriers exist that limit progress in how organizations manage risks. Respondents of organizations that have not yet implemented an enterprise wide risk management process indicate that one impediment is the belief that the benefits of risk management do not exceed the costs or there are too many other pressing needs.
Read the report (PDF).