An overview of enterprise risk management practices
- Published: Wednesday, 03 April 2019 12:48
The ERM Initiative in the Poole College of Management at North Carolina State University has issued a report which makes ten key observations about how organizations are using enterprise risk management. ‘2019 The State of Risk Oversight’ is based on a survey conducted with the American Institute of Certified Public Accountants which generated 445 responses.
The study finds that an increasing number of organizations have embraced the concept of enterprise risk management, which is designed to provide an organization’s board and senior leaders a top-down, strategic perspective of risks on the horizon so that those risks can be managed proactively to increase the likelihood the organization will achieve its core objectives.
The ten key observations are as follows:
Most executives perceive that uncertainties in the business environment are leading to more complex risks. Most respondents (59 percent) believe the volume and complexity of risks is increasing extensively over time.
68 percent of organizations indicate they have recently experienced an operational surprise due to a risk they did not adequately anticipate.
Despite concerns about a number of potential risk issues on the horizon, few executives describe their organization’s approach to risk management as mature.
External stakeholders expect greater senior executive involvement in risk management. External parties (59 percent) are putting pressure on senior executives for more extensive information about risks, and 65 percent of boards are calling for ‘somewhat’ to ‘extensively’ increased management involvement in risk oversight. Strong risk
management practices are becoming an expected best practice.
Boards are focused on risk oversight, but they tend to delegate responsibilities to a committee rather than retain that for the full board. Just under two-thirds (61 percent)of boards have delegated risk oversight to a board committee, with most delegating to an audit committee unless they are a financial services organization with a board-level risk committee.
More organizations are appointing an executive to oversee their risk management processes, with most organizations creating a management-level risk committee. About half of the full sample have designated an individual to serve as chief risk officer (or equivalent).
Few organizations perceive their approaches to risk management as providing important strategic value. Less than 20 percent of organizations view their risk management process as providing important strategic advantage. Only 26 percent of the organizations report that their board substantively review top risk exposures in a formal manner when they discuss the organization’s strategic plan.
About half of the organizations engage in formal risk identification and risk assessment processes. About one-half (46 percent) of the organizations have a risk management policy statement, with 49 percent maintaining risk inventories at an enterprise level. Just over 40 percent have guidelines for assessing risk probabilities and impact. Most
(77 percent) update risk inventories at least annually.
While boards receive written reports about top risk exposures, there is some question as to whether the process used to generate the reports is systematic or robust. Most boards of large organizations (84 percent) or public companies (87 percent) discuss formal reports about top risks at least annually; however, less than 60 percent of those describe
the underlying risk management process as systematic or repeatable.
Organizations are not building in explicit accountabilities for risk management with few organizations embedding risk oversight responsibilities as components of compensation plans.
Perceived roadblocks exist that prevent organizations from strengthening their approach to risk management. Respondents of organizations that have not yet implemented an enterprise-wide risk management process indicate that one impediment is the belief that the benefits of risk management do not exceed the costs or there are
too many other pressing needs.
Read the report (PDF).