A new report issued by the Association of International Certified Professional Accountants and North Carolina State University's Enterprise Risk Management (ERM) Initiative has looked at the state of ERM in US organizations. Based on a survey of 454 US-based CFOs and senior finance leaders conducted in winter 2023, ‘The 2023 State of Risk Oversight: An Overview of Enterprise Risk Management Practices’ measured finance-related executives' assessments of the level of maturity in their organization's proactive management of emerging risks through the adoption of ERM processes.
According to the report, 65 percent of senior finance leaders agree that the volume and complexity of corporate risks have changed ‘mostly’ or ‘extensively’ over the last five years. Despite this, only a third (34 percent) say their organizations have complete enterprise risk management (ERM) processes in place, and just over a quarter (29 percent) rate their organization's overall risk management oversight as ‘mature’ or ‘robust’. These findings are unchanged from a year ago.
Rapidly changing events, including concerns about the economy and inflation, geopolitical developments impacting trade and supply chains, disruptive technologies and AI, cyber and privacy threats, and a host of other risk triggers, are continuing to drive significant disruptions that impact an organization's business model. Despite these unfolding realities, most organizations still do not have robust enterprise risk management practices in place.
"Our study finds that organizations of all types and sizes continue to overlook an important reality that risks can emerge rapidly triggering a cascade of events that quickly derail the organization's strategic goals," according to Mark Beasley, Alan T. Dickson Distinguished Professor and Director of the ERM Initiative at NC State. "Organizations that invest in robust risk oversight processes that explicitly link risk insights to strategies increase their nimbleness and agility, which can provide huge strategic advantage if done so better than their competitors."
The report did find indications that adoption of ERM processes in the US is on the rise. Over the last 13 years, the percentage of organizations that claim to have complete ERM processes in place has increased 25 points, from 9 percent to 34 percent, but that still suggests most entities do not. This finding, also unchanged from last year's report, again highlights that more ERM focus is needed.
Given the ongoing experience in navigating the multitude of risks experienced over recent years, more organizations will likely want to further enhance their focus on efforts to strengthen their entity's approach to managing the interconnected nature of risks to their business models, says the report.
Other key findings from the report include:
- Most executives do not believe their organization's risk management processes provide strategic advantage (64 percent state no or minimal advantage), with less than half (40 percent) positioning risk management significantly to pinpoint emerging strategic risks.
- The frequency at which management shares risk exposure with the board of directors varies, with 43 percent reporting top risks to the board on an annual basis, followed by reporting on a quarterly basis (41 percent). Only 16 percent of organizations report top risk exposures to the board at every board meeting.
Questions for boards to ask about risk management
The report also includes several calls for action to help executives and boards identify actions they can take to enhance the strategic value of their risk oversight. These questions are just a sampling of the kinds of issues senior executives and boards of directors should consider as they evaluate the robustness of their entity's approach to managing a rapidly evolving portfolio of risks:
- What are management's perceptions about the current approach to risk management?
- Is there consensus about the most significant enterprise risks?
- How is the output from risk management used in strategic planning?
- Does management have access to robust key risk indicators?
- Is our entity sufficiently prepared to manage a significant risk event?