Most senior finance leaders agree that the volume and complexity of corporate risks are increasing, yet less than a third, 31%, report their organizations have complete enterprise risk management (ERM) processes in place. This is according to a new report released today by North Carolina State University’s Enterprise Risk Management Initiative and the American Institute of CPAs (AICPA).
“The State of Risk Oversight: An Overview of Enterprise Risk Management Practices” shares insights from a survey of 474 U.S. CFOs and senior finance leaders on how they are proactively managing potential emerging risks by strengthening their organization’s processes surrounding the identification, assessment, management and monitoring of risks. This concept, known as ERM, is one way CFOs and finance leaders are providing organizational leadership with a top-down, strategic view of risks and their impact on the business.
According to the report, ERM practices in US organizations are still relatively immature. Less than a quarter, 22%, of finance leaders described the maturity of their organization’s overall risk management oversight as ‘mature’ or ‘robust’. However, there is indication that adoption of ERM is growing among US organizations. Since 2009, when the AICPA and NC State began the annual research study, there has been a 22% increase, from 9% to 31%, in the number of organizations that claim to have complete ERM processes in place. While adoption of ERM is most common in larger organizations, public companies, and financial services organizations, the study revealed a surprising uptick in adoption by not-for-profit organizations in the last year. Nearly a third, 27%, of not-for-profit organizations reported they had a complete ERM process in place—an increase of 9% from 2016.
“Senior executives and boards of directors are realizing increasingly that the speed of change and the level of uncertainty in the global business environment is outpacing the ability of their organization’s traditional approach to managing risks,” noted Mark Beasley, Deloitte Professor of Enterprise Risk Management and director of NC State’s ERM Initiative. “While many are increasing the robustness of their processes for identifying, assessing, and managing emerging risks that may ultimately impact their core business model and strategic objectives, a number of organizations may not discover that need until they face a major risk event.”
“This research reinforces that ERM is rising up the list of priorities for CFOs; however, organizations need to do more,” said Ash Noah, CPA, CGMA, vice president of CGMA external relations at the Association of International Certified Professional Accountants. “Value in the business is much more than the balance sheet these days and embracing ERM supports the creation of value and the long-term viability of the business.”
Other key findings from the research include:
- Management wants a greater focus on risk. Most boards of directors, 68%, want senior executives to increase management involvement in risk management. Nearly half of CEOs, 46%, have asked “mostly” or “extensively” for increased risk management oversight—an increase of 3% from 2016.
- There is a disconnect between risk and strategy. Less than 20% of organizations say their risk management process provides a strategic advantage. Only 29% of the organizations’ boards of directors discuss risk exposures when they discuss the organization’s strategic plan.
- There is a growing demand for Chief Risk Officers (CRO). The number of organizations designating a CRO (or equivalent) has increased, with 67% of large organizations and 63% of public companies doing so.
- Risk management is not being considered for incentive compensation. A majority, 66%, of respondents said their organization does not include explicit components of risk management activities in compensation plans.
- Barriers limit progress in management of risks. Nearly half of respondents, 48%, said risk was measured in ways other than ERM. Other barriers reported include competing priorities, insufficient resources and lack of perceived value.
The report attributed the growing risk landscape to several factors, including increased cyber threats, geopolitical shifts, terrorism, tax reform, and other emerging developments. These risks, if unmanaged, could destroy an organization’s business model and brand.
The findings also suggest boards of directors and management should have a more proactive and aggressive role in strengthening an organization’s risk oversight. Calls to action include incorporating risk management with strategic planning, maintaining risk inventories to provide complete risk reports to the board, expanding management dashboards to include risk indicators, finding ways to incentivize management to invest in risk management and providing training and education on risk management.
To download a copy of “The State of Risk Oversight: An Overview of Enterprise Risk Management Practices” click here. Additional resources on risk management from the Association of International Certified Professional Accountants, the unified voice of the AICPA and the Chartered Institute of Management Accountants (CIMA), can be found here.
“The State of Risk Oversight: An Overview of Enterprise Risk Management Practices” includes data collected during the fall of 2017 through a survey sent to members of the AICPA’s Business and Industry group who serve in chief financial officer or equivalent senior executive positions. In total, 474 fully completed surveys were submitted.
The respondents represent organizations ranging from the manufacturing and insurance sectors to service and nonprofits. The report looks at responses from all parties, but also breaks out the survey findings for publicly traded companies, financial services providers, nonprofit organizations, and “large” organizations – defined as those that have revenue of at least $1 billion per year. The size of the organizations also varied. Approximately 12% of respondents worked for entities with annual revenue of $10 million or less. At the other end of the spectrum, 10% of respondents worked for organizations with annual revenue of more than $10 billion. Eighty-eight percent of the entities were based in the United States.