New Report Explores Enterprise Risk Management Practices
Despite perceived high volumes and complexities of risks, most organizations describe their risk management processes as immature
A new report issued today by the American Institute of CPAs (AICPA) and North Carolina State University’s Enterprise Risk Management (ERM) Initiative found that 65 percent of senior finance leaders agree that the volume and complexity of corporate risks have changed “mostly” or “extensively” over the last five years. Rapidly changing events, including the war in Ukraine, ongoing talent crisis, soaring inflation, lingering supply-chain disruptions, ransomware threats and a host of other risk triggers are leading to significant disruptions impacting an organization’s business model. Despite these complexities of risks, only a third (33 percent) say their organizations have complete ERM processes in place, and just over a quarter (29 percent) rate their organization’s overall risk management oversight as “mature” or “robust.”
The 2022 State of Risk Oversight: An Overview of Enterprise Risk Management Practices includes insights from a survey of 560 U.S. CFOs and senior finance leaders conducted in winter 2022. The survey measured finance-related executives’ assessments of the level of maturity in their organization’s proactive management of these risks through adoption of enterprise risk management (ERM) processes. “
The study finds that few executives perceive their risk management processes as providing important strategic value,” according to Mark Beasley, KPMG Professor of Accounting and Director of the ERM Initiative at NC State. “This is despite the reality that risk and return are interrelated – organizations must take risks in the pursuit of strategic objectives. It is our hope that the ongoing uncertainties and rapidly changing business environment will convince more executives of the strategic importance of having rich insights about risks facing the organization as they make key strategic decisions.”
The report found indication that adoption of ERM processes in the U.S. is on the rise. Over the last 13 years, the percentage of organizations that claim to have complete ERM processes in place has increased 24 points, from 9 percent to 33 percent, but that still suggests a majority of entities do not. Given the ongoing experience in navigating the multitude of risks experienced over recent years, more organizations will likely want to focus their efforts in strengthening their entity’s approach to managing the interconnected nature of risks to their business models.“
While predictable and unpredictable global disruptions continue to create new and exacerbate ongoing risk triggers, this research reinforces that enterprise risk management needs to be amplified in the list of priorities for CFOs,” said Ash Noah, CPA, CGMA, Vice President & Managing Director Learning Education & Development at the Association of International Certified Professional Accountants. “Value in the business is much more than the balance sheet these days, and along with providing protection for the business, embracing ERM especially at a time when organizations must pay close attention to ESG risks, supports the creation of value and the long-term viability and sustainability of the business.”
Additional key findings from the report include:
Most executives do not believe their organization’s risk management processes provide strategic advantage (63 percent state no or minimal advantage), with less than half (45 percent) positioning risk management to pinpoint emerging strategic risks.
A majority of boards of directors are calling for more senior executive involvement in risk oversight, with three-fourths (74 percent) signaling there will be significant changes to their existing continuity and crisis management planning.
While providing extensive data points about the state of risk oversight practices that organizations can use to benchmark their efforts, the report also offers a list of questions that executives and boards can use to assess their organization’s risk readiness and to help pinpoint tactical next steps for strengthening risk management processes. The questions cover nine areas including:
Drivers for enhanced risk management
- Overall state of risk management maturity
- Strategic value of risk management
- Impact of culture on risk management
- Assignment of risk management leadership
- Risk identification and risk assessment processes
- Risk monitoring processes
- Board risk oversight structure
- Board reporting and monitoring
The report also includes a number of calls for action to help executives and boards identify actions they can take to enhance the strategic value of their risk oversight.
The ERM Initiative has a breadth of tools and resources to help executives through its searchable ERM Library and offers a number of executive learning opportunities and events.