Companies plan to pump up enterprise risk management

Executives worldwide find the current business environment fraught with significant enterprise risks and expect to allocate more resources to manage the threats.

The heightened risk awareness isn’t necessarily based on a riskier business environment. What has changed is how enterprise risks are perceived and companies’ willingness to ratchet up their management programmes, said Bruce Branson, the associate director of the ERM Initiative at North Carolina State University’s Poole College of Management.

“I don’t think the threat level is significantly higher than five or ten years ago,” said Branson, who helped oversee a risk management survey conducted by the university and consulting firm Protiviti. “… The external pressures have increased.”

Factors driving this change include new reporting requirements prompted by regulations such as the Dodd-Frank Wall Street Reform and Consumer Protection Act in the United States and the impact severe weather and other natural disasters have had on businesses in the past few years, he said.

Companies also have been taking the board’s role in overseeing risk management more seriously. In the US, many companies have been required to disclose how the board was discharging this responsibility.

The university survey polled 205 executives, most of them in the US, during the fourth quarter of 2012. The results showed that respondents were significantly concerned about the magnitude and severity of risks that could affect corporate profitability or funding goals in 2013.

The top three risks the survey identified across industries were related to:

  • Regulatory changes and heightened regulatory scrutiny.
  • Economic conditions in markets the company serves.
  • Uncertainty surrounding political leadership in national and international markets.

Respondents ranked other risks, such as gaining new customers to grow organically, succession and talent retention challenges, anticipated volatility in global financial markets and cyber-attacks, as potential rather than significant threats.

Risk awareness differed by industry and size of company. Larger companies, especially those with annual revenue of $1 billion or more, perceived risks as more threatening than smaller companies, survey results suggest. The financial services industry was one of the most worried and was the most likely to devote additional resources to risk management.

A KPMG survey of more than 1,000 executives worldwide, conducted in December 2012, came to similar conclusions. Respondents in the financial services and energy and natural resources industries were most worried about regulatory pressures. Industrial manufacturers, energy and natural resources companies and the financial services industry were most concerned about global economic conditions.

Two-thirds of the respondents in the KPMG survey expected their companies to invest more in risk management over the next three years.

The KPMG survey results also showed areas where corporate risk-management programmes were lacking:

  • The companies of 28% of the respondents don’t measure returns on investment of their risk-management programmes.
  • Only 44% of respondents said their companies are effective in making stakeholders understand the risk-management programme.
  • More than half of the respondents said their companies were in the process of establishing, vetting or spreading the word of a formal risk-appetite statement, but only 19% of companies had one fully developed and implemented.
  • The three lines of defence against enterprise risk should be equally adept at identifying, assessing and managing risk, but respondents considered the business units the strongest line of defence (79% for current risks and 75% for emerging risks), followed by a slightly weaker second line of defence, risk management and compliance (74% and 73%), and an even weaker third line, internal audit (about two-thirds).
  • The most significant barriers to getting risk and control functions on the same page were the lack of human resources (42%), followed by the complexity of the convergence process (36%) and more important priorities (33%).
  • One-third of respondents considered incentives to make risk-based decisions weak. More than 75% of businesses link compensation and risk management formally or informally, but respondents rated fewer than half of these links as strong.

Related CGMA Magazine resources:

“Risk Management Takes Hold in the Asset-Management Industry, but Challenges Remain”: The US asset management industry has invested significantly to improve risk management since the 2008 financial crisis, but risk managers still face big challenges.

How to Evaluate Enterprise Risk Management Maturity: This Enterprise Risk Management (ERM) assessment tool can be used by senior executives and their boards of directors to evaluate the strength and relevance of their organisation’s existing risk oversight processes.

“Nine Steps for Effective Risk Oversight by Corporate Boards”: Corporate boards can better prepare for their role in enterprise risk management oversight with a framework aimed specifically at them. A framework produced by the Canadian Institute of Chartered Accountants describes a nine-step process for effective board oversight.

“COSO Shows How to Put Risk Assessment Into Practice”: The Committee of Sponsoring Organizations of the Treadway Commission (COSO) released a thought paper, Risk Assessment in Practice, designed to help organisations find the optimal risk-taking zone, which the paper refers to as the “sweet spot.”

Sabine Vollmer is a CGMA Magazine senior editor.