Organisations continue to be aware of the risks in their midst, yet barriers remain for implementing enterprise risk management (ERM) initiatives.
More than half (57%) of companies acknowledge that the volume and complexity of risks has increased “mostly” or “extensively” in the past five years, but the number of mature ERM programmes appears to be levelling off, according to a survey conducted by the ERM Initiative at North Carolina State University for the American Institute of CPAs.
Companies are “seeing a more complex risk world, but they’re not yet investing at any higher levels in strengthening their risk oversight in a general sense,” said Mark Beasley, CPA, Ph.D., a professor at North Carolina State University and one of the survey’s authors.
About 15% of the 446 senior executives surveyed believe that their organisations’ risk-management processes are “mostly” or “extensively” a proprietary strategic tool that provides competitive advantage. That’s down about a percentage point from the previous year’s survey.
The top five barriers to ERM progress listed in the survey were:
- Competing priorities, chosen by 51% of respondents.
- Insufficient resources, 43%.
- Lack of perceived value, 41%.
- Perception ERM adds bureaucracy, 33%.
- Lack of board or senior executive ERM leadership, 30%.
Beasley said barriers such as lack of perceived value keep cropping up in the survey because companies haven’t linked ERM with strategy.
“When you think about risk and return, companies have to take risk to generate more profit, so it’s surprising they’re not seeing the connection of ERM when thinking about the strategy of the business,” he said. “We see that a lot. Organisations start the conversation about known risks to their operations, or known risks related to compliance or regulation, versus starting the conversation with strategy. ‘What are the risks to how we make money? What are the risks to the things that drive our value?’ They should position ERM from that perspective.”
About 25% of companies have a mature ERM process in place, although larger organisations and public companies have a much higher rate. The larger companies (56%) and the public ones (52%) help drive up the average, which is weighed down by not-for-profits, which rarely have a mature ERM process in place (13%).
There is less board pressure on not-for-profits to institute ERM practices, but there is plenty of risk discussion at larger companies. Boards of directors are asking for more senior executive involvement in risk oversight at 87% of large companies – those with revenue of $1 billion or more – and 78% of public ones. The most frequently cited factors for increasing executive involvement are regulatory demands, emerging corporate governance requirements, and a desire to better anticipate unexpected risk events.
Since 2009, the first year of the survey, companies seem to have become more attuned to risk in several ways: 31% had a designated chief risk officer in 2013, compared with 18% who had one in 2009. Also, 22% had a management-level risk committee in 2009; 43% had one last year. That trend is led by large organisations, public companies, and financial services firms: about two-thirds of such entities surveyed had internal ERM committees last year.
—Neil Amato (firstname.lastname@example.org) is a CGMA Magazine senior editor.